Director, Information Security

With world attention on both the environment and the economy, Environmental Defense Fund (EDF) is where policymakers and business leaders turn for win-win solutions. By focusing on strong science, uncommon partnerships and market-based approaches, we tackle urgent threats with practical solutions. We are one of the world’s largest environmental organizations, with more than two million members and a staff of approximately 630 scientists, economists, policy experts, and other professionals around the world. We operate in 22 geographies with unique projects running across four programs. You will be part of a vibrant workplace that welcomes diverse perspectives, talents and contributions, where innovation and results are a way of life.

The Director Information Security will be responsible for building and maintaining the vision, strategy, and programs necessary to ensure Environmental Defense Fund (EDF) information assets and technologies and data are adequately secured. As the champion of the organization’s next generation strategy, this individual will also drive the success of a platform of state of the art global shared security services. This individual is also responsible for providing leadership and guidance on the adherence to and implementation of the Company’s IT security policies and controls. The role will also be responsible for promoting IT security policies, practices and decisions through the consulting services offered by the team.


This leader also represents Information Security Architecture on various working groups. This role leads and develops others technical curiosity, careers and deliverables while leading by example through hands-on engineering consulting and relationship development across the EDF.


Key Competencies:


  • Proven expertise in Developing and maintaining plans to implement the information security strategy.

  • Specify the activities to be performed within the information security program.

  • Ensure alignment between the information security program and other assurance functions (e.g., physical, human resources, quality, IT).

  • Identify internal and external resources (e.g., finances, people, equipment, and systems) required to execute the security program.

  • Ensure the development of information security architectures (e.g., people, processes, technology).

  • Establish, communicate and maintain information security policies that support the security strategy.

  • Design and develop a program for information security awareness, training and education.

  • Ensure the development, communication and maintenance of standards, procedures and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.

  • Integrate information security requirements into the organization’s processes (e.g., change control, mergers and acquisitions) and life cycle activities (e.g., development, employment, procurement).

  • Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).

  • Establish metrics to evaluate the effectiveness of the information security program.





  • Leading the development and publishing of up-to-date security policies, standards and guidelines, and the enterprise-wide training and dissemination of security policies and practices.

  • Managing the enterprise’s security organization, including hiring, training, talent development and performance management.

  • Ensuring that security programs are in compliance with relevant laws, regulations and policies to minimize or eliminate risk and audit findings.

  • Setting and implementing consistent standards for IT security operations and support (i.e. intrusion detection systems, cyber security, firewalls, vulnerability assessment systems, penetration testing, secure email system, access control & identity management systems, network security, etc.).

  • Managing research and development activities designed to assess need, analyze costs and benefits, and develops strategies for deploying and integrating progressive security techniques and technologies.

  • Coordinating the use of external resources involved in the information security program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.

  • Providing strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls.

  • Creating, communicating and implementing a risk-based process for vendor risk management, including assessment and treatment for risks that may result from partners, consultants and other service providers.

  • Facilitating a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitating appropriate resource allocation, and increasing the maturity of the security.

  • The ideal candidate will be a thought leader in the area of information security and privacy. He or She will be a consensus builder with a track record of integrating people and processes to drive a cohesive security strategy for a globally complex and diverse enterprise.



Basic Qualifications


  • Minimum 15 years in technology organizations

  • 10+ years of success leading a security discipline within large organizations

  • Experience with Digital Rights Management technology

  • Deep experience with:

    • AWS / Azure / other cloud platforms

    • PCI Standards

    • Service Organization and Controls

    • Media/Video Transport systems

  • Familiarity with GDPR and similar data privacy regulations for other countries

  • Proven technical knowledge to enable efficient team management

  • Proven record of delivering business critical projects within challenging time frames, multiple stakeholders groups and competing priorities

  • Demonstrated experience in information security, privacy or a data protection-related function

  • Proven understanding of information security risk assessment and risk management procedures and methodologies

  • Ability to correlate enterprise risk with appropriate administrative, physical and technical security controls

  • Strong knowledge of information security principles, standards, practices and technologies

  • Strong knowledge of industry and regulatory requirements (i.e., PCI, SOX, Safe Harbor)

  • Proven strong background in IT Security and Operational processes


Required Education

  • BA/BS in business or computer science or bachelors and appropriate work experience

  • Require one of the following certification: CISSP, CISM, CISA or industry equivalent

Environmental Defense Fund is an equal opportunity employer where an applicant's qualifications are considered without regard to race, color, religion, sex, national origin, age, disability, veteran status, genetic information, sexual orientation, gender identity or expression, or any other basis prohibited by law.