Director, Information Security

Legal and Privacy | Portland, OR | Full Time

Job Description

Have you always dreamed of being a part of a world-class team, but haven’t quite found a culture that truly understands what this means? Well, this may be that dream opportunity ready for the taking. Janrain, an Identity Cloud service provider, has built a culture that is a magnet for top talent – a culture where innovation, intellectual honesty, and team camaraderie are more than core values. Janrain is on its way to becoming the largest digital identity network in the world, with the need to expand its team with people who have an insatiable appetite for success with the team in mind. That’s where you come in. If you are looking to work in a fast-paced, highly collaborative environment focused on leading-edge technology, then we should talk. We are looking for an energetic, enthusiastic, well-organized team player to join our team as a Director, Information Security.

Primary Responsibilities

  • Further develop, maintain, and run Janrain’s Information Security Management System (ISMS) and related enterprise-wide policies and programs to ensure information assets are protected, technology systems are secure, and security and business continuity risk/reward decisions are balanced and comply with external regulatory requirements while maintaining an understanding of the challenges facing the business
  • Work in a highly collaborative team environment to serve as the security SME throughout the company and with prospects and clients, and contribute towards the goal of developing and maintaining industry-leading cybersecurity practices
  • Use subject matter expertise, technical knowledge, and project management skills to gain and maintain compliance with:
    • SOC 2 Type 2 (all five trust principles)
    • Cloud Security Alliance Certification
    • ISO 27001:2013
    • ISO 27018:2014
  • Document our developed strategies and compliance requirements in order to ensure follow-through, and collaborate with VP Privacy and Product teams to ensure security and privacy by default and design practices are followed in the product lifecycle
  • Utilize your experience in security best practices (and knowledge of failure), and your desire to build domain knowledge, and act from a position of expertise and case-specific need while championing security best practices in all areas of the business
  • Conduct quarterly controls review and internal audit, and coordinate external audits and company readiness
  • Conduct security training (corporate, contractor and job specific) and track and report on security metrics (KPIs and KRIs)
  • Responsible for the annual Risk Assessment and for maintaining the Janrain risk register
  • Manage vulnerabilities by identifying, ranking, and prioritizing them, coordinating their remediation, and driving resolution through Product and Engineering
  • Maintain, execute and enforce the company’s external parties risk assessment program to assess systems, vendors and contractors, agencies, and partners.
  • Manage internal access controls

Required Skills/Education

  • Minimum 6+ years of experience managing security processes and related infrastructure for internet-attached services
  • 3+ years operating within at least one major security compliance framework (ISO 27001, PCI DSS, SOC, CSA Level 2, or HIPAA), including owning internal preparations and facilitating active audit support
  • 2+ years in a senior role owning full security lifecycle and operational processes for internet-hosted software products
  • 2+ years working within SDLC (development) and ISMS (operational) frameworks, including implementing new policies and ensuring relevant controls are followed
  • Experience performing gap analysis and developing change plans to align software architectures with required secure implementation practices
  • Experience championing process improvements needed to operationalize security practices and to make them repeatable/enforceable 
  • Ongoing work demonstrating functional knowledge through industry certifications such as CISM and/or CRISC
  • Ability to present and speak well to colleagues and clients (including their CISOs) and intersect with individuals throughout the company from technical individual contributors to senior executives
  • Solid experience managing external/third party controls and internal access controls
  • College degree
  • Knowledge of scrum and agile development processes

In addition, the Director of Information Security should have knowledge of the following:

  • Threats and vulnerabilities related to:
    • Business processes and initiatives
    • Third-party management
    • Data management
    • Hardware, software and appliances
    • The software development life cycle (SDLC)
    • Project and program management
    • Business continuity and disaster recovery management (DRM)
    • Management of IT operations

  • Methods to identify risk
  • Risk scenario development tools and techniques
  • Risk identification and classification standards, and frameworks
  • Risk event and incident concepts (examples include: contributing conditions, lessons learned, loss result)
  • Elements of a risk register
  • Risk appetite and tolerance
  • Risk analysis methodologies
  • Organizational structures
  • Organizational assets (eg, people, technology, data, trademarks, intellectual property) and business processes including enterprise risk management (ERM)
  • Organizational policies and standards
  • Business process review tools and techniques
  • Analysis techniques (eg, root cause, gap, cost-benefit, return on investment)
  • Capability assessment models and improvement techniques and strategies
  • Data analysis, validation and aggregation techniques (eg, trend analysis, modeling)
  • Data collection and extraction tools and techniques
  • Principles of risk and control ownership
  • Characteristics of inherent and residual risk
  • Exception management practices
  • Risk assessment standards, frameworks, and techniques
  • Risk response options and criteria for selection
  • Information security concepts and principles, including confidentiality, integrity, and availability of information
  • Systems control design and implementation, including testing methodologies and practices
  • The impact of emerging technologies on design and implementation of controls
  • Requirements, principles, and practices for education and training on risk and control activities
  • Key risk indicators (KRI)
  • Risk monitoring tools and techniques
  • Risk monitoring standards and frameworks
  • Risk reporting tools and techniques
  • IT risk management best practices
  • Key performance indicators (KPIs)
  • Control types, standards, and frameworks
  • Control monitoring and reporting tools and techniques
  • Control assessment types (eg, self-assessment, audits, vulnerability assessments, penetration tests, third-party assurance)
  • Control activities, objectives, practices and metrics related to:
    • Business processes
    • Information security including technology certification and accreditation practices
    • Third-party management including service delivery
    • Data management
    • The software development life cycle (SDLC)
    • Project and program management
    • IT operations management
    • The information systems architecture (eg, platforms, networks, applications, databases, and operating systems)



If you enjoy working for an innovative and rapidly growing company with a clear mission, apply today! We are located in the vibrant Pearl District in Portland, Oregon. You will enjoy free public transportation passes, bike storage, showers, stocked kitchens and monthly happy hours to socialize with your colleagues and celebrate our successes. In addition, Janrain offers a generous benefit package to take care of you and your family, which includes medical, dental, and vision coverage, paid time off, 401K, life insurance, disability plans and stock options.

To apply for this position, please send a resume and cover letter to:

Position Type:  Full-Time/Regular

You must be authorized to work in the United States.  To all recruitment agencies: Janrain only accepts agency resumes from agencies with an approved agency contract. Agencies must contact Human Resources. Please do not forward resumes to our jobs alias, Janrain employees or any other company location. Janrain is not responsible for any fees related to unsolicited resumes.

Janrain is an equal opportunity employer. Employment here is based solely upon one’s individual merit and qualifications directly related to professional competence. We don’t discriminate on the basis of race, color, religion, national origin, ancestry, pregnancy status, sex, age, marital status, disability, medical condition, sexual orientation, gender identity, or any other characteristics protected by law.