Director Information Security & Governance

Director, Information Security & Governance

The Director, Information Security & Governance serves as Phoenix Retail's senior information security leader with enterprise-wide accountability for the strategy, execution, and ongoing maturity of the company's information security, data protection, privacy controls, and AI security governance program. The role protects Phoenix Retail's omnichannel environment, including corporate systems, e-commerce platforms, store technology, customer and payment data, AI-enabled capabilities, and supporting infrastructure. The Director provides strategic leadership for the Information Security team, fostering a high-performance culture through mentorship and talent development to ensure the sustained operational excellence of the team and the organization.

Operating with the scope and presence of a Chief Information Security Officer, the Director leads enterprise security strategy, governance, policy, architecture, operations, incident response, AI security controls, and security risk management. The role advises executive leadership and the Board on security posture, emerging threats, regulatory obligations, business risk, and investments required to protect the company. This leader partners closely with Technology, Development, Legal, Procurement, Internal Audit, Compliance, Finance, and business stakeholders to embed security across enterprise technology and vendor ecosystems. The Director is a key stakeholder in Third-Party Risk Management and owns Phoenix's PCI-DSS program with full accountability for readiness and outcomes. This is a strategic leadership role requiring strong hands-on technical credibility. The Director must also be able to engage directly with technical matters, including SIEM activity, detection validation, threat hunting, incident investigations, and AI control monitoring when needed.

Key Responsibilities

• Serve as enterprise owner for Phoenix Retail's information security strategy, roadmap, governance model, security policy framework, and AI security governance, aligned to business priorities and retail operating needs.
• Lead and mature a security program built against the NIST Cybersecurity Framework, including measurable controls, maturity targets, risk-based prioritization, and reporting to executive leadership and the Board.
• Design, implement, and monitor controls for AI technologies and use cases, including acceptable-use standards, administrative approvals, data handling requirements, identity and access guardrails, logging, vendor risk inputs, usage monitoring, and spend/consumption oversight.
• Own PCI-DSS across corporate, e-commerce, and store/cardholder data environments, including scoping, segmentation, control design, assessor coordination, remediation, evidence, and executive accountability for outcomes.
• Lead application security across Phoenix Retail's digital commerce and enterprise application portfolio, embedding secure design, code review/SAST/DAST, testing, and risk acceptance into the SDLC.
• Lead network, cloud, endpoint, identity, collaboration, and infrastructure security architecture and operations, ensuring appropriate controls across corporate, e-commerce, store, GCP, Google Workspace, and other key environments.
• Own security operations, 24x7 monitoring, detection engineering, escalation, and incident response; maintain enough hands-on fluency with the SIEM to validate detections, review alerts, and support active investigations when required.
• Direct threat and vulnerability management, including scanning, prioritization, remediation governance, patch SLAs, penetration testing, attack surface management, and executive risk reporting.
• Partner with Legal and Procurement as a key security stakeholder in Third Party Risk Management, including vendor due diligence, contract security requirements, AI and SaaS provider reviews, control assessments, ongoing monitoring, and remediation tracking.
• Review and approve security designs for new technology initiatives, AI-enabled capabilities, cloud services, store technology, payment systems, and major vendor platforms before production deployment.
• Lead enterprise incident response planning, crisis coordination, tabletop exercises, post-incident reviews, and communications with executive, legal, operational, and technical stakeholders.
• Partner with Internal Audit on control testing, evidence, and remediation while maintaining appropriate independence and avoiding self-audit.
• Recruit, lead, coach, and develop a high-performing security team; establish clear ownership, operating rhythms, performance expectations, and career paths.
• Own the security budget, tooling roadmap, vendor portfolio, managed service relationships, SLAs, renewals, and investment recommendations, including cost governance for emerging security and AI-related capabilities.
• Communicate security risk clearly from analyst to Board level, translating technical issues into business impact, risk decisions, and actionable priorities.

Required Experience & Qualifications

• Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or equivalent work experience.
• 10+ years of progressive experience in information security, cybersecurity, technology risk, or a closely related area, including significant enterprise security leadership responsibility.
• Demonstrated ability to operate as the senior security leader for a complex enterprise; retail, omnichannel, e-commerce, payment, or large distributed operating environment experience preferred.
• Demonstrated proficiency with the NIST Cybersecurity Framework (CSF), including program design, maturity assessment, control mapping, remediation planning, and executive reporting.
• Direct, accountable experience owning PCI-DSS in a merchant, e-commerce, payment, or retail environment.
• Deep technical expertise across application security, network security, cloud and infrastructure security, endpoint security, identity and access management, vulnerability management, AI security governance, and security operations.
• Ability to serve as the enterprise authority on securing AI-enabled tools, platforms, and workflows, with practical command of policy, administration, data protection, technical guardrails, monitoring, vendor governance, and cost-aware usage controls.
• Familiarity with Google Cloud Platform (GCP) and Google Workspace environments, including administrative models, IAM, logging, data protection, and security configuration considerations.
• Hands-on working proficiency with a major SIEM/SOC platform; Palo Alto XSIAM experience strongly preferred.
• Proven incident response leadership, including high-severity security events, executive communications, tabletop exercises, post-incident reviews, and continuous improvement.
• Experience leading and developing security teams, managed service providers, and cross-functional programs across Technology, Legal, Procurement, Internal Audit, and business stakeholders.
• Experience presenting cybersecurity posture, risk, and investment recommendations to executive leadership, Audit Committee, or Board-level audiences.
• CISSP or equivalent senior security credential required; CISM, CISA, CCSP, GIAC, or similar credentials are also valued.

Critical Skills & Attributes

• CISO-level judgment and executive presence while operating effectively within a Director-level role.
• Technically credible and current; able to challenge architecture, read SIEM detections, question control gaps, evaluate AI security risks, and contribute to investigations without displacing the team.
• Strong AI security judgment; enables business use while enforcing administrative, technical, data, monitoring, and financial guardrails that are practical for a retail operating environment.
• Strategic and pragmatic; balances risk reduction, customer trust, business speed, cost, and operational resilience.
• Calm and decisive under pressure, especially during active incidents, peak retail periods, major releases, and audit/compliance cycles.
• Strong communicator who can translate technical risk into business decisions for executives, Board members, auditors, attorneys, merchants, and engineers.
• High ownership mindset; accountable for outcomes, not just recommendations.
• Strong discretion, integrity, and judgment when handling sensitive security, legal, personnel, and incident information.