Sign upLog in

Director Information Security & Governance

Express & Bonobos

Columbus, OH

Apply
JOB DETAILS
SKILLS
Applications Security, Artificial Intelligence (AI), Artificial Intelligence (AI) Programming Languages, Budgeting Software, CCSP - Cisco Certified Security Professional, CISA - Certified Information Systems Auditor, CISM - Certified Information Security Manager, CISSP - Certified Information Systems Security Professional, Cloud Computing, Coaching, Code Reviews, Communication Skills, Computer Science, Computer Security, Continuous Improvement, Contract Requirements, Cross-Functional, Due Diligence, Ecosystems, Enterprise Applications, Enterprise Protection, Establish Priorities, Expense Tracking, Financial Compliance, Functional Programming Languages, GCP (Good Clinical Practices), GIAC - Global Information Assurance Certification, Global Branding, Hunting, Incident Management, Incident Response, Information Technology & Information Systems, Information/Data Security (InfoSec), Internal Audit, Internet Security, Leadership, Legal, Mentoring, Mobile Applications, PCI-DSS, Penetration Testing, Philosophy, Policy Development, Privacy Controls, Purchasing/Procurement, Regulations, Relationship Management, Retail, Risk, Risk Analysis, Risk Management, Security Analysis, Security Architecture, Security Attacks, Security Information and Event Management (SIEM), Security Policy, Service Level Agreement (SLA), Software Development Lifecycle (SDLC), Software Patches, Software as a Service (SaaS), Talent Management, U.S. National Institute of Standards and Technology (NIST), Use Cases, eCommerce
LOCATION
Columbus, OH
POSTED
11 days ago
Overview

About PHOENIX
PHOENIX Retail, LLC is a retail platform operating the Express and Bonobos brands worldwide.

About Express
Express is a multichannel apparel brand dedicated to a design philosophy rooted in modern, confident and effortless style whether dressing for work, everyday or special occasions. Since its launch in 1980, the brand has embraced a design philosophy rooted in modern, confident and effortless style. Express ensures you look and feel your best, wherever life takes you. The Company operates over 400 retail and outlet stores in the United States and Puerto Rico, the express.com online store and the Express mobile app.

About Bonobos
Our Bonobos menswear brand is known for being a style instigator and offering perfect-fit risks through our innovative retail model and personalized experience. Launched online in 2007 with its signature line of chinos, Bonobos now offers a variety of styles available to order online and to try on at any one of our 50 Guideshop locations and at www.bonobos.com. Our Guideshops are in-real-life stores that deliver one-on-one service and expert fit advice. Don't think traditional retail, Bonobos is something you haven't seen before.

Responsibilities

POSITION OVERVIEW

The Director, Information Security & Governance serves as Phoenix Retail's senior information security leader with enterprise-wide accountability for the strategy, execution, and ongoing maturity of the company's information security, data protection, privacy controls, and AI security governance program. The role protects Phoenix Retail's omnichannel environment, including corporate systems, e-commerce platforms, store technology, customer and payment data, AI-enabled capabilities, and supporting infrastructure. The Director provides strategic leadership for the Information Security team, fostering a high-performance culture through mentorship and talent development to ensure the sustained operational excellence of the team and the organization.

Operating with the scope and presence of a Chief Information Security Officer, the Director leads enterprise security strategy, governance, policy, architecture, operations, incident response, AI security controls, and security risk management. The role advises executive leadership and the Board on security posture, emerging threats, regulatory obligations, business risk, and investments required to protect the company.

This leader partners closely with Technology, Development, Legal, Procurement, Internal Audit, Compliance, Finance, and business stakeholders to embed security across enterprise technology and vendor ecosystems. The Director is a key stakeholder in Third-Party Risk Management and owns Phoenix's PCI-DSS program with full accountability for readiness and outcomes. This is a strategic leadership role requiring strong hands-on technical credibility. The Director must also be able to engage directly with technical matters, including SIEM activity, detection validation, threat hunting, incident investigations, and AI control monitoring when needed.

KEY RESPONSIBILITIES

  • Serve as enterprise owner for Phoenix Retail's information security strategy, roadmap, governance model, security policy framework, and AI security governance, aligned to business priorities and retail operating needs.
  • Lead and mature a security program built against the NIST Cybersecurity Framework, including measurable controls, maturity targets, risk-based prioritization, and reporting to executive leadership and the Board.
  • Design, implement, and monitor controls for AI technologies and use cases, including acceptable-use standards, administrative approvals, data handling requirements, identity and access guardrails, logging, vendor risk inputs, usage monitoring, and spend/consumption oversight.
  • Own PCI-DSS across corporate, e-commerce, and store/cardholder data environments, including scoping, segmentation, control design, assessor coordination, remediation, evidence, and executive accountability for outcomes.
  • Lead application security across Phoenix Retail's digital commerce and enterprise application portfolio, embedding secure design, code review/SAST/DAST, testing, and risk acceptance into the SDLC.
  • Lead network, cloud, endpoint, identity, collaboration, and infrastructure security architecture and operations, ensuring appropriate controls across corporate, e-commerce, store, GCP, Google Workspace, and other key environments.
  • Own security operations, 24x7 monitoring, detection engineering, escalation, and incident response; maintain enough hands-on fluency with the SIEM to validate detections, review alerts, and support active investigations when required.
  • Direct threat and vulnerability management, including scanning, prioritization, remediation governance, patch SLAs, penetration testing, attack surface management, and executive risk reporting.
  • Partner with Legal and Procurement as a key security stakeholder in Third Party Risk Management, including vendor due diligence, contract security requirements, AI and SaaS provider reviews, control assessments, ongoing monitoring, and remediation tracking.
  • Review and approve security designs for new technology initiatives, AI-enabled capabilities, cloud services, store technology, payment systems, and major vendor platforms before production deployment.
  • Lead enterprise incident response planning, crisis coordination, tabletop exercises, post-incident reviews, and communications with executive, legal, operational, and technical stakeholders.
  • Partner with Internal Audit on control testing, evidence, and remediation while maintaining appropriate independence and avoiding self-audit.
  • Recruit, lead, coach, and develop a high-performing security team; establish clear ownership, operating rhythms, performance expectations, and career paths.
  • Own the security budget, tooling roadmap, vendor portfolio, managed service relationships, SLAs, renewals, and investment recommendations, including cost governance for emerging security and AI-related capabilities.
  • Communicate security risk clearly from analyst to Board level, translating technical issues into business impact, risk decisions, and actionable priorities.


REQUIRED EXPERIENCE & QUALIFICATIONS

  • Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or equivalent work experience.
  • 10+ years of progressive experience in information security, cybersecurity, technology risk, or a closely related area, including significant enterprise security leadership responsibility.
  • Demonstrated ability to operate as the senior security leader for a complex enterprise; retail, omnichannel, e-commerce, payment, or large distributed operating environment experience preferred.
  • Demonstrated proficiency with the NIST Cybersecurity Framework (CSF), including program design, maturity assessment, control mapping, remediation planning, and executive reporting.
  • Direct, accountable experience owning PCI-DSS in a merchant, e-commerce, payment, or retail environment.
  • Deep technical expertise across application security, network security, cloud and infrastructure security, endpoint security, identity and access management, vulnerability management, AI security governance, and security operations.
  • Ability to serve as the enterprise authority on securing AI-enabled tools, platforms, and workflows, with practical command of policy, administration, data protection, technical guardrails, monitoring, vendor governance, and cost-aware usage controls.
  • Familiarity with Google Cloud Platform (GCP) and Google Workspace environments, including administrative models, IAM, logging, data protection, and security configuration considerations.
  • Hands-on working proficiency with a major SIEM/SOC platform; Palo Alto XSIAM experience strongly preferred.
  • Proven incident response leadership, including high-severity security events, executive communications, tabletop exercises, post-incident reviews, and continuous improvement.
  • Experience leading and developing security teams, managed service providers, and cross-functional programs across Technology, Legal, Procurement, Internal Audit, and business stakeholders.
  • Experience presenting cybersecurity posture, risk, and investment recommendations to executive leadership, Audit Committee, or Board-level audiences.
  • CISSP or equivalent senior security credential required; CISM, CISA, CCSP, GIAC, or similar credentials are also valued.


CRITICAL SKILLS & ATTRIBUTES

  • CISO-level judgment and executive presence while operating effectively within a Director-level role.
  • Technically credible and current; able to challenge architecture, read SIEM detections, question control gaps, evaluate AI security risks, and contribute to investigations without displacing the team.
  • Strong AI security judgment; enables business use while enforcing administrative, technical, data, monitoring, and financial guardrails that are practical for a retail operating environment.
  • Strategic and pragmatic; balances risk reduction, customer trust, business speed, cost, and operational resilience.
  • Calm and decisive under pressure, especially during active incidents, peak retail periods, major releases, and audit/compliance cycles.
  • Strong communicator who can translate technical risk into business decisions for executives, Board members, auditors, attorneys, merchants, and engineers.
  • High ownership mindset; accountable for outcomes, not just recommendations.
  • Strong discretion, integrity, and judgment when handling sensitive security, legal, personnel, and incident information.


Closing

If you would like to know more about the California Consumer Privacy Act click here.

Applicants must be currently authorized to work full-time in the United States. PHOENIX does not sponsor applicants for work visas (e.g., H-1B or TN status) for this position.

An equal opportunity employer, PHOENIX does not discriminate in recruiting, hiring or any other terms and conditions of employment hiring on the basis of any federal, state, or locally protected characteristic. PHOENIX only hires individuals authorized for employment in the United States. PHOENIX is committed to providing reasonable accommodation to individuals with disabilities. If you need an accommodation to search and apply for a job position due to a disability, please call 1-800-964-9793 and say 'Associate Relations' or send an e-mail to AssociateRelations@Express.com and let us know the nature of your request and your contact information.

Notification to Agencies: Please note that PHOENIX does not accept unsolicited resumes or calls from third-party recruiters or employment agencies. In the absence of a signed Master Service Agreement and approval from HR to submit resumes for a specific requisition, PHOENIX will not consider or approve payment to any third-parties for hires made.

About the Company

E

Express & Bonobos

Resume Resources

Free Resume TemplatesFree Resume Builder