Director Information Security & Governance

Serve as enterprise owner for Phoenix Retails information security strategy roadmap governance model security policy framework and AI security governance aligned to business priorities and retail operating needs.

Lead and mature a security program built against the NIST Cybersecurity Framework including measurable controls maturity targets risk-based prioritization and reporting to executive leadership and the Board.

Design implement and monitor controls for AI technologies and use cases including acceptable-use standards administrative approvals data handling requirements identity and access guardrails logging vendor risk inputs usage monitoring and spend/consumption oversight.

Own PCI-DSS across corporate e-commerce and store/cardholder data environments including scoping segmentation control design assessor coordination remediation evidence and executive accountability for outcomes.

Lead application security across Phoenix Retails digital commerce and enterprise application portfolio embedding secure design code review/SAST/DAST testing and risk acceptance into the SDLC.

Lead network cloud endpoint identity collaboration and infrastructure security architecture and operations ensuring appropriate controls across corporate e-commerce store GCP Google Workspace and other key environments.

Own security operations 24x7 monitoring detection engineering escalation and incident response; maintain enough hands-on fluency with the SIEM to validate detections review alerts and support active investigations when required.

Direct threat and vulnerability management including scanning prioritization remediation governance patch SLAs penetration testing attack surface management and executive risk reporting.

Partner with Legal and Procurement as a key security stakeholder in Third Party Risk Management including vendor due diligence contract security requirements AI and SaaS provider reviews control assessments ongoing monitoring and remediation tracking.

Review and approve security designs for new technology initiatives AI-enabled capabilities cloud services store technology payment systems and major vendor platforms before production deployment.

Lead enterprise incident response planning crisis coordination tabletop exercises post-incident reviews and communications with executive legal operational and technical stakeholders.

Partner with Internal Audit on control testing evidence and remediation while maintaining appropriate independence and avoiding self-audit.

Recruit lead coach and develop a high-performing security team; establish clear ownership operating rhythms performance expectations and career paths.

Own the security budget tooling roadmap vendor portfolio managed service relationships SLAs renewals and investment recommendations including cost governance for emerging security and AI-related capabilities.

Communicate security risk clearly from analyst to Board level translating technical issues into business impact risk decisions and actionable priorities.

Bachelors degree in Information Systems Computer Science Cybersecurity or equivalent work experience.

10 years of progressive experience in information security cybersecurity technology risk or a closely related area including significant enterprise security leadership responsibility.

Demonstrated ability to operate as the senior security leader for a complex enterprise; retail omnichannel e-commerce payment or large distributed operating environment experience preferred.

Demonstrated proficiency with the NIST Cybersecurity Framework (CSF) including program design maturity assessment control mapping remediation planning and executive reporting.

Direct accountable experience owning PCI-DSS in a merchant e-commerce payment or retail environment.

Deep technical expertise across application security network security cloud and infrastructure security endpoint security identity and access management vulnerability management AI security governance and security operations.

Ability to serve as the enterprise authority on securing AI-enabled tools platforms and workflows with practical command of policy administration data protection technical guardrails monitoring vendor governance and cost-aware usage controls.

Familiarity with Google Cloud Platform (GCP) and Google Workspace environments including administrative models IAM logging data protection and security configuration considerations.

Hands-on working proficiency with a major SIEM/SOC platform; Palo Alto XSIAM experience strongly preferred.

Proven incident response leadership including high-severity security events executive communications tabletop exercises post-incident reviews and continuous improvement.

Experience leading and developing security teams managed service providers and cross-functional programs across Technology Legal Procurement Internal Audit and business stakeholders.

Experience presenting cybersecurity posture risk and investment recommendations to executive leadership Audit Committee or Board-level audiences.

CISSP or equivalent senior security credential required; CISM CISA CCSP GIAC or similar credentials are also valued.

CISO-level judgment and executive presence while operating effectively within a Director-level role.

Technically credible and current; able to challenge architecture read SIEM detections question control gaps evaluate AI security risks and contribute to investigations without displacing the team.

Strong AI security judgment; enables business use while enforcing administrative technical data monitoring and financial guardrails that are practical for a retail operating environment.

Strategic and pragmatic; balances risk reduction customer trust business speed cost and operational resilience.

Calm and decisive under pressure especially during active incidents peak retail periods major releases and audit/compliance cycles.

Strong communicator who can translate technical risk into business decisions for executives Board members auditors attorneys merchants and engineers.

High ownership mindset; accountable for outcomes not just recommendations.

Strong discretion integrity and judgment when handling sensitive security legal personnel and incident information.