Director of Information Security

NEPC Careers
Boston, Massachusetts


Job Description

Experience Level: 12-15 years
Location: Boston, MA

Position Overview:

The Director of Information Security will lead NEPC’s information security operations, shaping and executing strategies to protect systems, data, and client trust. This role blends strategic leadership, hands-on execution, and business-aligned risk management. The ideal candidate will be an articulate, business-savvy communicator who can engage with diverse stakeholders, from executive leadership and auditors to technical teams and client-facing teams.

This position will interface directly with Risk Committees, Compliance leadership, Technology Operations, Technology leadership, and external auditors, and must possess the presence, clarity, and discretion to influence at the highest levels.

Key Responsibilities:

Security Strategy, Operations & Compliance

  • Implement and maintain a firmwide security program tailored to business and regulatory requirements.
  • Translate enterprise-level security strategies into practical execution plans aligned with firm needs.
  • Develop and adapt information security policies that address current risks and regulatory expectations (SEC, RIA).
  • Ensure efficient day-to-day security operations and establish measurable KPIs (e.g., incident response time, control effectiveness).
  • Lead internal and external audit readiness; represent Information Security during audits, exams, and due diligence.

Risk Management & Incident Response

  • Lead proactive risk assessments and drive mitigation planning for both technical and business risks.
  • Oversee threat detection, incident triage, response, and post-incident review activities.
  • Document and present risk posture, security metrics, and control effectiveness to executive and risk committees.

Stakeholder Engagement & Business Enablement

  • Serve as the primary security liaison to Risk Committees, Compliance, Legal, and the broader business.
  • Respond to security inquiries from clients, prospects, regulators, and external partners.
  • Interface directly with financial advisors and leadership to align security with business goals.
  • Simplify complex security topics into business-aligned narratives for diverse audiences.
  • Foster a culture of security awareness through targeted education programs.

Leadership, Collaboration & Strategic Alignment

  • Partner with the CTO and enterprise security team to align local security programs with broader enterprise goals.
  • Mentor and lead internal security and risk resources to build internal expertise.
  • Contribute to budgeting, roadmap planning, and the prioritization of security initiatives.
  • Participate in industry discussions and forums to stay ahead of evolving threats.

Qualifications:

  • 12-15 years of progressive experience in cybersecurity, including 5+ years in a security leadership role.
  • Experience working within financial services, ideally in an SEC-regulated environment, playing a leading role in building an information security program.
  • Proven experience preparing for and leading regulatory audits, exams, and risk committee presentations.
  • Deep knowledge of cybersecurity frameworks (e.g., NIST CSF, CIS Controls, ISO 27001).
  • Demonstrated success translating technical risk into business impact for senior stakeholders.
  • Bachelor's degree in Computer Science, Information Security, or related discipline; advanced degree a plus.
  • Required certifications: CISSP, CISM, or CRISC.

Interpersonal Competencies:

  • Ability to brief C-level audiences and boards with confidence and clarity.
  • Strong interpersonal and influencing skills; able to navigate complex stakeholder dynamics.
  • High emotional intelligence and ability to adapt communication styles for different personalities.
  • Strong business acumen and the ability to align security priorities with organizational goals.
  • Track record of building trusted relationships across business, compliance, and technology teams.

Success Measures:

  • No significant findings in regulatory or compliance audits.
  • Timely and effective incident detection and resolution.
  • Security program maturity growth year-over-year.
  • Timely remediation of vulnerabilities.
  • Improved metrics in security awareness and phishing simulations.
  • Positive stakeholder feedback and support for security initiatives.

Company Background:

NEPC, LLC is a full-service investment consulting firm based in Boston, Massachusetts. We were founded in 1986 and now have approximately 375 employees and over 400 clients. We help governments, institutions, families, and individuals preserve and grow their capital across different asset classes and market cycles. We provide a variety of consulting services such as asset allocation, performance measurement, policy formulation, investment manager research, and discretionary portfolio management. Our clients include defined benefit, defined contribution, endowments, foundations, trusts, public, corporate, Taft-Hartley, health & welfare, high net worth, insurance, and private plans.

Culture is important to us here at NEPC – our values include putting clients first, doing the right thing, bringing your whole self to work, building trust, embracing change, and having a “we before me” approach in our work. Advancing diversity and inclusion within our firm and industry is also a core initiative at NEPC. We are a strong advocate of promotion from within, so excellent potential exists for professional growth. We’re a fun (but demanding) company with excellent working conditions, a very supportive, team-oriented environment, and a full benefits program to support your life and well-being. We offer a competitive salary and bonuses (when applicable).

NEPC is an Affirmative Action/Equal Opportunity Employer (July 2025)
