Open Roles
Open Roles

InfoSec & IT Lead

TLDR

Hands-on lead shaping security, privacy and compliance for a small company, driving Zero Trust, SOC 2/ISO readiness, cross-border data privacy governance, and hands-on IT operations.

About RevOptimal:

RevOptimal is building the future of privacy-conscious identity resolution for advertising. Instead of relying on outdated identifiers like cookies, IP addresses, or device IDs, we resolve identity using deterministic, people-based signals to help advertisers reach real audiences with greater precision and confidence.

Our solutions power smarter audience targeting, cross-device attribution, and curated private marketplaces—helping brands and agencies make their data work harder.


The role:

We are hiring a hands-on InfoSec & IT Lead to design, operate, and mature a security, privacy and compliance program that protects our data, enables secure vendor & partner integrations, and keeps RevOptimal audit-ready for SOC 2 and other certifications. You will help design and build a secure cloud architecture, lead SOC 2 and ISO 27001:2022 readiness, drive Zero Trust adoption, own security operations and incident response, and be accountable for privacy compliance across US state laws and GDPR. The role also includes hands-on IT operations for a small company (<20 employees).


What you'll do:

Security strategy & architecture

  • Define and execute the company security strategy and roadmap across cloud, data, application, and infrastructure security.
  • Lead the design and pragmatic implementation of Zero Trust architecture principles (identity-centric controls, least-privilege access, micro-segmentation, device posture and conditional access).
  • Design and enforce secure cloud architecture patterns (AWS best practices for S3, IAM, KMS, VPCs, cross-account roles and clean-room integrations).
  • Implement secure key management, encryption at rest / in transit, and data classification & retention standards appropriate for sensitive data.

Compliance, GRC & Privacy (SOC 2, ISO 27001 & Data Privacy)

  • Own SOC 2 readiness, audit lifecycles and evidence automation.
  • Lead ISO 27001:2022 readiness and the ISMS lifecycle when appropriate (scoping, risk assessment & treatment, SoA, internal/external audits).
  • Own data privacy compliance frameworks across relevant regimes: US state privacy laws (e.g., CPRA/CCPA and other state statutes) and EU GDPR. Responsibilities include:
    • Maintain a comprehensive data map / Record of Processing Activities (RoPA) covering personal data flows, storage locations, retention and processors.
    • Run Data Protection Impact Assessments (DPIAs) for high-risk processing and partner integrations.
    • Operate a DSAR / DSR process (data subject access/deletion/portability requests) and ensure timely responses that meet legal deadlines.
    • Manage Data Processing Agreements (DPAs) and contractual privacy controls with vendors and partners.
    • Implement and enforce privacy-by-design/default controls and data minimization across technical and product solutions.
    • Ensure lawful cross-border data transfer mechanisms (e.g., SCCs, adequacy assessments, and technical safeguards) and document them appropriately.
  • Operate and maintain compliance automation tooling (e.g., Vanta) and privacy management tooling; track remediation and evidence collection.

Security operations & engineering

  • Build and operate detection & monitoring (centralized logging, alerting and lightweight SIEM).
  • Manage vulnerability scanning, third-party pen testing, remediation workflows and risk treatment.

Partner & cloud integrations

  • Secure onboarding and hardening of partner integrations (S3 buckets, IAM roles, cross-account access, clean-room patterns).
  • Assess and govern third-party security and privacy posture with technical and contractual controls.

IT operations & employee support

  • Manage day-to-day IT for a company <20 people: device lifecycle (MDM), endpoint protection, SSO/MFA, Google Workspace/Slack/Atlassian administration, onboarding/offboarding and enforcement of 2FA.
  • Own vendor relationships for IT/security/privacy services and provide escalated IT support.

Team, communication & culture

  • Evangelize security and privacy across the company: training, phishing simulations, privacy awareness.
  • Report security and privacy KPIs to executives (SOC 2/ISO coverage, Zero Trust adoption, DSAR SLAs, MTTR).


Required Qualifications:

  • 6+ years of professional experience in information security, with at least 3 years in a leadership/managerial role.
  • Hands-on cloud security experience in AWS (S3, IAM, KMS, CloudTrail, CloudWatch, VPCs, cross-account roles).
  • Proven experience leading SOC 2 readiness and audit programs and operating compliance automation tools.
  • Practical experience implementing Zero Trust principles in cloud environments.
  • Practical experience with GDPR and with US state privacy laws (CCPA/CPRA and/or other modern state privacy statutes), including DSAR/DSR handling, DPIAs, RoPA, DPAs and breach notification processes.
  • Strong operational security capabilities (vulnerability management, IR, logging/monitoring, IAM, encryption).
  • Practical IT operations experience for small companies (MDM, SSO/MFA, onboarding/offboarding).
  • Excellent written and verbal communication skills.
  • Formal security certification preferred (CISSP, CISM).

Preferred / nice-to-have

  • Experience directly driving or supporting ISO 27001:2022 certification and managing an ISMS.
  • Privacy certifications: CIPP/US, CIPP/E or equivalent.
  • Experience designing and implementing Zero Trust at scale and familiarity with NIST SP 800-207.
  • Familiarity with privacy and governance tooling (OneTrust, TrustArc, BigID) and with SOC 2 automation (Vanta).
  • Infrastructure as code experience (Terraform/CloudFormation) and secure CI/CD pipelines.
  • Experience with global privacy topics (Schrems II implications, SCCs, adequacy) and with managing cross-border transfer risk.
  • Familiarity with CPRA, Virginia, Colorado, Connecticut, Utah privacy rules and breach notification regimes.

Tools & technical environment (what you’ll use)

  • Cloud: AWS — S3, IAM, KMS, CloudTrail, CloudWatch, Inspector/Inspector2, cross-account roles, clean-room patterns.
  • Compliance & privacy: Vanta (SOC 2 automation) and privacy management tools (OneTrust/TrustArc or equivalent) for RoPA/DPIAs/DSAR workflows.
  • Identity & Zero Trust tooling: SSO/IdP (Okta/AWS SSO), MFA/conditional access, ZTNA/SASE or equivalent.
  • Productivity & HR: Google Workspace, Slack, Atlassian (Jira/Confluence), Rippling.
  • Detection/EDR/SIEM: CloudWatch/CloudTrail, AWS Inspector/Inspector2, chosen EDR/SIEM tooling.

Open Roles is a startup that focuses on delivering precise and privacy-conscious identity resolution for advertisers. We empower brands and agencies to effectively reach their target audiences by leveraging innovative, people-based signals instead of traditional identifiers. Our solutions enhance audience targeting, cross-device attribution, and facilitate curated private marketplaces in an increasingly privacy-forward advertising landscape.

View company profile
Apply for this job

Pro members saw this job first

New jobs unlock for everyone after 24 hours. Startup Jobs Pro shows them right away, with instant alerts and salary filters. From $7/month.

Get Pro