VP, Security at Stax Bill

Apply

Job Type

Full-time

Description

The VP, Security is a key executive leader responsible for advancing Stax's enterprise security posture across cloud infrastructure, applications, identity and access management, and compliance frameworks. This role oversees all security operations, vulnerability management, audit programs (PCI DSS, SOC 1, SOC 2), and the strategic integration of security tools and controls. The VP, Security directs cross-functional teams, establishes security governance, and ensures alignment between Technology, Engineering, IT, Product, and Compliance on security strategy and execution. This position requires executive presence, hands-on cloud security expertise, and demonstrated ability to manage complex security transformations and third-party vendor relationships.

Responsibilities

Compliance, Audit & GRC Leadership

• Own and oversee Stax's PCI DSS and SOC 2 audit programs, ensuring successful annual execution, evidence collection, and remediation planning in partnership with external auditors
• Lead implementation and oversight of the SOC 1 audit program (Budget allocated for 2026) and coordinate requirements across all relevant business units
• Establish and maintain comprehensive security governance frameworks aligned with PCI DSS, SOC 1, and SOC 2 requirements
• Drive continuous improvement in audit readiness, control testing, and documentation to reduce remediation cycles
• Serve as executive liaison to external auditors, ASVs, and compliance partners
  
  

Cloud Security Architecture & AWS Governance

• Drive automation of security controls through Infrastructure-as-Code and AWS native capabilities
• Align AWS security posture with PCI encryption and network segmentation requirements
• Partner with Engineering and Cloud Architecture teams to embed security controls into CI/CD pipelines and deployment workflows
  
  

Security Operations & Threat Detection

• Direct Security Operations Center (SOC) activities and incident response programs, including: Splunk for SIEM, log analytics, and security event management, CrowdStrike for endpoint detection and response (EDR) and threat hunting, ReliaQuest for managed security services and SOC expansion, Cloudflare for DDoS mitigation, WAF, and perimeter security
• Ensure continuous improvement in detection capabilities, response playbooks, and mean-time-to-respond metrics
• Oversee Security Operations team (Jose Alvarado lead) and secure additional resources as needed for scaling operations
• Maintain operational readiness and cross-training across Splunk, CrowdStrike, ReliaQuest, and Cloudflare platforms
  
  

Vulnerability Management & Remediation

• Oversee comprehensive vulnerability management program using: Tenable for external vulnerability scans (ASV) to ensure PCI compliance, Qualys for enterprise internal vulnerability scanning and analysis, AWS Inspector for cloud-native vulnerability discovery, Snyk for Software Composition Analysis (SCA) and source code vulnerability detection, SonarQube for static application security testing (SAST) and code quality analysis, Aikido for runtime application security and CI/CD pipeline integration
• Monitor and report on vulnerability metrics, including remediation coverage across Stax Bill, BlockChyp, and other key platforms
• Implement blocking policies for critical vulnerabilities in deployment pipelines (in coordination with Aikido rollout)
• Ensure remediation accountability across CMD teams and engineering organizations
  
  

Identity, Access & Authentication

• Own Okta security posture and oversee all Okta upgrade initiatives, including: Okta FastPass passwordless authentication rollout and adoption, Okta governance and access control policy enforcement, Coordination of PCI requirements with IT and Compliance teams
• Establish and enforce least-privilege access principles across all systems and cloud environments
• Partner with IT to maintain Okta security hardening and MFA enforcement
  
  

Application & Code Security

• Oversee GitHub Enterprise security transition to CMD team, ensuring: Code repository security controls and access governance remain aligned with compliance, Executive sponsorship for budget, training, and organizational adoption
• Drive integration of security scanning tools into CI/CD pipelines: Snyk for dependency and composition analysis, SonarQube for SAST and code quality, Human Security for secrets detection and protection, Aikido for runtime protection and deployment gating
• Ensure all security scanning policies and deployment gates are enforced and monitored
  
  

Endpoint, Mobile & Data Protection

• Own endpoint and device security strategy, including: CrowdStrike for EDR and continuous endpoint monitoring, Jamf for macOS device management and compliance enforcement, Microsoft Intune for Windows and mobile device management, Security policy enforcement and remote wipe capabilities
• Oversee Mimecast email security and cross-train teams on operations and threat handling
• Lead Zscaler DLP rollout and data loss prevention capabilities across the organization
• Manage VDI security strategy and access controls for sensitive environments
  
  

Network & Physical Security

• Lead Network Hardening (Portnox) project through legal review and coordinate rollout with IT teams
• Provide executive sponsorship and direction for Orlando Office Access Control implementation
• Own perimeter security strategy using Cloudflare, AWS WAF, and AWS Shield Advanced
  
  

Security Awareness & Training

• Direct KnowBe4 security awareness and phishing campaign program
• Ensure annual security training compliance across all employees in partnership with HR
• Establish metrics for phishing click rates, training completion, and user security awareness improvement
  
  

Netskope & Advanced Network Security

• Oversee Netskope Zero Trust Network Access rollout: Coordinate resume of rollout across Engineering, QA, and Executive teams, Work with executive sponsors to unblock adoption challenges, Align Netskope security policies with zero-trust access principles
  
  

Human Security & Application Integrity

• Oversee Human Security rollout across development applications and infrastructure
• Coordinate rollout completion to BlockChyp and other remaining applications
• Leverage Human Security for secrets management and insider threat prevention
  
  

Team Leadership & Development

• Build and lead a high-performing security team spanning Cloud Security, Application Security, Security Operations, Vulnerability Management, and Governance, Risk & Compliance (GRC)
• Establish clear accountability, KPIs, and career development paths for team members
• Conduct regular one-on-ones, mentoring, and performance management
• Foster a culture of proactive security and compliance across the organization
• Represent security at executive and board-level discussions and strategy sessions
  
  

Key Relationships & Stakeholder Management

• Chief Technology Officer (CTO): Direct reporting relationship; executive alignment on security strategy and resource needs
• CMD Team: Oversee GitHub Enterprise transition, coordinate SCA/SAST tool integration
• VP Finance: Budget planning, vendor negotiations, and compliance-related spending
• Chief Compliance Officer / Audit: Partner on PCI, SOC 1, SOC 2 program execution and external auditor coordination
• HR: Security awareness training, phishing program coordination, and employee onboarding security
  
  

Personal Attributes

• Strategic thinker with ability to translate security requirements into operational execution
• Strong analytical and problem-solving skills
• Results-oriented and metrics-driven in approach to security improvement
• Excellent written and verbal communication skills
• Ability to influence without direct authority across Technology, Engineering, and Business teams
• Comfort with ambiguity and ability to drive clarity and alignment
• Passion for continuous learning in rapidly evolving security landscape
  
  

Core Competencies

• Executive Leadership: Strategic planning, team building, and organizational influence
• Cloud Security Architecture: AWS infrastructure, identity, and data protection
• Compliance & GRC: PCI DSS, SOC 2, audit readiness, and control frameworks
• Security Operations: Incident response, threat detection, and 24/7 operations management
• Vulnerability Management: Assessment, remediation, and risk prioritization
• Stakeholder Management: Executive communication, vendor relationships, and cross-functional alignment
• Technical Depth: Hands-on knowledge of security tools, cloud platforms, and infrastructure
  
  

Compensation & Benefits

• Salary: Competitive, based on experience and qualifications
• Benefits: Comprehensive benefits package including health insurance, 401(k), Open PTO, professional development budget
• Professional Development: Budget for certifications, conferences, and training
  
  

Work Environment & Expectations

• In office, Orlando, FL. preferred.
• May require on-call support during security incidents or critical system events
• Travel for industry conferences, audits, and vendor meetings (estimated 5-10% annually)
• Flexibility to respond to emerging security threats and compliance requirements outside standard business hours when needed
  
  

Requirements

• 10+ years in enterprise or cloud security leadership roles
• Minimum 5 years in a Vice President, Director, or equivalent executive-level security position
• Demonstrated expertise managing AWS security services and cloud-native threat detection (GuardDuty, Security Hub, WAF, Shield)
• Proven track record successfully leading PCI DSS and SOC 2 compliance programs through audit cycles
• Experience building, leading, and scaling security teams (minimum 5 people)
• Strong understanding of vulnerability management, remediation workflows, and security metrics
• Demonstrated ability to manage complex security tool integrations and multi-vendor environments
• Executive presence and communication skills for board-level presentations and stakeholder alignment
  
  

Required Knowledge

• Deep technical knowledge of SIEM platforms (Splunk preferred) and SOC operations
• Familiarity with identity and access management (Okta, Azure AD, or equivalent)
• Understanding of Zero Trust architecture and network access controls
• Knowledge of endpoint security and EDR platforms (CrowdStrike preferred)
• Experience with application security tools and CI/CD pipeline security
• PCI DSS compliance requirements and audit frameworks
• SOC 2 Type II audit requirements and control frameworks
• AWS IAM, networking, encryption, and infrastructure security best practices
  
  

Preferred Certifications

• CISSP (Certified Information Systems Security Professional)
• CISM (Certified Information Security Manager)
• AWS Certified Security – Specialty
• CCSK (Certified Cloud Security Knowledge)
• PCI Qualified Security Assessor (QSA) or related compliance certification