Head of Information Security - Innovation

Position Summary Head of Information Security – Innovation. As a leading technology law firm, Cooley is determined to become a leader in the digital practice of law. The Innovation Head of Information Security will set the overall security program direction and own the risk management framework for Cooley AI. The Head of Information Security will serve as the executive‑facing security voice, presenting quarterly security posture updates to leadership. This role will proactively design the governance program and is accountable for the platform’s SOC2 compliance. This position directly manages the GRC Analyst and provides dotted‑line governance oversight to DevSecOps, Endpoint Engineering, and DevOps on security‑related decisions. Responsibilities Establish and maintain the information security program roadmap aligned to SOC2, ISO27001, and additional certifications as required by the business Own TSC scoping, evidence architecture, and GRC platform standup (Vanta, Drata, or equivalent), designing a unified control framework that serves both SOC2 and ISO27001 without duplicative effort, with execution support from the GRC Analyst Design and own the end‑to‑end security operations architecture, from telemetry and log collection to SIEM deployment to detection engineering, SOAR/automation, and MDR escalation, with execution support from DevOps, DevSecOps, and Endpoint Engineering Serve as incident commander during security events Define incident response and business continuity plans, lead tabletop exercises at least annually, and own the escalation playbook including forensic readiness and external communications Select and manage the audit firm relationship, including negotiate scope, manage the audit process, handle exceptions, and translate between stakeholders Own the endpoint security strategy for an AI‑native engineering organization, such as MDM/MAM policy design, EDR selection and deployment, and device trust enforcement across developer and non‑developer endpoints, with execution support from endpoint engineering Develop and implement a DLP strategy for unstructured, high‑sensitivity legal content, including design controls that go beyond simple pattern matching to protect legal documents, privileged communications, and client data Conduct periodic risk assessments, and make accept/mitigate/transfer recommendations Review and approve all security policies and standards Evaluate and approve third‑party vendors and SaaS tools from a security and data‑privacy perspective, with execution support from the GRC Analyst Advise the Director of Practice Engineering on security architecture decisions, including cloud posture, data encryption strategy, and access control design Serve as direct supervisor and mentor to direct reports Provide day‑to‑day supervision of direct reports, ensure compliance with assigned work hours and monitor for compliance with all firm and department policies Manage staffing coverage, review and process time logs/time off requests Support business professional development and continued educational opportunities In collaboration with immediate supervisor and central HR, participate in hiring, performance appraisals, counseling, termination and other employee lifecycle events All other duties as assigned or required Skills and Experience Required: 10+ years of directly relevant exempt‑level experience in information security with at least 2 years in a CISO, Head of Security, or senior security leadership role Demonstrated experience building a security program from scratch or near‑scratch at a SeriesB–D stage company and taken a company through its first SOC2 TypeII and/or ISO27001 certification Deep fluency with cloud‑native architectures (AWS or GCP preferred), infrastructure‑as‑code patterns, and modern CI/CD pipelines – must be able to credibly evaluate the engineering team’s technical decisions Hands‑on experience with GRC automation platforms (Vanta, Drata, or equivalent) and understands how to structure controls for efficient audit evidence collection Proven track record of effective leadership After orientation at CooleyLLP, exhibit proficiency in the Microsoft Office suite, iManage and other firm applications Ability to work extended and/or weekend hours, as required Ability to travel, as required Bachelor’s degree Preferred: Prior law firm experience Experience at a B2B SaaS or legal tech company Competencies Entrepreneurial by nature Excellent attention to detail Exceptional interpersonal and communication skills with ability to facilitate and solve problems Ability to organize, prioritize and coordinate multiple activities often under tight timelines Ability to drive projects to completion and achieve goals Strong judgment Team‑player with collaborative spirit Unwavering ability to handle and maintain confidentiality regarding firm information, projects, client data High level of professionalism at all times Demonstrated ability to lead through influence and develop talent Proactive, analytical mindset Effective presentation skills #J-18808-Ljbffr Cooley