Director of Cyber Security

CarltonOne is a global B2B technology leader, and part of the Goldman Sachs portfolio, helping organizations around the world reward and inspire exceptional people. Our solutions empower employees to be more productive, sales teams to perform at their best, and customers to stay engaged and loyal.

Our platform powers the global engagement industry, enabling companies to deliver impactful employee recognition, customer loyalty, rewards, sales, and channel incentive programs. We partner with over 450 clients, 500 vendors, and serve 14 million members across 185 countries.

Beyond engagement, every CarltonOne solution drives our eco-action mission: funding tree planting to help restore the planet. To date, we’ve funded over 20 million trees and are on track to plant millions more each year. Learn more at carltonone.com.

About the Opportunity

CarltonOne is seeking a Director, Information Security & Cyber Risk to lead and operationalize our global security program. This role is responsible for executing CarltonOne’s security strategy across information security, application security, cloud security, and cyber risk, ensuring strong protection of customer data, systems, and intellectual property.

The Director will partner closely with Engineering, Product, IT, and Legal teams to embed security into technology and business processes. This is a hands-on leadership role focused on program maturity, operational excellence, regulatory compliance, and risk reduction within a growing global SaaS environment.

Key Responsibilities

Security Leadership & Program Execution

• Lead the execution and continuous improvement of CarltonOne’s information security and cyber risk programs.
• Act as the primary security advisor to senior technology leadership.
• Implement and maintain security governance frameworks aligned with global regulations and industry best practices.
• Promote a strong security culture through awareness programs, training, and practical guidance across teams.

Application & Information Security

• Lead secure software development lifecycle (SSDLC) practices, ensuring security is embedded throughout design, development, testing, and deployment.
• Partner with Engineering and Product teams on threat modeling, vulnerability management, secure code practices, and tooling.
• Own data protection programs including data classification, access controls, encryption standards, and incident response processes.
• Coordinate application security testing, penetration testing, and vulnerability remediation efforts.

Cloud Security

• Implement cloud security controls and standards supporting CarltonOne’s cloud infrastructure and services.
• Ensure secure architecture, identity and access management, and configuration best practices across cloud environments.
• Work closely with engineering teams to embed security into cloud design and deployment workflows.

Cyber Risk Management & Compliance

• Manage enterprise cyber risk programs, including risk identification, assessment, prioritization, and mitigation.
• Maintain risk registers, metrics, and dashboards to support leadership decision-making.
• Ensure compliance with security and privacy frameworks including SOC 2, ISO 27001, PCI‑DSS, GDPR, and other applicable global regulations.
• Support and coordinate security audits, certifications, and customer assurance activities.

Incident Response & Threat Management

• Maintain and continuously improve incident response, security monitoring, and business continuity processes.
• Oversee security operations, including vulnerability management, threat detection, and incident response. Review and continuously improve incident management procedures and own the end‑to‑end incident response and Security Operations (SecOps) lifecycle.
• Act as incident lead during security events, coordinating investigation, response, communication, and post incident reviews.

Team Leadership & Development

• Lead and develop a high performing security team across information security, application security, and risk functions.
• Set clear priorities, performance metrics, and development plans.
• Drive operational maturity through KPIs, process improvement, and regular reporting.

Qualifications

• 8–12+ years of progressive experience in information security, with at least 3–5 years in a senior leadership or director's level role.
• Strong expertise across information security, application security, cloud security, and governance, risk, and compliance (GRC).
• Proven experience implementing and maturing security programs within SaaS or high growth technology environments.
• Solid knowledge of regulatory and compliance frameworks including SOC 2, ISO 27001, PCI‑DSS, GDPR, CCPA, and similar standards.
• Experience supporting audits, certifications, and regulatory inquiries.
• Excellent communication skills with the ability to translate technical risk into business impact.
• Professional certifications such as CISSP, CISM, CISA, CCSP, or equivalent are strongly preferred.

Additional Perks

Here are some additional perks that we provide:

• Competitive salary and benefits package.
• Health, dental, and vision coverage.
• 3 weeks’ vacation plus personal days.
• Access to our employee benefits portal for exclusive discounts.
• Monthly company-wide events, celebrations, and team activities.
• Bravo reward points program for recognition and appreciation
• Convenient office location close to public transit.

How to Apply

If this great opportunity looks rewarding to you, let’s connect. Our online application will give you the option to apply to this role directly.

The target hiring range for this position is $150,000 - $170,000. Placement in the salary range will be based on factors such as market conditions, internal equity, and candidate experience, skills, and qualifications relevant to the role.

We value diversity and inclusion and encourage all qualified people to apply. If we can make this easier through accommodation in the recruitment process, or if you need assistance to accommodate a disability, please contact us with the “Help” button in the application.

Vacancy status: This posting represents an active vacancy for which we are currently hiring.

AI Disclosure: Artificial Intelligence (AI) may be used in the hiring process for this role.