Data Security Compliance Director
Syllo is on a mission to transform litigation. Our product is an AI-powered litigation workspace that enables lawyers and paralegals to safely harness the power of language models throughout the litigation life cycle. We're looking for a Data Security Compliance Director who will own the compliance-side and business operations related to Company's data security function.
About the role
Syllo is a legal technology company building infrastructure that law firms and legal teams trust with sensitive data.Compliance isn't a checkbox here — it's a product feature.We're looking for a Data Security Compliance Director to own our certification programs, manage vendor security relationships and processes, own the accurate and timely completion of our security disclosures in the sales context, and keep our posture audit-ready year-round.This role sits at the intersection of compliance and engineering.
While this role does not own the security of our technical stack from an engineering perspective, you will work directly with technical teams to implement controls, close evidence gaps, and translate technical postures and requirements into concrete and well communicated action.
Responsibilities
- ISO 27001. Maintain and continuously improve our Information Security Management System. Manage internal audits, corrective actions, and annual surveillance cycles through Vanta.
- SOC 2 Type II. Coordinate evidence collection, liaise with external auditors, and drive remediation across engineering and operations.
- Vendor security. Lead vendor security assessments, manage VSQ responses (inbound and outbound), and maintain a tiered vendor risk register.
- Policy and controls. Author, review, and update security policies, standards, and control mappings across frameworks. Maintain alignment as the business scales.
- Technical guidance. Engage directly with engineering on control implementation — access reviews, logging pipelines, encryption configuration, and infrastructure hardening.
- Customer-facing compliance. Respond to customer security questionnaires and due diligence requests. Represent Syllo's security posture in enterprise sales conversations.
- Risk management. Run the formal risk assessment process. Identify gaps, assign ownership, and track remediation to closure.
- Awareness. Coordinate security awareness training and phishing simulation programs.
- Automation. Work with our Operations Engineering team and broader leadership to design and implement effective automations for as much of the security stack and responsibilities as can be automated.
What we're looking for
Experience
- 5+ years in information security compliance, GRC, or a closely related function
- Hands-on experience managing ISO 27001 and SOC 2 audits — not just supporting them
- Direct experience working with engineering teams on control implementation, log configuration, access reviews, or infrastructure hardening
- Direct experience responding to and issuing VSQs and security questionnaires
- Demonstrated technical experience and fluency
- Familiarity with vendor risk management programs and tiering methodologies
Knowledge
- Working knowledge of common control frameworks: ISO 27001, SOC 2, NIST CSF, CIS Controls
- Hands-on experience with Vanta or a comparable GRC platform (Drata, Secureframe, Tugboat Logic) — we run ISO 27001 and SOC 2 through Vanta and you'll live in it daily
- Cloud IAM and access control models, logging and monitoring pipelines (CloudTrail, SIEM fundamentals), endpoint management, and encryption at rest and in transit
- Working knowledge of cloud-native environments (AWS, GCP, or Azure) and how controls apply in practice
- Familiarity with legal or regulated-industry data requirements is a plus
Skills
- Clear written communication — you'll be writing policies, audit responses, and customer-facing materials
- Technically fluent enough to engage in and evaluate critically architecture reviews and engineering threads, evaluate proposed control fixes, and identify gaps that a purely compliance-focused lens would miss
- Organized under pressure — audit cycles don't move, and you'll manage multiple workstreams simultaneously
- Collaborative — compliance happens through engineering, legal, and operations, not around them
Credentials (one or more preferred)
- CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor, or equivalent
- Candidates with a technical background (engineering, infrastructure, DevSecOps) who have moved into GRC are strongly encouraged to apply.
Compensation and benefits
Base salary $140,000–$175,000, commensurate with experience. Equity participation. 100% remote — work from anywhere in the US. Health, dental, and vision coverage. Vacation, Sick, Paid Holidays
Data Security Compliance Director
Syllo is on a mission to transform litigation. Our product is an AI-powered litigation workspace that enables lawyers and paralegals to safely harness the power of language models throughout the litigation life cycle. We're looking for a Data Security Compliance Director who will own the compliance-side and business operations related to Company's data security function.
About the role
Syllo is a legal technology company building infrastructure that law firms and legal teams trust with sensitive data.Compliance isn't a checkbox here — it's a product feature.We're looking for a Data Security Compliance Director to own our certification programs, manage vendor security relationships and processes, own the accurate and timely completion of our security disclosures in the sales context, and keep our posture audit-ready year-round.This role sits at the intersection of compliance and engineering.
While this role does not own the security of our technical stack from an engineering perspective, you will work directly with technical teams to implement controls, close evidence gaps, and translate technical postures and requirements into concrete and well communicated action.
Responsibilities
- ISO 27001. Maintain and continuously improve our Information Security Management System. Manage internal audits, corrective actions, and annual surveillance cycles through Vanta.
- SOC 2 Type II. Coordinate evidence collection, liaise with external auditors, and drive remediation across engineering and operations.
- Vendor security. Lead vendor security assessments, manage VSQ responses (inbound and outbound), and maintain a tiered vendor risk register.
- Policy and controls. Author, review, and update security policies, standards, and control mappings across frameworks. Maintain alignment as the business scales.
- Technical guidance. Engage directly with engineering on control implementation — access reviews, logging pipelines, encryption configuration, and infrastructure hardening.
- Customer-facing compliance. Respond to customer security questionnaires and due diligence requests. Represent Syllo's security posture in enterprise sales conversations.
- Risk management. Run the formal risk assessment process. Identify gaps, assign ownership, and track remediation to closure.
- Awareness. Coordinate security awareness training and phishing simulation programs.
- Automation. Work with our Operations Engineering team and broader leadership to design and implement effective automations for as much of the security stack and responsibilities as can be automated.
What we're looking for
Experience
- 5+ years in information security compliance, GRC, or a closely related function
- Hands-on experience managing ISO 27001 and SOC 2 audits — not just supporting them
- Direct experience working with engineering teams on control implementation, log configuration, access reviews, or infrastructure hardening
- Direct experience responding to and issuing VSQs and security questionnaires
- Demonstrated technical experience and fluency
- Familiarity with vendor risk management programs and tiering methodologies
Knowledge
- Working knowledge of common control frameworks: ISO 27001, SOC 2, NIST CSF, CIS Controls
- Hands-on experience with Vanta or a comparable GRC platform (Drata, Secureframe, Tugboat Logic) — we run ISO 27001 and SOC 2 through Vanta and you'll live in it daily
- Cloud IAM and access control models, logging and monitoring pipelines (CloudTrail, SIEM fundamentals), endpoint management, and encryption at rest and in transit
- Working knowledge of cloud-native environments (AWS, GCP, or Azure) and how controls apply in practice
- Familiarity with legal or regulated-industry data requirements is a plus
Skills
- Clear written communication — you'll be writing policies, audit responses, and customer-facing materials
- Technically fluent enough to engage in and evaluate critically architecture reviews and engineering threads, evaluate proposed control fixes, and identify gaps that a purely compliance-focused lens would miss
- Organized under pressure — audit cycles don't move, and you'll manage multiple workstreams simultaneously
- Collaborative — compliance happens through engineering, legal, and operations, not around them
Credentials (one or more preferred)
- CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor, or equivalent
- Candidates with a technical background (engineering, infrastructure, DevSecOps) who have moved into GRC are strongly encouraged to apply.
Compensation and benefits
Base salary $140,000–$175,000, commensurate with experience. Equity participation. 100% remote — work from anywhere in the US. Health, dental, and vision coverage. Vacation, Sick, Paid Holidays
