If you are wondering what makes TRIMEDX different, it's that all of our associates share in a common purpose of serving clients, patients, communities, and each other with equal measures of care and performance.

• Everyone is focused on serving the customer and we do that by collaborating and supporting each other
• Associates look forward to coming to work each day
• Every associate matters and makes a difference

It is truly a culture like no other — We hope you will join our team! Find out more about our company and culture here.

The Director of Information Security is a senior leadership position with full programmatic authority over the organization’s security posture. This role is accountable for building, maturing, and operating a comprehensive security program organized across five pillars: Governance, Risk and Compliance; Threat and Vulnerability Management; Identity and Access Management; Application and Cloud Security; and Resilience and Incident Response.

This role owns the organizational risk register, drives the compliance posture across ISO 27001 and SOC 2, and makes security decisions within established organizational risk appetite. The Director does not surface risks for others to own; they own the program and report outcomes to senior leadership. They lead a team of security professionals and serve as the primary security authority for engineering, operations, and executive leadership.

As AI tooling and accelerated engineering become central to the business, the Director establishes the governance frameworks and practical guardrails that allow teams to innovate without compromising data integrity or regulatory standing.

Responsibilities

Accountabilities

• Owns the organizational risk register as a living management tool that reflects current exposure and drives resource decisions.

• Defines what security success looks like for the organization; develops and tracks KPIs that provide senior leadership a transparent, actionable view of risk posture and program ROI.

• Leads, develops, and grows the security team across five operational pillars; establishes clear ownership, career paths, and accountability structures.

• Shifts the security function from reactive, task-driven operations to a proactive, process-driven culture.

• Serves as the organization’s primary security authority; makes risk-based decisions independently within agreed organizational risk appetite.

• Serves as operational lead during and after security incidents — triage, resource coordination, retrospective and escalation to legal counsel and senior leadership per established protocols.

Governance, Risk & Compliance (Pillar 1)

• Oversees execution of ISO 27001 and SOC 2 Type II compliance programs as a unified control framework. Leads audit readiness, evidence collection, and control testing.

• Governs vendor risk management, including third-party security assessments and ongoing vendor performance against security requirements.

• Establishes guardrails for AI/LLM adoption, referencing emerging standards such as ISO/IEC 42001.

• Serves as a cross-functional risk consultant to managers and directors, helping them recognize and articulate risk within their own domains.

• Standardizes and streamlines the response process for customer security inquiries; develops a library of repeatable, high-quality responses.

Threat & Vulnerability Management (Pillar 2)

• Directs vulnerability management operations — scanning, prioritization, remediation tracking, and closure verification.

• Owns the external threat intelligence program, ensuring the team monitors the threat landscape relevant to the organization’s industry.

• Oversees penetration testing engagements including scope definition, vendor selection, and findings remediation.

Identity & Access Management (Pillar 3)

• Sets IAM strategy and governance including role-based access design, MFA enforcement, privileged access management, and periodic access review cadence.

• Ensures the IAM function operates within a defined governance structure with clear strategic direction.

Application & Cloud Security (Pillar 4)

• Defines and maintains security baselines for cloud infrastructure (Azure), DevOps pipelines, and application development.

• Embeds security guardrails into the development lifecycle as a natural part of engineering — not a gate or afterthought.

• Owns API security standards and cloud security posture management.

• Partners with engineering and architecture to ensure new systems are designed with security first approach to development.

Resilience & Incident Response (Pillar 5)

• Owns DR and BCP strategy, annual testing, and tabletop exercises. Ensures recovery objectives are clearly defined, achievable, and aligned with business needs.

• Ensures incident response plans are tested and current before they are needed.

Decision Making / Autonomy

• Operates with full programmatic authority within the organizational risk appetite — makes security decisions independently rather than seeking approval on every call.

• Escalates and provides recommendation to senior leadership on issues requiring executive or legal engagement.

Communications / Interactions

• Briefs the VP of IT and executive leadership using BLUF (Bottom Line Up Front) communication — clear context, current posture, and recommended action.

• Represents the security program during M&A due diligence and new customer onboarding, providing accurate and credible security posture assessments.

• Translates technical risk into business language that non-technical stakeholders can act on without requiring translation.

Leadership

• Leadership: Provide clear direction to ensure collective achievement of goals and objectives. Create an environment of respect, collaboration, and open communication.

• Associate Development: Identify and support development needs of direct reports and team members including connecting them to resources both internally and externally to ensure a culture of continuous improvement.

• Associate Engagement: Create high levels of employee engagement by understanding organizational and personal drivers that impact drivers and developing action plans that deliver increased engagement.

• Performance management: Set clear goals and expectations for teams, monitor, and enable performance and intervene with appropriate action when performance gaps occur and provide timely, honest feedback. Ensure that associates complete assigned actions by required deadlines.

• All other duties as assigned.

Skills and Experience

Required Experience

• Minimum of 10 years of experience in Information Security or a related field is required. At least 5 years of people management experience leading technical security teams is also required.

• Demonstrated track record of building security programs from a reactive state to a proactive, process-driven posture.

• Multi-framework compliance experience: hands-on ownership of ISO 27001, SOC 2, and at least one additional framework (NIST, HIPAA, or equivalent).

• Technical credibility across vulnerability management, IAM platforms (Okta, Entra ID), and cloud security (Azure preferred).

• Experience leading or contributing to security due diligence in M&A or major customer onboarding contexts.

• BLUF communicator: structures every briefing around the bottom line, with supporting context available but not leading.

Preferred Experience

• Experience managing a security program under a rapidly changing environment and adoption of new technology.

• Experience or a strong perspective on establishing guardrails for AI/LLM adoption, referencing frameworks such as ISO/IEC 42001.

• Familiarity with vulnerability management, IAM platforms, and Azure cloud security standards.

• Relevant certifications: CISSP, CISM, ISO 27001 Lead Implementer or Lead Auditor, CCSP, or Azure Security Engineer Associate.

Education and Qualifications

Bachelor’s degree in MIS, Computer Science or related field is required, or equivalent experience.

At TRIMEDX, we are committed to cultivating a workplace culture where every associate feels valued, supported, and empowered to thrive. This culture reflects our belief that our people are our foundation, their well-being is essential, and shared success is built through meaningful work, recognition, and opportunities for growth.

We embrace people’s differences which include age, race, color, ethnicity, gender, gender identity, sexual orientation, national origin, education, genetics, veteran status, disability, religion, beliefs, opinions and life experiences.

Visit our website to view our Workplace Culture Commitment , along with our social channels to see what our team is up to: Facebook, LinkedIn, Twitter.

TRIMEDX is an Equal Opportunity Employer. Drug-Free Workplace.

Because we are committed to providing a safe and productive work environment, TRIMEDX is a drug-free workplace. Accordingly, Associates are prohibited from engaging in the unlawful manufacture, sale, distribution, dispensation, possession, or use of any controlled substance or marijuana, or otherwise being under the influence thereof, on all TRIMEDX and Customer property or during working/on-call hours.