
Senior Director, Information Security & Compliance

United States

About Beeline Medicines:

Beeline Medicines is a clinical‑stage biotechnology company focused on developing and delivering category-leading precision therapies to transform the lives of people living with autoimmune and inflammatory diseases. With a portfolio of potential best-in-class and first-in-disease therapeutic candidates that directly target key pathways governing dysregulated immunological and inflammatory responses, the Company is developing medicines that have the opportunity to provide durable, life-changing impact. Led by an established executive team and backed by world-class life science investors, each day Beeline Medicines is determined to bring the scientific rigor and operational excellence to get to what matters for patients – realizing a world where people with immune-mediated diseases can live life fully.

Job Summary:

The Senior Director, Information Security & Compliance is responsible for building, operating, and continuously improving the company's information security program. This role owns security governance, risk management, regulatory compliance, and security operations across all IT systems and data. The Senior Director establishes the security policy framework, manages relationships with managed security service providers, coordinates external security assessments, and ensures the company maintains a security and compliance posture appropriate for a clinical-stage biopharma preparing for public company obligations. This is a hands-on leadership role. At a company of this size, the Senior Director operates as a solo security practitioner with significant leverage through managed security partners (SentinelOne Vigilance MDR, Huntress ITDR/SIEM, Zscaler ZIA) and external assessment firms. The role reports to the VP of IT and works closely with Quality, Legal, Finance, and external auditors to ensure security controls satisfy SOX, GDPR, GxP, and FDA regulatory requirements.


Work Arrangement & Location:

Remote - This position is designated as remote; the incumbent will be expected to travel to Beeline Medicines’ offices on a periodic basis to support in-person collaboration, team engagement, and business operations. The frequency and scheduling of such visits will be determined at the company's discretion based on business need.


Essential Duties and Responsibilities:

  • Security Governance & Policy. Own the information security policy framework, including development, maintenance, and periodic review of all security policies, standards, and procedures. Ensure policies align with NIST CSF 2.0, NIST SP 800-53, and applicable regulatory requirements (SOX, GDPR, GxP). Present the security posture and risk landscape to IT leadership and executive stakeholders.
  • Risk Management & Vendor Security. Lead IT risk management activities, including risk identification, assessment, treatment planning, and risk register maintenance. Conduct and coordinate vendor security risk assessments for third-party service providers. Support the company's broader enterprise risk management process with IT-specific risk inputs.
  • Compliance & External Assessments. Own IT General Controls (ITGCs) for SOX compliance readiness, including access controls, change management controls, computer operations, and audit evidence preparation. Coordinate with external SOX auditors, providing documentation, walkthroughs, and remediation of findings. Manage relationships with external firms performing penetration testing, NIST controls mapping, and security control assessments.
  • Security Operations & MSSP Management. Manage the company's managed security service provider ecosystem, including SentinelOne Vigilance MDR (endpoint detection and response), Huntress (identity threat detection, SIEM), and Zscaler ZIA (network security). Define alert escalation procedures, review detection efficacy, and ensure coordinated incident response across all providers.
  • Incident Response. Own the security incident response program, including the incident response plan, tabletop exercises, breach notification procedures, and post-incident reviews. Serve as the primary technical incident coordinator, working with managed security providers for detection and containment and with Legal and the external DPO for regulatory notification obligations.
  • Identity & Access Governance. Design and enforce identity and access management controls in Microsoft Entra ID, including Conditional Access policies, privileged access governance, access reviews, and role-based access control. Ensure access controls satisfy SOX ITGC requirements, FDA 21 CFR Part 11 electronic access provisions, and GDPR data access minimization principles.
  • Security Awareness & Training. Own security awareness and training program execution in coordination with KnowBe4, including phishing simulation campaigns, security awareness training content, completion tracking, and remedial training for failed simulations. Maintain training records as audit evidence for SOX and GxP compliance.
  • Perform other duties and responsibilities as assigned.


Qualifications:

  • Education: Bachelor's degree in Information Security, Computer Science, Information Technology, or a related discipline; equivalent professional experience accepted.
  • 12+ years of progressive information security experience with at least 5 years in a security leadership role (Manager, Director, or equivalent) preferred.
  • Demonstrated experience building or significantly maturing an information security program, including policy development, risk management, and compliance framework implementation.
  • Experience with security frameworks: NIST CSF, NIST SP 800-53, ISO 27001, or equivalent.
  • Direct experience with SOX IT General Controls — either implementing ITGCs for IPO readiness or supporting ongoing SOX compliance at a public company.
  • Strong working knowledge of Microsoft 365 security controls, including Entra ID, Conditional Access, Defender, and Purview.
  • Experience managing managed security service providers (MDR, MSSP, or similar) and coordinating external security assessments (penetration testing, controls testing, risk assessments).
  • Independent judgment and self-direction — this role operates as a solo security practitioner at a small company and must prioritize effectively without day-to-day supervision.
  • Strong written and verbal communication with the ability to translate security risks into business terms for executive and non-technical audiences.

Salary Range:

The expected salary range for this position varies by location and will be communicated based on the country or region in which the selected candidate is hired. Actual pay will be determined based on experience, qualifications, location, and other job-related factors permitted by applicable local law. A discretionary annual bonus and long-term incentive award (e.g., equity) may be available based on individual and Company performance.

Salary Range

$264,000 - $285,000 USD

Benefits:

We offer a comprehensive benefits package tailored to the country and region in which you are hired, in compliance with local laws and practices. Benefits may include, but are not limited to:

  • Competitive health and wellness coverage (structure and premiums vary by country)
  • Paid time off, public holidays, and additional leave entitlements in accordance with local requirements
  • Flexible work arrangements / hybrid schedule

Benefits vary by location and are subject to eligibility requirements, local regulations, and plan terms. Specific benefit details applicable to your country or region will be provided during the offer process.

Equal Employment Opportunity:

Beeline Medicines is an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity or expression, national origin, disability, age, protected veteran status, or any other characteristic protected by applicable federal, state, or local law.

Reasonable Accommodation:

If you require a reasonable accommodation to participate in the application or interview process, please contact careers@beelinemedicines.com to request an accommodation. We are committed to providing equal access to all candidates.

Privacy

Upon submission of this form I understand that Beeline Medicines is based in the United States and personal data submitted in the form will be transferred and accessed in the U.S. Information about Beeline Medicines privacy practices can be found at Privacy Policy - Beeline Medicines


When you apply to a job on this site, the personal data contained in your application will be collected by Beeline Medicines Corporation (“Controller”), which is located at 200 Clarendon Street, Boston, MA 02116, United States and can be contacted by emailing Privacy@beelinemedicines.com. Controller’s data protection officer is James Finchen, who can be contacted at Privacy@beelinemedicines.com. Your personal data will be processed for the purposes of managing Controller’s recruitment related activities, which include setting up and conducting interviews and tests for applicants, evaluating and assessing the results thereto, and as is otherwise needed in the recruitment and hiring processes. Such processing is legally permissible under Art. 6(1)(f) of Regulation (EU) 2016/679 (General Data Protection Regulation) as necessary for the purposes of the legitimate interests pursued by the Controller, which are the solicitation, evaluation, and selection of applicants for employment.

Your personal data will be shared with Greenhouse Software, Inc., a cloud services provider located in the United States of America and engaged by Controller to help manage its recruitment and hiring process on Controller’s behalf. Accordingly, if you are located outside of the United States, your personal data will be transferred to the United States once you submit it through this site. Greenhouse is certified to the EU-U.S. Data Privacy Framework, which the European Commission has determined ensures an adequate level of protection – comparable to that of the EU – for personal data transferred from the EU.

Your personal data will be retained by Controller as long as Controller determines it is necessary to evaluate your application for employment. Under the GDPR, you have the right to request access to your personal data, to request that your personal data be rectified or erased, and to request that processing of your personal data be restricted. You also have the right to data portability. In addition, you may lodge a complaint with an EU supervisory authority.


By acknowledging, I certify that the information I have provided in this application, resume, and any other materials submitted during the application process is true, complete, and accurate to the best of my knowledge. I understand that any false, misleading, incomplete, or omitted information may result in disqualification from further consideration for employment or, if discovered after hire, disciplinary action up to and including termination of employment.

I authorize the Company to contact my former employers, educational institutions, references, and other sources to the extent permitted by applicable law for purposes of verifying the accuracy of the information provided in this application (and/or in my resume) and gathering information regarding my work performance, academic performance/credentials and qualifications for the position(s) for which I am applying.

I understand that submission of this application does not guarantee employment and does not create an employment contract. If hired, I understand that my employment will be at will, meaning that either I or the Company may terminate the employment relationship at any time, with or without notice and with or without cause, subject to applicable law.