
Senior Director, Information Security & Compliance
Job Description
About Beeline Medicines:
Beeline Medicines is a clinical‑stage biotechnology company focused on developing and delivering category-leading precision therapies to transform the lives of people living with autoimmune and inflammatory diseases. With a portfolio of potential best-in-class and first-in-disease therapeutic candidates that directly target key pathways governing dysregulated immunological and inflammatory responses, the Company is developing medicines that have the opportunity to provide durable, life-changing impact. Led by an established executive team and backed by world-class life science investors, each day Beeline Medicines is determined to bring the scientific rigor and operational excellence to get to what matters for patients – realizing a world where people with immune-mediated diseases can live life fully.
Job Summary:
The Senior Director, Information Security & Compliance is responsible for building, operating, and continuously improving the company's information security program. This role owns security governance, risk management, regulatory compliance, and security operations across all IT systems and data. The Senior Director establishes the security policy framework, manages relationships with managed security service providers, coordinates external security assessments, and ensures the company maintains a security and compliance posture appropriate for a clinical-stage biopharma preparing for public company obligations. This is a hands-on leadership role. At a company of this size, the Senior Director operates as a solo security practitioner with significant leverage through managed security partners (SentinelOne Vigilance MDR, Huntress ITDR/SIEM, Zscaler ZIA) and external assessment firms. The role reports to the VP of IT and works closely with Quality, Legal, Finance, and external auditors to ensure security controls satisfy SOX, GDPR, GxP, and FDA regulatory requirements.
Work Arrangement & Location:
Remote - This position is designated as remote; the incumbent will be expected to travel to Beeline Medicines’ offices on a periodic basis to support in-person collaboration, team engagement, and business operations. The frequency and scheduling of such visits will be determined at the company's discretion based on business need.
Essential Duties and Responsibilities:
- Security Governance & Policy. Own the information security policy framework, including development, maintenance, and periodic review of all security policies, standards, and procedures. Ensure policies align with NIST CSF 2.0, NIST SP 800-53, and applicable regulatory requirements (SOX, GDPR, GxP). Present the security posture and risk landscape to IT leadership and executive stakeholders.
- Risk Management & Vendor Security. Lead IT risk management activities, including risk identification, assessment, treatment planning, and risk register maintenance. Conduct and coordinate vendor security risk assessments for third-party service providers. Support the company's broader enterprise risk management process with IT-specific risk inputs.
- Compliance & External Assessments. Own IT General Controls (ITGCs) for SOX compliance readiness, including access controls, change management controls, computer operations, and audit evidence preparation. Coordinate with external SOX auditors, providing documentation, walkthroughs, and remediation of findings. Manage relationships with external firms performing penetration testing, NIST controls mapping, and security control assessments.
- Security Operations & MSSP Management. Manage the company's managed security service provider ecosystem, including SentinelOne Vigilance MDR (endpoint detection and response), Huntress (identity threat detection, SIEM), and Zscaler ZIA (network security). Define alert escalation procedures, review detection efficacy, and ensure coordinated incident response across all providers.
- Incident Response. Own the security incident response program, including the incident response plan, tabletop exercises, breach notification procedures, and post-incident reviews. Serve as the primary technical incident coordinator, working with managed security providers for detection and containment and with Legal and the external DPO for regulatory notification obligations.
- Identity & Access Governance. Design and enforce identity and access management controls in Microsoft Entra ID, including Conditional Access policies, privileged access governance, access reviews, and role-based access control. Ensure access controls satisfy SOX ITGC requirements, FDA 21 CFR Part 11 electronic access provisions, and GDPR data access minimization principles.
- Security Awareness & Training. Own security awareness and training program execution in coordination with KnowBe4, including phishing simulation campaigns, security awareness training content, completion tracking, and remedial training for failed simulations. Maintain training records as audit evidence for SOX and GxP compliance.
- Perform other duties and responsibilities as assigned.
Qualifications:
- Education: Bachelor's degree in Information Security, Computer Science, Information Technology, or a related discipline; equivalent professional experience accepted.
- 12+ years of progressive information security experience with at least 5 years in a security leadership role (Manager, Director, or equivalent) preferred.
- Demonstrated experience building or significantly maturing an information security program, including policy development, risk management, and compliance framework implementation.
- Experience with security frameworks: NIST CSF, NIST SP 800-53, ISO 27001, or equivalent.
- Direct experience with SOX IT General Controls — either implementing ITGCs for IPO readiness or supporting ongoing SOX compliance at a public company.
- Strong working knowledge of Microsoft 365 security controls, including Entra ID, Conditional Access, Defender, and Purview.
- Experience managing managed security service providers (MDR, MSSP, or similar) and coordinating external security assessments (penetration testing, controls testing, risk assessments).
- Independent judgment and self-direction — this role operates as a solo security practitioner at a small company and must prioritize effectively without day-to-day supervision.
- Strong written and verbal communication with the ability to translate security risks into business terms for executive and non-technical audiences.
Salary Range:
The expected salary range for this position varies by location and will be communicated based on the country or region in which the selected candidate is hired. Actual pay will be determined based on experience, qualifications, location, and other job-related factors permitted by applicable local law. A discretionary annual bonus and long-term incentive award (e.g., equity) may be available based on individual and Company performance.
Benefits:
We offer a comprehensive benefits package tailored to the country and region in which you are hired, in compliance with local laws and practices. Benefits may include, but are not limited to:
- Competitive health and wellness coverage (structure and premiums vary by country)
- Paid time off, public holidays, and additional leave entitlements in accordance with local requirements
- Flexible work arrangements / hybrid schedule
Benefits vary by location and are subject to eligibility requirements, local regulations, and plan terms. Specific benefit details applicable to your country or region will be provided during the offer process.
Equal Employment Opportunity:
Beeline Medicines is an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity or expression, national origin, disability, age, protected veteran status, or any other characteristic protected by applicable federal, state, or local law.
Reasonable Accommodation:
If you require a reasonable accommodation to participate in the application or interview process, please contact [email protected] to request an accommodation. We are committed to providing equal access to all candidates.
Privacy:
Upon submission of this form I understand that Beeline Medicines is based in the United States and that personal data submitted in the form will be transferred to and accessed in the U.S. Information about Beeline Medicines' privacy practices can be found at Privacy Policy - Beeline Medicines.