Director, Information Security
The Director, Information Security plays an integral role in the leadership and development of the Information Security team and is responsible for securing customer, employee, and corporate data within Torrid. Specifically, this leader and his/her team are responsible for monitoring and reporting on the security health of Torrid’s data systems, implementing and administering all cyber security technologies, delivering key cyber risk metrics to stakeholders at all levels of the company, maintaining data regulatory compliance, and defining data security policies and guidelines. In addition, this leadership role will lead Torrid’s Business Continuity and Disaster Recovery program.
What you'll do...
- Build and lead key security roles within Torrid, including: Data Security Compliance, Security Operations, Security Engineering, and DevSecOps
- Build and guide the Information Security team in developing individual skillsets to maximize personal growth and team success
- Ensure Torrid is compliant with all data compliance requirements, including SOX, CCPA, GDPR, ADA and PCI
- Develop and maintain Torrid’s Cyber Incident Response Plan, ensuring all required participants are trained in response protocols
- In partnership with Torrid’s Information Technology teams, ensure that critical business systems are resilient to cyber events
- Work alongside other Torrid teams to identify areas of cyber risk to the organization and assist with reducing those risks to acceptable levels
- Define, direct, and oversee the execution of security processes in the areas of intrusion prevention, security event monitoring/SIEM, vulnerability management, privilege access management, web filtering, and VPN
- Recommend security solutions that drive improvements in the capability and functionality of the cyber security program
- Serve as a subject matter expert providing advisory services related to Torrid’s security architecture strategy, as well as security requirements for all internal and external business partners
- Establish, monitor, evaluate, and report key performance and risk indicators (KPIs and KRIs) to provide leadership with accurate and timely information regarding the effectiveness of the information security strategy
- Develop DevSecOps functions within Torrid and ensure code development is aligned with industry best practices
- Manage the gathering and analysis of Torrid’s data to ensure actionable information is available and responded to in accordance with defined SLAs
- Define 3rd party data security requirements and perform cyber risk assessments of Torrid’s current and prospective 3rd party vendors ensuring all appropriate controls are applied
- Maintain a roadmap for the development of security architecture and standards
- Ensure that the Global Security Strategy is meeting the security and privacy needs of internal and external customers
- Provide strategic and tactical security guidance for new and existing technical solutions
- Communicate and promote the awareness of information security, information risk, and privacy to business units, customers and partners
- Provide direct leadership of security projects to improve operational efforts
- Participate in on-call support and issue escalation, as needed
- Develop, oversee, and regularly test IT disaster recovery procedures to ensure business continuity for both central and distributed systems and services
What you'll need...
- 5-7 years’ experience in a Cyber Security leadership role reporting directly to the CIO or CTO.
- 10 years’ experience operating, monitoring and enforcing security policies, standards, tools, controls and systems in large-scale organizations where you directly managed employees.
- Prior experience with PCI compliance in a retail organization and implementing a NIST cybersecurity framework.
- Deep understanding of Payment Card Industry (PCI) Data Security Standard (DSS), ISO 27001/27002, SSAE-16, COBIT, ITIL, Personally Identifiable Information (PII), NIST Cyber Security Framework, and other regulatory compliance, privacy standards, and legislation.
- Broad understanding of Networking Protocols, Netflow, Routing, DNS, Firewalls (Palo Alto Networks and Cisco ASA), Wireless, Operating Systems (including Windows, MacOS, and Linux), Virtualization (VMware ESX), Databases (MS SQL, Oracle, MySQL), Payment Applications, Retail Operations and Processes (Oracle ORPOS and XStore), Cryptography, PKI, Patch Management, Scripting, Mobile Device Management, and Disaster Recovery
- Educational knowledge or work experience with behavioral analytics technologies
- Proficiency in managing onshore/offshore teams and large-scale projects
- Proficiency in establishing and maintaining effective working relationships with employees, business partners and third party vendors.
- Excellent verbal and written communication skills to technical and non-technical audiences of various levels in the organization
- Strong understanding and/or experience with Security Information and Event Management (SIEM), Vulnerability Management, Penetration Testing, Authentication Methods, Identity and Access Management (IAM), Anti-Malware and Malware Analysis/Remediation, Intrusion Detection and Intrusion Prevention (IDS/IPS), Web Application Firewalls, File Integrity Monitoring (FIM), Incident Response/Forensics, Physical Access Controls and Security Best Practices
- A “breaker” mindset. You ask, “How are things NOT supposed to work?”
- Excellent verbal and written communication skills with a wide range of audiences including executives, business stakeholders and IT team members
- Great attitude and strong work ethic
- High level of creativity, quick problem-solving capabilities and strong analytical skills
- High level of personal integrity, and the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity
- Must be a critical thinker with strong problem-solving skills
- Ability to work on multiple projects and meet deadlines by setting priorities with work projects
- Ability to establish and maintain effective working relationships with coworkers and clients
- High degree of initiative, dependability and ability to work with little supervision.
- Fluent written and spoken English
- BA/BS degree in Computer Science, Information Security or equivalent mix of education and experience
- Master’s or other advanced degree in Cyber Security preferred
- Professional security management certifications, such as Global Information Assurance Certifications, Certified Information Systems Security Professional (CISSP), Systems Security Certified Practitioner (SSCP), Certified Information Security Manager (CISM), AWS Certified Security – Specialty, Palo Alto Networks Certified Network Security Administrator (PCNSA), or other similar credentials desired.
What you'll get...
- Our open floor plan allows for a creative, collaborative and fun environment.
- A competitive benefits package including medical, dental, vision, 401k and paid time off.
- Additional perks like a generous employee discount, access to employee-only sales, café, masseuse, gym, fitness and yoga classes, basketball court, and more.
- Can't forget Thirsty Thursdays during the summer!
Our company participates in E-Verify. E-Verify is a program that electronically confirms a candidate’s eligibility to work in the United States after completing the Employment Eligibility Verification (Form I-9). The information provided on the Form I-9 is compared to the records contained in the Social Security Administration and Department of Homeland Security (DHS) databases. This helps employers verify the identity and employment eligibility of newly hired employees.
E-Verify Poster: https://e-verify.uscis.gov/web/media/resourcesContents/E-Verify_Participation_Poster_ES.pdf
Eligibility to Work Poster (English): https://www.e-verify.gov/sites/default/files/IER_RightToWorkPoster.pdf
Eligibility to Work Poster (Spanish): https://www.e-verify.gov/sites/default/files/everify/posters/IER_RighttoWorkPosterES.pdf