Owns the organizational risk register as a living management tool that reflects current exposure and drives resource decisions.
Defines what security success looks like for the organization; develops and tracks KPIs that provide senior leadership a transparent, actionable view of risk posture and program ROI.
Leads, develops, and grows the security team across five operational pillars; establishes clear ownership, career paths, and accountability structures.
Shifts the security function from reactive, task-driven operations to a proactive, process-driven culture.
Serves as the organization's primary security authority; makes risk-based decisions independently within agreed organizational risk appetite.
Serves as operational lead during and after security incidents - triage, resource coordination, retrospective and escalation to legal counsel and senior leadership per established protocols.
Governance, Risk & Compliance (Pillar 1)
Oversees execution of ISO 27001 and SOC 2 Type II compliance programs as a unified control framework. Leads audit readiness, evidence collection, and control testing.
Governs vendor risk management, including third-party security assessments and ongoing vendor performance against security requirements.
Establishes guardrails for AI/LLM adoption, referencing emerging standards such as ISO/IEC 42001.
Serves as a cross-functional risk consultant to managers and directors, helping them recognize and articulate risk within their own domains.
Standardizes and streamlines the response process for customer security inquiries; develops a library of repeatable, high-quality responses.
Owns the external threat intelligence program, ensuring the team monitors the threat landscape relevant to the organization's industry.
Oversees penetration testing engagements including scope definition, vendor selection, and findings remediation.
Identity & Access Management (Pillar 3)
Sets IAM strategy and governance including role-based access design, MFA enforcement, privileged access management, and periodic access review cadence.
Ensures the IAM function operates within a defined governance structure with clear strategic direction.
Application & Cloud Security (Pillar 4)
Defines and maintains security baselines for cloud infrastructure (Azure), DevOps pipelines, and application development.
Embeds security guardrails into the development lifecycle as a natural part of engineering - not a gate or afterthought.
Owns API security standards and cloud security posture management.
Partners with engineering and architecture to ensure new systems are designed with security first approach to development.
Resilience & Incident Response (Pillar 5)
Owns DR and BCP strategy, annual testing, and tabletop exercises. Ensures recovery objectives are clearly defined, achievable, and aligned with business needs.
Ensures incident response plans are tested and current before they are needed.
Decision Making / Autonomy
Operates with full programmatic authority within the organizational risk appetite - makes security decisions independently rather
Additional Information
If you are wondering what makes TRIMEDX different, it's that all of our associates share in a common purpose of serving clients, patients, communities, and each other with equal measures of care and performance.
Everyone is focused on serving the customer and we do that by collaborating and supporting each other
Associates look forward to coming to work each day
Every associate matters and makes a difference
It is truly a culture like no other - We hope you will join our team! Find out more about our company and culture here .
The Director of Information Security is a senior leadership position with full programmatic authority over the organization's security posture. This role is accountable for building, maturing, and operating a comprehensive security program organized across five pillars: Governance, Risk and Compliance; Threat and Vulnerability Management; Identity and Access Management; Application and Cloud Security; and Resilience and Incident Response.
This role owns the organizational risk register, drives the compliance posture across ISO 27001 and SOC 2, and makes security decisions within established organizational risk appetite. The Director does not surface risks for others to own; they own the program and report outcomes to senior leadership. They lead a team of security professionals and serve as the primary security authority for engineering, operations, and executive leadership.
As AI tooling and accelerated engineering become central to the business, the Director establishes the governance frameworks and practical guardrails that allow teams to innovate without compromising data integrity or regulatory standing.
Trimedx · Indianapolis, IN