Role Overview

We are seeking a skilled and strategic cybersecurity leader with publicly traded SaaS company experience to join our team as Director of Information Security. In this role, you will be responsible for maintaining and enhancing our information security program, ensuring implementation of best practices, policies, procedures, and technologies to detect and protect against evolving cyber threats. The leader will align defined information security strategic initiatives with the company’s strategic objectives while ensuring the team is informed and focused on those common goals. 

As a leader in the organization, you will need to closely collaborate with business stakeholders such as Legal, IT, Enterprise Applications, Product and Engineering in order to ensure adherence to relevant regulations and industry standards coupled with confidentiality, integrity, and availability (CIA) of our systems and data. CarGurus prides itself on teamwork and collaboration.  

You will need to have a security-first approach helping to instill a culture of privacy and security throughout the company by educating of standards and best practices using practical business speak. You need to be okay with being on center stage and embracing the spotlight! Wallflowers need not apply.

You must be able to quickly assess the world’s ever changing security landscape and make practical decisions about potential risks and threats to the business. CarGurus runs at a fast pace, and you will need to be able to think quickly on their feet especially when security events arise and escalate when appropriate to senior management. 

The role will report directly into the VP of Information Security, Technology and Enterprise Applications and will be responsible for overseeing Security Operations, Application Security, and IT Risk and Compliance.​​​​​​​​​​​​​​​​

What You’ll Do:  

• Manage, lead, mentor, and develop a high-performing security team.
• Conduct annual performance evaluations, build personal development and onboarding plans. 
• Form solid, collaborative relationships with peers and key partners across the business. 
• Maintain oversight of technical regulatory and compliance requirements. 
• Ensure security is embedded in the minds and culture of all employees. This includes being involved with our community and continuously driving awareness through training, conversations, presentations, etc. 
• Help manage vendor relationships.
• Own the security budget inclusive of working with the VP on annual budget planning. 
• Set forth long-term Information Security strategic plans while including tactical tasks and goals aligning them with business objectives, risk tolerance, and regulatory requirements. Deliver and communicate them to key partners. 
• Supervise security controls and the evolution of the company’s information security maturity. 
• Ensure that information security policies, standards, and guidelines to mitigate risks, maintain compliance with industry regulations (e.g., GDPR, CPRA) and contractual obligations are enforced and reviewed on an appropriate cadence.
• Work with IT Risk and Compliance to identify, assess, and prioritize information security risks across the organization.
• Report on security metrics, risks, and mitigation strategies to leadership, relevant stakeholders, and the Audit Committee.

Technical Qualifications:  

• Bachelor’s Degree or equivalent combination of education and experience in Information Security or Computer Science. 
• Prior experience at a Director level; this is not a step-up role. 
• Industry certifications such as GIAC certifications (GSLC, GSTRT, GLEG) and others; CISM, CISA, CRISC, are nice to have but if certifications aren’t your thing that is OK too. 
• Deep understanding of cybersecurity and privacy principles, standards, and risk frameworks (e.g., NIST Cybersecurity Framework, CIS Controls, PCI-DSS, GDPR, CPRA).
• Prior experience with system audits and IT reporting for SOX  (Sarbanes Oxley) and SOC compliance is a must. 
• Supervise security controls and the evolution of the company’s Information Security maturity. 
• Work closely with the Director of IT and Enterprise Applications on the implementation of large-scale projects and cross-functional initiatives.
• Understand the foundations of cloud and application security. Experience with GCP, AWS or Azure. 
• Solid understanding of RBAC models, SSO solutions, identity stores, directory services (SAML 2.0, OAuth 2.0, OIDC) and identity governance. 
• Provide feedback to security leaders on technical solutions while allowing them the flexibility to make the technical decisions. 
• Proven track record of authoring and maintaining security policies, standards, and procedures. 

Non-technical Qualifications:  

• Must be able to prioritize projects and tasks in a pragmatic way while understanding the critical impacts and downstream implications to the business. Attention to details and project management skills are required. 
• Work with your leaders to build quarterly roadmaps. Present roadmaps to key partners, gain agreement and ensure alignment on initiatives. 
• Being well organized is a must! 
• Excellent communication and interpersonal skills, with the ability to effectively communicate complex technical concepts to diverse audiences in a personable way.
• Strong writing abilities are a must as you will be writing detailed reports for the Audit Committee and Senior Leadership. 
• Adjusts quickly to the security needs of a highly agile organization, must be flexible and adaptable to change. 
• Love to learn and grow. If you don’t love staying current on emerging cybersecurity trends, threats, and solutions then this isn’t the job for you. 
• Cannot be overly risk averse. We move quickly, innovate, and will try things in contained environments. You have to be OK with operating in this type of environment. 
• Integrity, ownership, and accountability must be core to your values.