
Principal Audit and Compliance Consultant

Professional Services | Remote | Full Time | From $139,544 to $181,407 per year

Job Description

At DirectDefense, we provide cutting-edge cybersecurity and compliance solutions to organizations across multiple industries, including finance, healthcare, government, and technology. Our team of experts is dedicated to helping clients identify, assess, and mitigate IT risks while meeting their regulatory compliance obligations.

Position Overview

We seek a Principal Audit and Compliance Consultant to join our Compliance team. In this role, you will lead comprehensive risk assessments, compliance evaluations, and internal and external audits across various regulatory frameworks. You will also provide expert guidance on designing and implementing robust information security programs tailored to organizational needs.

This is an exciting opportunity for an experienced compliance professional who thrives in a fast-paced environment, enjoys working across diverse industries, and excels at translating technical security concepts into actionable business strategies.

Key Responsibilities

  • Conduct and lead risk and compliance assessments for frameworks such as ISO 27001, PCI-DSS, GDPR, NIST SP 800-53, and HIPAA.
  • Evaluate IT security policies, architecture, and controls to ensure compliance with industry standards.
  • Develop and implement information security programs or specific components based on regulatory requirements and best practices.
  • Perform IT audits and security risk assessments, identifying vulnerabilities and recommending remediation strategies.
  • Guide organizations in managing policy exceptions by documenting risks, proposing compensating controls, and defining remediation action plans.
  • Communicate effectively with technical teams and executive leadership, providing strategic recommendations and technical documentation.
  • Provide cybersecurity strategic planning, risk mitigation, and remediation planning expertise.
  • Draft executive-level reports and technical documentation, including compliance assessment findings and security recommendations.

Required Qualifications & Experience

  • Minimum 5 years of risk and compliance experience, including conducting assessments for one or more of the following frameworks: ISO 27001, PCI-DSS, GDPR, NIST SP 800-53, or HIPAA.
  • Strong understanding of security architecture, infrastructure, networking, and system design.
  • Expertise in IT security principles, including firewall management, server security, SIEM, IDS/IPS, web proxies, access control, and authentication.
  • Proven ability to assess security frameworks and control design across complex IT environments.
  • Experience managing security policy exceptions and working with stakeholders to document risks and define mitigation strategies.
  • Ability to work independently with minimal supervision while managing multiple projects simultaneously.
  • Excellent communication skills, including translating technical security concepts into actionable insights for stakeholders.
  • Strong experience in remediation planning, cybersecurity strategic planning, and technical writing.

Preferred Qualifications

  • Working knowledge of at least two of the following compliance frameworks and standards:
    • NIST RMF, FISMA / FedRAMP, NIST CSF, DFARS / NIST SP 800-171, AICPA SOC 2, HIPAA / HITRUST / HITECH, PCI-DSS, GDPR
  • Experience leading IT projects or serving in a project management role.

Certifications (Required – at least one of the following)

  • CISSP – Certified Information Systems Security Professional (ISC)²
  • CAP – Certified Authorization Professional (ISC)² (now offered by ISC2 as CGRC, Certified in Governance, Risk and Compliance)
  • CISM – Certified Information Security Manager (ISACA)
  • Security+ – CompTIA
  • CISA – Certified Information Systems Auditor (ISACA)
  • ISO 27001 Lead Implementer / Lead Auditor
  • GIAC Systems and Network Auditor (GSNA)
  • IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor)
  • CIA – Certified Internal Auditor (IIA)


Benefits include:

  • 401(k)
  • AD&D Insurance
  • Dental Insurance
  • Disability insurance
  • Health insurance
  • Life insurance
  • Vision insurance
  • Flex PTO program
  • Paid certification and continuing education

Work schedule: Monday through Friday

Work hours: 40 hours a week


A little about DirectDefense

Since coming together in 2011 to form DirectDefense, our team has been committed to offering cybersecurity defense strategies that are unmatched in the industry. Whether we are performing assessments of networks, platforms, and applications or applying managed services to improve your organization's security posture, we are focused on providing world-class services that don't just work; they work for you.

OUR MISSION

We establish partnerships with our clients based on trust and results. We leverage our deep industry knowledge and expertise to identify and remediate blind spots in your security program, provide meaningful visibility of your entire enterprise, and align your organization with security best practices and compliance standards.

OUR VISION

We aim to secure organizations across all industries against advanced threats and attacks in today’s world. Acting in partnership with organizations, we will provide unmatched information security services designed to improve your overall security posture, close gaps, and track vulnerabilities continuously through continued education and support.

EEO Commitment

We’re an equal employment opportunity/affirmative action employer that empowers our people to fearlessly drive change – no matter their race, color, ethnicity, religion, sex (including pregnancy, childbirth, lactation, or related medical conditions), national origin, ancestry, age, marital status, sexual orientation, gender identity and expression, disability, veteran status, military or uniformed service member status, genetic information, or any other status protected by applicable federal, state, local, or international law.

As Colorado law requires under the Equal Pay for Equal Work Act, DirectDefense provides a reasonable compensation range for roles that may be hired in Colorado. Actual compensation is influenced by a wide array of factors, including but not limited to skill set, level of experience, and specific office location. For the state of Colorado only, the range of starting pay for this role is $139,544 to $181,407 per year with a bonus package.
