Director, Information Security & Governance

Express, LLC
Columbus, United States of America
28 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior

Job location

Columbus, United States of America

Tech stack

Artificial Intelligence
Software System Penetration Testing
Software as a Service
Cloud Computing
Code Review
Encodings
Computer Security
Information Systems
Payment Systems
Identity and Access Management
Intrusion Detection and Prevention
Network Security
PCI Data Security Standards
Program Design Languages
Systems Development Life Cycle
Cloud Services
Security Information and Event Management
Software Deployment
Software Vulnerability Management
Privacy Controls
Data Logging
Data Processing
Google Cloud Platform
Enterprise Software Applications
Software Security
Information Technology
Cybercrime
Gsuite
Static Application Security Testing
Dynamic Application Security Testing

Job description

The Director, Information Security & Governance serves as Phoenix Retail's senior information security leader with enterprise-wide accountability for the strategy, execution, and ongoing maturity of the company's information security, data protection, privacy controls, and AI security governance program. The role protects Phoenix Retail's omnichannel environment, including corporate systems, e-commerce platforms, store technology, customer and payment data, AI-enabled capabilities, and supporting infrastructure. The Director provides strategic leadership for the Information Security team, fostering a high-performance culture through mentorship and talent development to ensure the sustained operational excellence of the team and the organization. Operating with the scope and presence of a Chief Information Security Officer, the Director leads enterprise security strategy, governance, policy, architecture, operations, incident response, AI security controls, and security risk management. The role advises executive leadership and the Board on security posture, emerging threats, regulatory obligations, business risk, and investments required to protect the company. This leader partners closely with Technology, Development, Legal, Procurement, Internal Audit, Compliance, Finance, and business stakeholders to embed security across enterprise technology and vendor ecosystems. The Director is a key stakeholder in Third-Party Risk Management and owns Phoenix's PCI-DSS program with full accountability for readiness and outcomes. This is a strategic leadership role requiring strong hands-on technical credibility. The Director must also be able to engage directly with technical matters, including SIEM activity, detection validation, threat hunting, incident investigations, and AI control monitoring when needed., * Serve as enterprise owner for Phoenix Retail's information security strategy, roadmap, governance model, security policy framework, and AI security governance, aligned to business priorities and retail operating needs.

  • Lead and mature a security program built against the NIST Cybersecurity Framework, including measurable controls, maturity targets, risk-based prioritization, and reporting to executive leadership and the Board.
  • Design, implement, and monitor controls for AI technologies and use cases, including acceptable-use standards, administrative approvals, data handling requirements, identity and access guardrails, logging, vendor risk inputs, usage monitoring, and spend/consumption oversight.
  • Own PCI-DSS across corporate, e-commerce, and store/cardholder data environments, including scoping, segmentation, control design, assessor coordination, remediation, evidence, and executive accountability for outcomes.
  • Lead application security across Phoenix Retail's digital commerce and enterprise application portfolio, embedding secure design, code review/SAST/DAST, testing, and risk acceptance into the SDLC.
  • Lead network, cloud, endpoint, identity, collaboration, and infrastructure security architecture and operations, ensuring appropriate controls across corporate, e-commerce, store, GCP, Google Workspace, and other key environments.
  • Own security operations, 24x7 monitoring, detection engineering, escalation, and incident response; maintain enough hands-on fluency with the SIEM to validate detections, review alerts, and support active investigations when required.
  • Direct threat and vulnerability management, including scanning, prioritization, remediation governance, patch SLAs, penetration testing, attack surface management, and executive risk reporting.
  • Partner with Legal and Procurement as a key security stakeholder in Third Party Risk Management, including vendor due diligence, contract security requirements, AI and SaaS provider reviews, control assessments, ongoing monitoring, and remediation tracking.
  • Review and approve security designs for new technology initiatives, AI-enabled capabilities, cloud services, store technology, payment systems, and major vendor platforms before production deployment.
  • Lead enterprise incident response planning, crisis coordination, tabletop exercises, post-incident reviews, and communications with executive, legal, operational, and technical stakeholders.
  • Partner with Internal Audit on control testing, evidence, and remediation while maintaining appropriate independence and avoiding self-audit.
  • Recruit, lead, coach, and develop a high-performing security team; establish clear ownership, operating rhythms, performance expectations, and career paths.
  • Own the security budget, tooling roadmap, vendor portfolio, managed service relationships, SLAs, renewals, and investment recommendations, including cost governance for emerging security and AI-related capabilities.
  • Communicate security risk clearly from analyst to Board level, translating technical issues into business impact, risk decisions, and actionable priorities.

Requirements

  • Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or equivalent work experience.
  • 10+ years of progressive experience in information security, cybersecurity, technology risk, or a closely related area, including significant enterprise security leadership responsibility.
  • Demonstrated ability to operate as the senior security leader for a complex enterprise; retail, omnichannel, e-commerce, payment, or large distributed operating environment experience preferred.
  • Demonstrated proficiency with the NIST Cybersecurity Framework (CSF), including program design, maturity assessment, control mapping, remediation planning, and executive reporting.
  • Direct, accountable experience owning PCI-DSS in a merchant, e-commerce, payment, or retail environment.
  • Deep technical expertise across application security, network security, cloud and infrastructure security, endpoint security, identity and access management, vulnerability management, AI security governance, and security operations.
  • Ability to serve as the enterprise authority on securing AI-enabled tools, platforms, and workflows, with practical command of policy, administration, data protection, technical guardrails, monitoring, vendor governance, and cost-aware usage controls.
  • Familiarity with Google Cloud Platform (GCP) and Google Workspace environments, including administrative models, IAM, logging, data protection, and security configuration considerations.
  • Hands-on working proficiency with a major SIEM/SOC platform; Palo Alto XSIAM experience strongly preferred.
  • Proven incident response leadership, including high-severity security events, executive communications, tabletop exercises, post-incident reviews, and continuous improvement.
  • Experience leading and developing security teams, managed service providers, and cross-functional programs across Technology, Legal, Procurement, Internal Audit, and business stakeholders.
  • Experience presenting cybersecurity posture, risk, and investment recommendations to executive leadership, Audit Committee, or Board-level audiences.
  • CISSP or equivalent senior security credential required; CISM, CISA, CCSP, GIAC, or similar credentials are also valued., * CISO-level judgment and executive presence while operating effectively within a Director-level role.
  • Technically credible and current; able to challenge architecture, read SIEM detections, question control gaps, evaluate AI security risks, and contribute to investigations without displacing the team.
  • Strong AI security judgment; enables business use while enforcing administrative, technical, data, monitoring, and financial guardrails that are practical for a retail operating environment.
  • Strategic and pragmatic; balances risk reduction, customer trust, business speed, cost, and operational resilience.
  • Calm and decisive under pressure, especially during active incidents, peak retail periods, major releases, and audit/compliance cycles.
  • Strong communicator who can translate technical risk into business decisions for executives, Board members, auditors, attorneys, merchants, and engineers.
  • High ownership mindset; accountable for outcomes, not just recommendations.
  • Strong discretion, integrity, and judgment when handling sensitive security, legal, personnel, and incident information., Applicants must be currently authorized to work full-time in the United States. PHOENIX does not sponsor applicants for work visas (e.g., H-1B or TN status) for this position.

About the company

PHOENIX Retail, LLC is a retail platform operating the Express and Bonobos brands worldwide. About Express Express is a multichannel apparel brand dedicated to a design philosophy rooted in modern, confident and effortless style whether dressing for work, everyday or special occasions. Since its launch in 1980, the brand has embraced a design philosophy rooted in modern, confident and effortless style. Express ensures you look and feel your best, wherever life takes you. The Company operates over 400 retail and outlet stores in the United States and Puerto Rico, the express.com online store and the Express mobile app. About Bonobos Our Bonobos menswear brand is known for being a style instigator and offering perfect-fit risks through our innovative retail model and personalized experience. Launched online in 2007 with its signature line of chinos, Bonobos now offers a variety of styles available to order online and to try on at any one of our 50 Guideshop locations and at www.bonobos.com. Our Guideshops are in-real-life stores that deliver one-on-one service and expert fit advice. Don't think traditional retail, Bonobos is something you haven't seen before.

Apply for this position