Drive and mature the company-wide information security program and strategy including managing policies, standards, risk assessments, and the enterprise risk register
Act as the primary internal authority on information security operations, advising leadership and department heads on risk and priorities
Develop security metrics and reporting for technical and executive stakeholders
Serve as a working technical mentor to security analysts, providing hands-on guidance, knowledge sharing, and day-to-day direction across IT and cloud security domains
Own ISO 27001 certification and maintenance, including audits, evidence collection, and improvement
Directly manage controls rationalization across frameworks (ISO 27001, SOC 2, NIST CSF, SOX ITGC) to support evolving compliance requirements
Lead and execute the vendor and third-party risk management program
Establish and maintain information security controls in alignment with life sciences regulatory requirements, including 21 CFR Part 11 and GxP
Partner with the software, cloud security, and DevOps teams on expanding industry-standard security practices into the software development lifecycle
Actively participate in security operations across the corporate IT environment, including hands-on involvement in endpoint security, identity and access management, vulnerability management, and security monitoring
Define cloud security governance standards and policies for SaaS-hosted environments and oversee compliance
Own and continuously improve the company-wide security awareness and training program
Champion a realistic, risk-based security culture across a diverse workforce spanning research, clinical, and corporate functions
Requirements
12+ years of progressive information security experience with a strong track record of hands-on technical execution
Direct, practitioner-level experience in at least two of the three domains: GRC, IT security operations, and application/cloud security
Experience collaborating with or embedding security within software engineering or product organizations
Deep working knowledge of ISO 27001, including post-certification program management and audit readiness
Familiarity with SOC 2, NIST CSF, HIPAA, SOX IT General Controls, and related frameworks
Hands-on understanding of application security principles, secure SDLC practices, and cloud security (AWS, Azure, or GCP)
Able to write and maintain clear, practical policies and standards directly, without relying on external consultants or pre-built templates
Strong risk assessment skills with the ability to translate technical findings into business impact for non-technical audiences
Experience supporting or preparing for a SOX readiness assessment or IPO-related compliance effort
Direct experience with GRC platforms (Vanta, Drata, Tugboat Logic, or similar) and security tooling across endpoint, identity, SIEM, and AppSec domains
Pragmatic and mission-driven; energized by doing meaningful work in a fast-moving clinical-stage environment
Regulated industry experience strongly preferred; life sciences, biotech, or pharma background is a meaningful plus
CISM, CISSP, or CRISC certification preferred; AWS Security Specialty, CCSP, or equivalent a plus
ABOUT IAMBIC THERAPEUTICS
Additional Information
JOB SUMMARY
We have an established information security program and are looking for a hands-on Associate Director to grow it and take it to the next level. This is a practitioner role as much as a leadership role - you will be directly involved in the work across governance, IT, cloud security, software, and DevOps. The immediate strategic priority is expanding our security posture into the software development lifecycle, embedding cloud security practices across our internally developed SaaS environment, while maintaining and maturing our governance, risk, and compliance foundation.
You will work to obtain and maintain our ISO certification, partnering closely with IT leadership, R&D, and the broader organization to continuously raise the security bar across the company.
This role reports to the VP of IT and carries significant visibility to the CTO and senior leadership.
This role is hybrid, based in the San Diego HQ or Boston, MA (preferred).