Iambic Therapeutics, Inc - Associate Director, Information Security
Requirements
• 12+ years of progressive information security experience with a strong track record of hands-on technical execution
• Direct, practitioner-level experience in at least two of the three domains: GRC, IT security operations, and application/cloud security
• Experience collaborating with or embedding security within software engineering or product organizations
• Deep working knowledge of ISO 27001, including post-certification program management and audit readiness
• Familiarity with SOC 2, NIST CSF, HIPAA, SOX IT General Controls, and related frameworks
• Hands-on understanding of application security principles, secure SDLC practices, and cloud security (AWS, Azure, or GCP)
• Able to write and maintain clear, practical policies and standards directly, without relying on external consultants or pre-built templates
• Strong risk assessment skills with the ability to translate technical findings into business impact for non-technical audiences
• Experience supporting or preparing for a SOX readiness assessment or IPO-related compliance effort
• Direct experience with GRC platforms (Vanta, Drata, Tugboat Logic, or similar) and security tooling across endpoint, identity, SIEM, and AppSec domains
• Pragmatic and mission-driven; energized by doing meaningful work in a fast-moving clinical-stage environment
• Regulated industry experience strongly preferred; life sciences, biotech, or pharma background is a meaningful plus
• CISM, CISSP, or CRISC certification preferred; AWS Security Specialty, CCSP, or equivalent a plus
Responsibilities
• Drive and mature the company-wide information security program and strategy, including managing policies, standards, risk assessments, and the enterprise risk register
• Act as the primary internal authority on information security operations, advising leadership and department heads on risk and priorities
• Develop security metrics and reporting for technical and executive stakeholders
• Serve as a working technical mentor to security analysts, providing hands-on guidance, knowledge sharing, and day-to-day direction across IT and cloud security domains
• Own ISO 27001 certification and maintenance, including audits, evidence collection, and improvement
• Directly manage controls rationalization across frameworks (ISO 27001, SOC 2, NIST CSF, SOX ITGC) to support evolving compliance requirements
• Lead and execute the vendor and third-party risk management program
• Establish and maintain information security controls in alignment with life sciences regulatory requirements, including 21 CFR Part 11 and GxP
• Partner with the software, cloud security, and DevOps teams on expanding industry-standard security practices into the software development lifecycle
• Actively participate in security operations across the corporate IT environment, including hands-on involvement in endpoint security, identity and access management, vulnerability management, and security monitoring
• Define cloud security governance standards and policies for SaaS-hosted environments and oversee compliance
• Own and continuously improve the company-wide security awareness and training program
• Champion a realistic, risk-based security culture across a diverse workforce spanning research, clinical, and corporate functions
Benefits
• Associate Director $156K – $190K
• This position is based out of our San Diego office