PHOENIX

Director Information Security & Governance

Columbus, OH, US
Posted 2 days ago
Full-time, remote

Job Description

Overview

About PHOENIX 
PHOENIX Retail, LLC is a retail platform operating the Express and Bonobos brands worldwide.
 
About Express
Express is a multichannel apparel brand dedicated to a design philosophy rooted in modern, confident and effortless style whether dressing for work, everyday or special occasions. Since its launch in 1980, the brand has embraced a design philosophy rooted in modern, confident and effortless style. Express ensures you look and feel your best, wherever life takes you. The Company operates over 400 retail and outlet stores in the United States and Puerto Rico, the express.com online store and the Express mobile app.
 
About Bonobos
Our Bonobos menswear brand is known for being a style instigator and offering perfect-fit risks through our innovative retail model and personalized experience. Launched online in 2007 with its signature line of chinos, Bonobos now offers a variety of styles available to order online and to try on at any one of our 50 Guideshop locations and at www.bonobos.com. Our Guideshops are in-real-life stores that deliver one-on-one service and expert fit advice. Don't think traditional retail; Bonobos is something you haven't seen before.

Responsibilities

POSITION OVERVIEW

The Director, Information Security & Governance serves as Phoenix Retail’s senior information security leader, with enterprise-wide accountability for the strategy, execution, and ongoing maturity of the company's information security, data protection, privacy controls, and AI security governance program. The role protects Phoenix Retail’s omnichannel environment, including corporate systems, e-commerce platforms, store technology, customer and payment data, AI-enabled capabilities, and supporting infrastructure. The Director provides strategic leadership for the Information Security team, fostering a high-performance culture through mentorship and talent development to ensure the sustained operational excellence of the team and the organization.

Operating with the scope and presence of a Chief Information Security Officer, the Director leads enterprise security strategy, governance, policy, architecture, operations, incident response, AI security controls, and security risk management. The role advises executive leadership and the Board on security posture, emerging threats, regulatory obligations, business risk, and investments required to protect the company.

This leader partners closely with Technology, Development, Legal, Procurement, Internal Audit, Compliance, Finance, and business stakeholders to embed security across enterprise technology and vendor ecosystems. The Director is a key stakeholder in Third-Party Risk Management and owns Phoenix’s PCI-DSS program with full accountability for readiness and outcomes.

This is a strategic leadership role requiring strong hands-on technical credibility. The Director must also be able to engage directly with technical matters, including SIEM activity, detection validation, threat hunting, incident investigations, and AI control monitoring when needed.


KEY RESPONSIBILITIES
  • Serve as enterprise owner for Phoenix Retail’s information security strategy, roadmap, governance model, security policy framework, and AI security governance, aligned to business priorities and retail operating needs.

  • Lead and mature a security program built against the NIST Cybersecurity Framework, including measurable controls, maturity targets, risk-based prioritization, and reporting to executive leadership and the Board.

  • Design, implement, and monitor controls for AI technologies and use cases, including acceptable-use standards, administrative approvals, data handling requirements, identity and access guardrails, logging, vendor risk inputs, usage monitoring, and spend/consumption oversight.

  • Own PCI-DSS across corporate, e-commerce, and store/cardholder data environments, including scoping, segmentation, control design, assessor coordination, remediation, evidence, and executive accountability for outcomes.

  • Lead application security across Phoenix Retail’s digital commerce and enterprise application portfolio, embedding secure design, code review/SAST/DAST, testing, and risk acceptance into the SDLC.

  • Lead network, cloud, endpoint, identity, collaboration, and infrastructure security architecture and operations, ensuring appropriate controls across corporate, e-commerce, store, GCP, Google Workspace, and other key environments.

  • Own security operations, 24x7 monitoring, detection engineering, escalation, and incident response; maintain enough hands-on fluency with the SIEM to validate detections, review alerts, and support active investigations when required.

  • Direct threat and vulnerability management, including scanning, prioritization, remediation governance, patch SLAs, penetration testing, attack surface management, and executive risk reporting.

  • Partner with Legal and Procurement as a key security stakeholder in Third Party Risk Management, including vendor due diligence, contract security requirements, AI and SaaS provider reviews, control assessments, ongoing monitoring, and remediation tracking.

  • Review and approve security designs for new technology initiatives, AI-enabled capabilities, cloud services, store technology, payment systems, and major vendor platforms before production deployment.

  • Lead enterprise incident response planning, crisis coordination, tabletop exercises, post-incident reviews, and communications with executive, legal, operational, and technical stakeholders.

  • Partner with Internal Audit on control testing, evidence, and remediation while maintaining appropriate independence and avoiding self-audit.

  • Recruit, lead, coach, and develop a high-performing security team; establish clear ownership, operating rhythms, performance expectations, and career paths.

  • Own the security budget, tooling roadmap, vendor portfolio, managed service relationships, SLAs, renewals, and investment recommendations, including cost governance for emerging security and AI-related capabilities.

  • Communicate security risk clearly from analyst to Board level, translating technical issues into business impact, risk decisions, and actionable priorities.

 

REQUIRED EXPERIENCE & QUALIFICATIONS
  • Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or equivalent work experience.

  • 10+ years of progressive experience in information security, cybersecurity, technology risk, or a closely related area, including significant enterprise security leadership responsibility.

  • Demonstrated ability to operate as the senior security leader for a complex enterprise; retail, omnichannel, e-commerce, payment, or large distributed operating environment experience preferred.

  • Demonstrated proficiency with the NIST Cybersecurity Framework (CSF), including program design, maturity assessment, control mapping, remediation planning, and executive reporting.

  • Direct, accountable experience owning PCI-DSS in a merchant, e-commerce, payment, or retail environment.

  • Deep technical expertise across application security, network security, cloud and infrastructure security, endpoint security, identity and access management, vulnerability management, AI security governance, and security operations.

  • Ability to serve as the enterprise authority on securing AI-enabled tools, platforms, and workflows, with practical command of policy, administration, data protection, technical guardrails, monitoring, vendor governance, and cost-aware usage controls.

  • Familiarity with Google Cloud Platform (GCP) and Google Workspace environments, including administrative models, IAM, logging, data protection, and security configuration considerations.

  • Hands-on working proficiency with a major SIEM/SOC platform; Palo Alto XSIAM experience strongly preferred.

  • Proven incident response leadership, including high-severity security events, executive communications, tabletop exercises, post-incident reviews, and continuous improvement.

  • Experience leading and developing security teams, managed service providers, and cross-functional programs across Technology, Legal, Procurement, Internal Audit, and business stakeholders.

  • Experience presenting cybersecurity posture, risk, and investment recommendations to executive leadership, Audit Committee, or Board-level audiences.

  • CISSP or equivalent senior security credential required; CISM, CISA, CCSP, GIAC, or similar credentials are also valued.

 

CRITICAL SKILLS & ATTRIBUTES
  • CISO-level judgment and executive presence while operating effectively within a Director-level role.

  • Technically credible and current; able to challenge architecture, read SIEM detections, question control gaps, evaluate AI security risks, and contribute to investigations without displacing the team.

  • Strong AI security judgment; enables business use while enforcing administrative, technical, data, monitoring, and financial guardrails that are practical for a retail operating environment.

  • Strategic and pragmatic; balances risk reduction, customer trust, business speed, cost, and operational resilience.

  • Calm and decisive under pressure, especially during active incidents, peak retail periods, major releases, and audit/compliance cycles.

  • Strong communicator who can translate technical risk into business decisions for executives, Board members, auditors, attorneys, merchants, and engineers.

  • High ownership mindset; accountable for outcomes, not just recommendations.

  • Strong discretion, integrity, and judgment when handling sensitive security, legal, personnel, and incident information.

Closing

If you would like to know more about the California Consumer Privacy Act click here.

 

Applicants must be currently authorized to work full-time in the United States. PHOENIX does not sponsor applicants for work visas (e.g., H-1B or TN status) for this position.

 

An equal opportunity employer, PHOENIX does not discriminate in recruiting, hiring or any other terms and conditions of employment on the basis of any federal, state, or locally protected characteristic. PHOENIX only hires individuals authorized for employment in the United States. PHOENIX is committed to providing reasonable accommodation to individuals with disabilities. If you need an accommodation to search and apply for a job position due to a disability, please call 1-800-964-9793 and say 'Associate Relations' or send an e-mail to [email protected] and let us know the nature of your request and your contact information.

 

Notification to Agencies: Please note that PHOENIX does not accept unsolicited resumes or calls from third-party recruiters or employment agencies. In the absence of a signed Master Service Agreement and approval from HR to submit resumes for a specific requisition, PHOENIX will not consider or approve payment to any third-parties for hires made.
