Director, Information Security and Compliance at SupportNinja
About This Position
Work Set Up: Remote/WAH with occasional travel to either the Sanctum, SM North EDSA, QC or Hideout in Clark, Pampanga
Type of Contract: Full-Time
Equipment Provision: Company Provided
Start Date: March 30, 2026
The Director of Information Security and Compliance leads the organization’s security, privacy, and compliance program in a high-availability, client-driven environment. This role owns governance, risk management, audit readiness, and security assurance, ensuring security is embedded into ITIL service delivery (Incident/Problem/Change/Request) and that the organization can obtain, maintain, and continuously improve compliance with HIPAA, SOC 2 Type II, and PCI DSS. The Director is also a key client-facing leader, responsible for completing and managing new client and vendor security questionnaires, supporting audits, and translating requirements into operational controls.
This role also owns platform and application security governance for SupportNinja technology (including AI-enabled tooling), establishes privacy and AI governance controls, and defines clear shared-responsibility boundaries between SupportNinja-managed environments and customer-managed systems.
Key outcomes (what success looks like)
Continuous audit readiness with repeatable processes, clean evidence, and timely remediation for HIPAA, SOC 2 Type II, and PCI DSS.
Security and privacy controls are operationalized within ITIL processes (Change Enablement, Incident/Major Incident, Problem, Access/Request) and measurable through KPIs/KRIs.
NinjaAI and other SupportNinja platform capabilities are provably secure: secure SDLC, architecture reviews, release security gates, and multi-tenant control validation (segmentation, RBAC, logging) are operating with evidence.
Fast, consistent, high-quality client assurance: questionnaires, due diligence, and customer audits completed on time with accurate evidence and predictable cycle times.
Risk is proactively managed via a living risk register, control testing program, and prioritized remediation roadmap that demonstrates risk burn-down.
Privacy and AI governance are operational: data handling rules, retention/deletion standards, HITL guardrails, and vendor/model risk controls are defined, enforced, and monitored.
Vendor/subprocessor risks are assessed, documented, and monitored with clear acceptance criteria, contract security requirements, and change governance.
Key responsibilities
- Security governance, risk, privacy, and compliance (GRC)
- Define and execute the information security, privacy, and compliance strategy, policies, standards, and multi-year roadmap aligned to business goals and client commitments.
- Establish and maintain a risk management program (risk register, risk assessments, control gap analysis, risk treatment plans, and executive reporting).
- Build and operate a control framework mapped across HIPAA, SOC 2 Type II (Trust Services Criteria), and PCI DSS, reducing duplication and improving audit efficiency.
- Lead internal control testing and continuous monitoring; drive corrective action plans and track findings to closure.
- Own evidence management and documentation discipline (policies, procedures, control narratives, diagrams, logs, tickets, approvals) for year-round readiness.
- Own data classification and data handling standards (collection, access, storage, transmission, retention, deletion) including requirements for AI workflows, transcripts, QA artifacts, and client data exchanged through integrations.
- HIPAA, SOC 2 Type II, and PCI DSS program leadership
- HIPAA: Lead security risk analysis, safeguard implementation (administrative/physical/technical), workforce training, incident/breach coordination support, and BAA-aligned controls where applicable.
- SOC 2 Type II: Own readiness and audit execution, including scoping, control design, operating effectiveness, auditor coordination, evidence collection, and management responses.
- PCI DSS: Own PCI program execution including scope definition, segmentation strategy, payment flow controls, secure operations, testing cadence, and support for SAQ/ROC requirements as applicable.
- Maintain a compliance calendar and governance cadence to ensure ongoing performance, testing, and timely artifact refresh.
- Platform, application security, and secure SDLC (SupportNinja technology)
- Own application and platform security governance for SupportNinja technology, including secure SDLC standards, threat modeling, architecture reviews, and release security gates.
- Define and validate multi-tenant security controls where applicable (segmentation, RBAC, logging, monitoring, encryption, key management) and ensure client-ready evidence.
- Establish security requirements and review gates for connectors and integrations (scopes, permissions, secrets management, API security standards, change control, and rollback).
- Run vulnerability management and security testing programs, including scanning coverage, penetration testing, remediation SLAs, and exception handling with documented risk acceptance.
- AI governance and model/vendor risk
- Establish and operate AI governance controls including data handling rules for LLM workflows, vendor/model risk assessments, HITL escalation guardrails, and output safety controls where applicable.
- Define acceptable use standards for AI-enabled tooling in operations, including privacy-by-design reviews for new use cases, prompts, and workflow changes.
- Implement monitoring and periodic evaluation of AI workflows for risk indicators (data exposure, access drift, policy violations) with corrective actions and reporting.
- ITIL integration and secure service delivery
- Embed security controls and compliance requirements into ITIL processes:
  - Change Enablement: security risk reviews, approval gates, emergency change controls, segregation of duties.
  - Incident and Major Incident: security incident integration, severity model, on-call escalation, communications, post-incident reviews.
  - Problem Management: root cause analysis for recurring security events and systemic control failures; preventive actions.
  - Request and Access Management: least privilege, joiner/mover/leaver controls, access approvals, periodic access reviews, privileged access oversight.
  - Continual Improvement: security improvement backlog aligned to ITSM governance and measurable outcomes.
- Own IAM control design and oversight in partnership with IT: joiner/mover/leaver, periodic access reviews, privileged access management, service account governance, break-glass procedures, and audit-ready evidence.
- Define secure operating patterns for delivery environments (managed devices and BYOD where permitted) including endpoint baselines, controlled browser requirements, data loss protections, and customer conditional access expectations.
- Partner with IT Operations/Engineering to implement secure baselines, logging/monitoring coverage, endpoint security, encryption, vulnerability remediation SLAs, and data loss protections suitable for operations environments.
- Client assurance and questionnaires (new clients / prospects)
- Serve as executive owner for client security due diligence and assurance, including:
  - Completion of potential new client questionnaires and RFP security sections
  - Client audit support (remote/onsite), evidence packaging, and remediation tracking
  - Contractual security requirements review and operationalization (including HIPAA/PCI clauses as applicable)
- Maintain standardized response libraries, control narratives, and an evidence repository to ensure consistent, high-quality, rapid responses.
- Operationalize a client assurance function with defined SLAs, throughput metrics, and quality controls (cycle time, backlog, rework rate, audit findings by theme).
- Vendor / third-party / subprocessor risk management
- Lead the vendor and subprocessor security assessment program, including:
  - Completion/review of questionnaires, risk scoring, and approval decisions
  - Contract security requirements (DPA/BAA where applicable), right-to-audit terms, incident notification SLAs, and subprocessor controls
  - Ongoing monitoring and reassessments based on risk tier and scope changes
- Maintain the subprocessor inventory and change governance, including client-ready disclosures and review of material changes.
- Partner with Procurement, Legal, IT, and Operations to ensure vendors meet requirements before onboarding and throughout the relationship.
- Security operations, incident response, and resilience
- Oversee security operations capabilities (internal team and/or MSSP), including detection, triage, response, containment, and recovery.
- Ensure logging, monitoring, alerting, and incident response playbooks meet audit and client requirements (including PCI incident handling expectations and HIPAA incident/breach assessment support where applicable).
- Own incident response maturity including tabletop exercises, breach assessment decisioning, client notification workflows/templates, and evidence capture practices aligned to regulatory and contract requirements.
- Own security-related business continuity and disaster recovery assurance: incident communications, RTO/RPO alignment, DR testing evidence, and operational resilience controls for critical services.
- Workforce security and operations enablement
- Lead security awareness programs tailored to operations (phishing/social engineering, data handling, clean desk, recording controls, remote work hygiene).
- Partner with delivery leadership to implement practical controls and coaching mechanisms that reduce sensitive data exposure and improve policy adherence.
- Leadership, reporting, and program management
- Build and lead the InfoSec, Privacy, and Compliance team (GRC, compliance/audit, privacy, security operations), including hiring, coaching, and performance management.
- Own budget, tooling strategy, and vendor performance (audit firms, MSSPs, security platforms).
- Establish KPIs/KRIs and executive reporting dashboards (audit progress, control health, risk trends, vulnerability SLAs, incident metrics, questionnaire throughput, AI governance indicators).
What are the required qualifications for a Director of Information Security and Compliance?
- 6-8+ years of progressive experience in information security, compliance, and GRC with leadership responsibility; experience in a BPO/contact center or services environment strongly preferred.
- Demonstrated, hands-on experience obtaining and maintaining compliance programs and audits for:
  - HIPAA
  - SOC 2 Type II
  - PCI DSS
- Strong understanding of ITIL/ITSM and proven ability to integrate security controls into Incident, Problem, Change, Request, and Access processes.
- Proven success in client-facing security assurance, including completing and defending new client questionnaires and supporting customer audits.
- Proven ability to assess vendor/subprocessor risk and complete/review questionnaires, driving conditions and remediation when needed.
- Working knowledge of secure SDLC and application/platform security governance (architecture reviews, threat modeling, security testing, release gates).
- Excellent written and verbal communication skills, including executive reporting and clear control narratives.
- Certifications: CISSP (required), CISM, CRISC, ISO 27001 Lead Implementer/Lead Auditor, CCSP.
- Experience with evidence repositories and GRC tooling, SIEM/EDR operations, vulnerability management programs, and data protection (DLP, encryption, key management).
- Experience operating privacy programs (GDPR/UK GDPR, CCPA/CPRA as applicable), including DPIAs, RoPA, and retention/deletion governance.
- Experience with AI governance controls, LLM vendor risk assessment, and HITL guardrails.
What key competencies would make a candidate successful in this role?
- Strong audit leadership and documentation discipline (controls, evidence, narratives).
- Risk-based decision-making, including exception handling and formal risk acceptance.
- Ability to translate complex framework requirements into practical, scalable operational controls for high-volume operations environments.
- Calm, credible client-facing presence; able to communicate issues and remediation plans without disrupting delivery.
- Ability to align shared-responsibility boundaries across SupportNinja-managed systems, customer-managed systems, and third-party vendors, and turn them into enforceable operational controls.
Ninja Perks and Benefits
- Full-time employees
- Competitive compensation
- Adherence to government-mandated benefits
- Retirement Savings Program with Company Matching
- Life Insurance
- HMO on day 1
- Paid time off, birthday leave
- Bonus and incentive plans
- Opportunities for skills training and personal and professional development
- Employee Referral Program
- Beautiful office space (for onsite employees)
- Free lunch provided daily (for onsite employees)
Experience infinite fun so you can have infinite growth. Discover A Better Way to Grow! Are you ready?
If you are interested, you can access your instant interview here: https://alpharun.com/i/Gp5MG0il4K_N8g01lwTsR
Disclaimer:
The duties and responsibilities listed above describe the post as it is in general terms and are not definitive. The post holder is expected to accept any reasonable alterations that may from time to time be necessary.
SupportNinja is proud to be an Equal Employment Opportunity employer, and we do not discriminate based upon race, religion, color, national origin, gender, sexual orientation, gender identity, gender expression, age, veteran status, disability, or other applicable legally protected characteristics under federal, state, or local law.
Job Location
This job is located in the Philippines region.