Director of Information Security
Headquartered in Cambridge, Massachusetts, CarGurus is the all-in-one platform that’s moving the entire car shopping journey online and guiding customers through each step. This includes everything from selling an old car to financing, purchasing, and delivering a new one. Today, millions of consumers visit cargurus.com each month, and more than 30,000 dealerships use our products. We have a people-first culture that fosters kindness, collaboration, and innovation, while empowering our Gurus with tools and resources to fuel their career growth. Our goal is to give all people—consumers, dealers, and our employees—the power to reach their destination.
Job Description
Role Overview
We are seeking a skilled and strategic cybersecurity leader with publicly traded SaaS company experience to join our team as Director of Information Security. In this role, you will be responsible for maintaining and enhancing our information security program, ensuring implementation of best practices, policies, procedures, and technologies to detect and protect against evolving cyber threats. The leader will align defined information security strategic initiatives with the company's strategic objectives while ensuring the team is informed and focused on those common goals.
As a leader in the organization, you will need to closely collaborate with business stakeholders such as Legal, IT, Enterprise Applications, Product and Engineering in order to ensure adherence to relevant regulations and industry standards coupled with confidentiality, integrity, and availability (CIA) of our systems and data. CarGurus prides itself on teamwork and collaboration.
You will need to have a security-first approach, helping to instill a culture of privacy and security throughout the company by educating on standards and best practices using practical business language. You need to be okay with being on center stage and embracing the spotlight! Wallflowers need not apply.
You must be able to quickly assess the world’s ever-changing security landscape and make practical decisions about potential risks and threats to the business. CarGurus runs at a fast pace, and you will need to be able to think quickly on your feet, especially when security events arise, and escalate to senior management when appropriate.
The role will report directly to the VP of Information Security, Technology and Enterprise Applications and will be responsible for overseeing Security Operations, Application Security, and IT Risk and Compliance.
What You'll Do:
- Manage, lead, mentor, and develop a high-performing security team.
- Conduct annual performance evaluations, build personal development and onboarding plans.
- Form solid, collaborative relationships with peers and key partners across the business.
- Maintain oversight of technical regulatory and compliance requirements.
- Ensure security is embedded in the minds and culture of all employees. This includes being involved with our community and continuously driving awareness through training, conversations, presentations, etc.
- Help manage vendor relationships.
- Own the security budget inclusive of working with the VP on annual budget planning.
- Set forth long-term Information Security strategic plans while including tactical tasks and goals aligning them with business objectives, risk tolerance, and regulatory requirements. Deliver and communicate them to key partners.
- Supervise security controls and the evolution of the company’s information security maturity.
- Ensure that information security policies, standards, and guidelines that mitigate risks and maintain compliance with industry regulations (e.g., GDPR, CPRA) and contractual obligations are enforced and reviewed on an appropriate cadence.
- Work with IT Risk and Compliance to identify, assess, and prioritize information security risks across the organization.
- Report on security metrics, risks, and mitigation strategies to leadership, relevant stakeholders, and the Audit Committee.
Technical Qualifications:
- Bachelor’s Degree or equivalent combination of education and experience in Information Security or Computer Science.
- Prior experience at a Director level; this is not a step-up role.
- Industry certifications such as GIAC certifications (GSLC, GSTRT, GLEG) and others; CISM, CISA, CRISC, are nice to have but if certifications aren’t your thing that is OK too.
- Deep understanding of cybersecurity and privacy principles, standards, and risk frameworks (e.g., NIST Cybersecurity Framework, CIS Controls, PCI-DSS, GDPR, CPRA).
- Prior experience with system audits and IT reporting for SOX (Sarbanes Oxley) and SOC compliance is a must.
- Supervise security controls and the evolution of the company’s Information Security maturity.
- Work closely with the Director of IT and Enterprise Applications on the implementation of large-scale projects and cross-functional initiatives.
- Understand the foundations of cloud and application security. Experience with GCP, AWS or Azure.
- Solid understanding of RBAC models, SSO solutions, identity stores, directory services (SAML 2.0, OAuth 2.0, OIDC) and identity governance.
- Provide feedback to security leaders on technical solutions while allowing them the flexibility to make the technical decisions.
- Proven track record of authoring and maintaining security policies, standards, and procedures.
Non-technical Qualifications:
- Must be able to prioritize projects and tasks in a pragmatic way while understanding the critical impacts and downstream implications to the business. Attention to detail and project management skills are required.
- Work with your leaders to build quarterly roadmaps. Present roadmaps to key partners, gain agreement and ensure alignment on initiatives.
- Being well organized is a must!
- Excellent communication and interpersonal skills, with the ability to effectively communicate complex technical concepts to diverse audiences in a personable way.
- Strong writing abilities are a must as you will be writing detailed reports for the Audit Committee and Senior Leadership.
- Adjust quickly to the security needs of a highly agile organization; must be flexible and adaptable to change.
- Love to learn and grow. If you don’t love staying current on emerging cybersecurity trends, threats, and solutions then this isn’t the job for you.
- Cannot be overly risk averse. We move quickly, innovate, and will try things in contained environments. You have to be OK with operating in this type of environment.
- Integrity, ownership, and accountability must be core to your values.
Who we are
At CarGurus (NASDAQ: CARG), our mission is to give people the power to reach their destination. We started as a small team of developers determined to bring trust and transparency to car shopping. Since then, our history of innovation and go-to-market acceleration has driven industry-leading growth. In fact, we’re the largest and fastest-growing automotive marketplace, and we’ve been profitable for over 15 years.
What we do
The market is evolving, and we are too, moving the entire automotive journey online and guiding our customers through every step. That includes everything from the sale of an old car to the financing, purchase, and delivery of a new one. Today, tens of millions of consumers visit CarGurus.com each month, and ~30,000 dealerships use our products. But they're not the only ones who love CarGurus—our employees do, too. We have a people-first culture that fosters kindness, collaboration, and innovation, and empowers our Gurus with tools to fuel their career growth. Disrupting a trillion-dollar industry requires fresh and diverse perspectives. Come join us for the ride!
Working at CarGurus
We reward our Gurus’ curiosity and passion with best-in-class benefits and compensation, including equity for all employees, both when they start and as they continue to grow with us. Our career development and corporate giving programs, as well as our employee resource groups (ERGs) and communities, help people build connections while making an impact in personally meaningful ways. A flexible hybrid model and robust time off policies encourage work-life balance and individual well-being. Thoughtful perks like daily free lunch, a new car discount, meditation and fitness apps, commuting cost coverage, and more help our people create space for what matters most in their personal and professional lives.
We welcome all
CarGurus strives to be a place to which people can bring the ultimate expression of themselves and their potential—starting with our hiring process. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We foster an inclusive environment that values people for their skills, experiences, and unique perspectives. That’s why we hope you’ll apply even if you don’t check every box listed in the job description. We also encourage you to tell your recruiter if you require accommodations to participate in our hiring process due to a disability so we can provide the appropriate support. We want to know what only you can bring to CarGurus. #LI-Hybrid