Senior Director, Information Security and Risk Management

Wilson Sonsini is the premier legal advisor to technology, life sciences, and other growth enterprises worldwide. We represent companies at every stage of development, from entrepreneurial start-ups to multibillion-dollar global corporations, as well as the venture firms, private equity firms, and investment banks that finance and advise them. The firm has approximately 1,100 attorneys in 17 offices: 13 in the U.S., two in China, and two in Europe. Our broad spectrum of practices and entrepreneurial spirit allow our staff exceptional opportunities for professional achievement and career growth.

The Senior Director of Information Security & Risk Management is responsible for leading and managing key aspects of the firm's information security and risk management program in support of the CISO. This role involves overseeing security engineering, operations, information governance, risk management, records management, and compliance activities, as well as contributing to the firm's overall security posture.

The Senior Director will work closely with practice groups, firm management, General Counsel’s office, and other administrative departments to address client and regulatory requirements and support the firm's strategic needs. Engagement with the GC’s office will include items such as supporting the review of client outside counsel guidelines, reporting on client audit requests; making recommendations associated with vendor contracts and third-party reviews; reporting on the status of any requested internal investigations; and generally supporting cybersecurity concerns associated with internal legal issues.  It is also imperative that the Senior Director actively network with peers at other firms and clients. Active engagement with organizations the firm belongs to for collaborative engagement around security and risk management decision making is also a critical activity of the position.

The Sr. Director will support the CISO in developing and implementing strategic initiatives to improve the firm’s security program, as well as in the development of metrics and associated briefings used to communicate the state and direction of the program to firm leadership.

MAIN DUTIES

Risk Management and Compliance:

• Lead firm-wide technology-related risk and compliance activities.  
• Lead firm-wide records management activities.
• Provide support for the risk management and compliance function.  
• Oversee client audit request workflows and coordinate firm IT audits.  
• Oversee the firm's risk registry and associated corrective action plans.  
• Oversee data input into the Governance Risk & Compliance (GRC) system and generate compliance metrics reports.  
• Track compliance remediation efforts and report on discrepancies to the firm CIO & CISO.  
• Maintain measures and metrics of risk related to the firm's security and IT posture.  
• Oversee employee compliance with security and privacy training.  
• Oversee risk assessments.  
• Oversee incident response protocols and vulnerability management programs. 
• Ensure compliance with firm standards and regulations.  
• Produce recommendations from risk evaluations that align with business needs.  
• Communicate risk metrics to firm leadership.  

Security Engineering and Operations

• Identify and implement emerging technologies where they can enhance firm best practices for mitigating cyber risk.
• Oversee security and risk management systems and architecture.  
• Oversee investigations and responses to security events from both the Security Operations team and Security Operations Center (SOC).  
• Oversee analysis and identification process and technology needs, and coordinate the design, installation, testing, and maintenance of security enhancements.  
• Improve the firm's security posture to mitigate threats.  
• Oversee the evaluation, selection, and implementation of security controls.  
• Hold regular meetings with firm leadership to review policy and procedure deficiencies.  
• Drive remediation activities and track compliance deliverables.  
• Oversee the product lifecycle and operations of security technologies.  
• Evaluate the security of infrastructure, network, and system designs.  
• Plan, coordinate, and drive changes to improve security.  
• Maintain knowledge of client security and risk management needs.  
• Stay current with emerging security technologies and trends and provide recommendations.  
• Participate in and provide leadership for the incident response process.

QUALIFICATIONS

• 7+ years leading information security programs.
• Master’s degree preferred.
• Experience in an AmLaw 50 law firm environment or professional services industry is a plus.
• Ability to communicate and coordinate risk-related information effectively.
• Strong communication skills with people from diverse backgrounds.  
• Knowledge and experience in risk management and compliance reporting.  
• Experience with GRC applications and metrics development.  
• Proven ability to lead and motivate teams.  
• Exceptional communication skills, including the ability to translate technical security concepts into business terms.  
• Demonstrated ability to understand and address business security and risk management needs.  
• Ability to identify technology-related risks and implement effective solutions.
• Strong analytical and problem-solving skills.
• Ability to visualize, plan, and execute process improvements.  
• Extensive knowledge of network architecture and design.  
• Relevant certifications such as CISSP, CISM, CISA, or similar are highly desirable.  
• Significant expertise in relevant security and risk management frameworks and disciplines (e.g., ISO 27001, NIST CSF, COBIT, etc.).  
   

The primary location for this job posting is in Washington, D.C., but other locations may be listed. The actual base pay offered will depend upon a variety of factors, including but not limited to the selected candidate’s qualifications, years of relevant experience, level of education, professional certifications and licenses, and work location. The anticipated pay range for this position is as follows:

San Francisco and Silicon Valley: $447,100 - $604,900 per year

Austin, Boston, Boulder, District of Columbia, Los Angeles, New York, San Diego, Seattle, and Wilmington: $402,390 - $544,410 per year

Salt Lake City and all other locations: $357,000 - $483,000 per year

The compensation for this position may include a discretionary year-end merit bonus based on performance. We offer a highly competitive salary and benefits package.

Benefits information can be found here. Equal Opportunity Employer (EOE).