Director of Information Security
Job Summary:
The Director, Information Security, is highly experienced in leading our global security program with a strong emphasis on Governance, Risk, and Compliance (GRC), Data Governance, and Application/Product Security. As a global eCommerce leader, protecting customer trust, safeguarding sensitive data, and ensuring compliance across multiple regions is a top priority. This role will drive strategy, execution, and oversight of enterprise-wide security initiatives, ensuring that business operations remain resilient, secure, and compliant.
Job Expectations:
This is a leadership role that has accountability for identifying, evaluating, reporting, and managing information security risks in ways that meet security, compliance, and regulatory requirements with focus on GRC, Data Governance and Application/Product Security.
Develop a vision and strategy for comprised of governance, risk management, that will include measurable goals, objectives, and metrics
Design, develop, coordinate, and document the secure operation of information systems and develop best practices for securing enterprise-wide data and information systems
Ensure application/product security practices align with relevant industry standards, regulations, and compliance frameworks. Lead efforts to maintain and obtain necessary certifications.
Oversee the implementation of advanced security monitoring and analysis tools to detect and respond to security incidents and vulnerabilities
Evaluate the security posture of third-party cloud providers and vendors. Develop and implement strategies to manage and mitigate associated risks.
Build, mentor, and lead a team of security engineering, product security, cloud security and GRC professionals. Foster a collaborative and innovative work environment that encourages skill development and knowledge sharing.
The duties and responsibilities described above may provide only a partial description of this position. This is not an exhaustive list of all aspects of the job. Other duties and responsibilities not outlined in this document may be added as necessary or desirable, with or without notice.
Knowledge, Skills and Abilities:
Master’s degree in an Information Technology related field of study or equivalent post-high school education and/or work-related experience
Strong team leadership skills directing teams in Cybersecurity, Governance Risk and Compliance, Data Governance, Application/Product Security.
Experience leading and developing a strategic, comprehensive enterprise information security management program
10+ years of experience in Cybersecurity, GRC, Data Governance, Application or Product security
Experience implementing security practices in CI/CD environment
Self-motivation and the ability to work under minimal supervision are a must
Excellent at multitasking, and open to constant learning
Excellent problem solving and analytical skills; outstanding oral and written communication skills
Energetic and positive attitude
Governance, Risk & Compliance (GRC)
Lead enterprise-wide cybersecurity GRC programs, ensuring compliance with international regulations (GDPR, CCPA, PCI DSS, SOX, etc.) and industry standards (ISO 27001, NIST CSF).
Establish and maintain cybersecurity policies, frameworks, and risk management practices.
Oversee third-party risk management and vendor security assessments.
Partner with Legal, Compliance, and Internal Audit to support regulatory audits and certifications.
Data Governance & Protection
Defining and enforcing data governance strategy, ensuring protection of sensitive customers, employees, and business data across systems.
Implement data classification, retention, and handling practices aligned with global privacy regulations.
Collaborate with data teams to integrate security controls into data platforms and analytics environments.
Drive adoption of data loss prevention (DLP), encryption, and monitoring solutions.
Application/Product Security
Build and lead a global application/product security program integrated into the software development lifecycle (SDLC).
Define secure coding standards, conduct application security reviews, and champion DevSecOps practices. Strong understanding of common security threats, i.e. OWASP Top 10 and mitigation
Partner with engineering teams to embed security into CI/CD pipelines.
Oversee penetration testing, vulnerability management, and remediation processes for applications and APIs. In-depth knowledge of DevSecOps security tools and techniques for code analysis, vulnerability scanning, and risk assessment.
In-depth knowledge of DevSecOps security tools and techniques for code analysis, vulnerability scanning, and risk assessment. Working knowledge of security frameworks, tools, and methodologies (e.g., SAST, SCA, DAST, threat modeling, etc.).
Leadership & Strategy
Lead, mentor, and grow a global security team focused on GRC, data governance, and application security.
Act as a trusted advisor to executive leadership and the board on emerging security threats and business risks.
Develop multi-year cybersecurity strategy aligned with business objectives.
Foster a security-first culture across the enterprise through training and awareness programs.
Hands-on experience with Familiarity with cloud security and DevSecOps practices.
Ensure adherence to relevant regulatory requirements and industry best practices related to product security (e.g., GDPR, NIST CSF, PCI, SOC2, OWASP, etc.).
Judgment/Reasoning Ability: Able to identify, troubleshoot and resolve problems quickly using sound judgment, poise and diplomacy. Ability to use judgment and reasoning skills, and determine when to escalate issues, as required, in a timely manner.
Physical Demands: The physical demands described here are representative of those that must be met by a Team Member to successfully perform the essential functions of this job. While performing the duties of this job, the Team Member is regularly required to talk and hear. The Team Member is frequently required to sit, walk, climb stairs, use hands and fingers, bend, stoop and reach with hands and arms. Reaching above shoulder heights, below the waist or lifting as required to file documents or store materials throughout the work day. The Team Member may occasionally lift or move office products and supplies up to 25 pounds. Proper lifting techniques required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
Work Environment: The noise in the work environment is usually moderate. Other factors are:
Hectic, fast-paced with multi-level distractions
Professional, yet casual work environment
Office / Warehouse environment
Ability to work extended hours as required
#LI-JC1
The anticipated pay scale for this position can be found below, however the pay range applicable to you may vary by geographic location based on where the job is located or where you work. The final pay offered to a successful candidate will be dependent on several factors that may include but are not limited to the type and years of experience within the job, the type of years and experience within the industry, education, etc. iHerb, LLC is a multi-state employer and this pay scale may not reflect positions that work in other states or locations. Employees (and their families) that meet eligibility criteria as outlined in applicable plan documents are eligible to participate in our medical, dental, vision, and basic life insurance programs and may enroll in our company’s 401(k) plan. Employees will also be eligible for Time Off and Paid Sick Leave pursuant to the company’s policies. Employees will enjoy paid holidays throughout the calendar year. Eligibility requirements for these benefits will be controlled by applicable plan documents. Hired applicant may be awarded Restrict Stock Units and receive annual bonuses pursuant to eligibility and performance criteria defined in the respective plan documents and policies. For more information on iHerb benefits, visit us at iHerbBenefits.com.
Anticipated Pay Scale:
$205,956—$275,834 USD
About the job
Apply for this position
Director of Information Security
Job Summary:
The Director, Information Security, is highly experienced in leading our global security program with a strong emphasis on Governance, Risk, and Compliance (GRC), Data Governance, and Application/Product Security. As a global eCommerce leader, protecting customer trust, safeguarding sensitive data, and ensuring compliance across multiple regions is a top priority. This role will drive strategy, execution, and oversight of enterprise-wide security initiatives, ensuring that business operations remain resilient, secure, and compliant.
Job Expectations:
This is a leadership role that has accountability for identifying, evaluating, reporting, and managing information security risks in ways that meet security, compliance, and regulatory requirements with focus on GRC, Data Governance and Application/Product Security.
Develop a vision and strategy for comprised of governance, risk management, that will include measurable goals, objectives, and metrics
Design, develop, coordinate, and document the secure operation of information systems and develop best practices for securing enterprise-wide data and information systems
Ensure application/product security practices align with relevant industry standards, regulations, and compliance frameworks. Lead efforts to maintain and obtain necessary certifications.
Oversee the implementation of advanced security monitoring and analysis tools to detect and respond to security incidents and vulnerabilities
Evaluate the security posture of third-party cloud providers and vendors. Develop and implement strategies to manage and mitigate associated risks.
Build, mentor, and lead a team of security engineering, product security, cloud security and GRC professionals. Foster a collaborative and innovative work environment that encourages skill development and knowledge sharing.
The duties and responsibilities described above may provide only a partial description of this position. This is not an exhaustive list of all aspects of the job. Other duties and responsibilities not outlined in this document may be added as necessary or desirable, with or without notice.
Knowledge, Skills and Abilities:
Master’s degree in an Information Technology related field of study or equivalent post-high school education and/or work-related experience
Strong team leadership skills directing teams in Cybersecurity, Governance Risk and Compliance, Data Governance, Application/Product Security.
Experience leading and developing a strategic, comprehensive enterprise information security management program
10+ years of experience in Cybersecurity, GRC, Data Governance, Application or Product security
Experience implementing security practices in CI/CD environment
Self-motivation and the ability to work under minimal supervision are a must
Excellent at multitasking, and open to constant learning
Excellent problem solving and analytical skills; outstanding oral and written communication skills
Energetic and positive attitude
Governance, Risk & Compliance (GRC)
Lead enterprise-wide cybersecurity GRC programs, ensuring compliance with international regulations (GDPR, CCPA, PCI DSS, SOX, etc.) and industry standards (ISO 27001, NIST CSF).
Establish and maintain cybersecurity policies, frameworks, and risk management practices.
Oversee third-party risk management and vendor security assessments.
Partner with Legal, Compliance, and Internal Audit to support regulatory audits and certifications.
Data Governance & Protection
Defining and enforcing data governance strategy, ensuring protection of sensitive customers, employees, and business data across systems.
Implement data classification, retention, and handling practices aligned with global privacy regulations.
Collaborate with data teams to integrate security controls into data platforms and analytics environments.
Drive adoption of data loss prevention (DLP), encryption, and monitoring solutions.
Application/Product Security
Build and lead a global application/product security program integrated into the software development lifecycle (SDLC).
Define secure coding standards, conduct application security reviews, and champion DevSecOps practices. Strong understanding of common security threats, i.e. OWASP Top 10 and mitigation
Partner with engineering teams to embed security into CI/CD pipelines.
Oversee penetration testing, vulnerability management, and remediation processes for applications and APIs. In-depth knowledge of DevSecOps security tools and techniques for code analysis, vulnerability scanning, and risk assessment.
In-depth knowledge of DevSecOps security tools and techniques for code analysis, vulnerability scanning, and risk assessment. Working knowledge of security frameworks, tools, and methodologies (e.g., SAST, SCA, DAST, threat modeling, etc.).
Leadership & Strategy
Lead, mentor, and grow a global security team focused on GRC, data governance, and application security.
Act as a trusted advisor to executive leadership and the board on emerging security threats and business risks.
Develop multi-year cybersecurity strategy aligned with business objectives.
Foster a security-first culture across the enterprise through training and awareness programs.
Hands-on experience with Familiarity with cloud security and DevSecOps practices.
Ensure adherence to relevant regulatory requirements and industry best practices related to product security (e.g., GDPR, NIST CSF, PCI, SOC2, OWASP, etc.).
Judgment/Reasoning Ability: Able to identify, troubleshoot and resolve problems quickly using sound judgment, poise and diplomacy. Ability to use judgment and reasoning skills, and determine when to escalate issues, as required, in a timely manner.
Physical Demands: The physical demands described here are representative of those that must be met by a Team Member to successfully perform the essential functions of this job. While performing the duties of this job, the Team Member is regularly required to talk and hear. The Team Member is frequently required to sit, walk, climb stairs, use hands and fingers, bend, stoop and reach with hands and arms. Reaching above shoulder heights, below the waist or lifting as required to file documents or store materials throughout the work day. The Team Member may occasionally lift or move office products and supplies up to 25 pounds. Proper lifting techniques required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
Work Environment: The noise in the work environment is usually moderate. Other factors are:
Hectic, fast-paced with multi-level distractions
Professional, yet casual work environment
Office / Warehouse environment
Ability to work extended hours as required
#LI-JC1
The anticipated pay scale for this position can be found below, however the pay range applicable to you may vary by geographic location based on where the job is located or where you work. The final pay offered to a successful candidate will be dependent on several factors that may include but are not limited to the type and years of experience within the job, the type of years and experience within the industry, education, etc. iHerb, LLC is a multi-state employer and this pay scale may not reflect positions that work in other states or locations. Employees (and their families) that meet eligibility criteria as outlined in applicable plan documents are eligible to participate in our medical, dental, vision, and basic life insurance programs and may enroll in our company’s 401(k) plan. Employees will also be eligible for Time Off and Paid Sick Leave pursuant to the company’s policies. Employees will enjoy paid holidays throughout the calendar year. Eligibility requirements for these benefits will be controlled by applicable plan documents. Hired applicant may be awarded Restrict Stock Units and receive annual bonuses pursuant to eligibility and performance criteria defined in the respective plan documents and policies. For more information on iHerb benefits, visit us at iHerbBenefits.com.
Anticipated Pay Scale:
$205,956—$275,834 USD