Director, IT Security
Cozen O'Connor

Philadelphia, Pennsylvania


Job Description

The Director, IT Security is a new, hands-on leadership role responsible for both the strategic direction of information security firm-wide and the day-to-day operation of the security function. You will lead and grow a Security Operations team (currently a manager and two security engineers) while remaining personally engaged in technical work - this is a player-coach role, not a purely managerial one.

You will lead the firm's security posture across a hybrid environment that includes a legacy data center backbone and a substantial Microsoft 365 and Azure footprint. Working in close partnership with the other IT Directors, you will ensure that our business systems, endpoints, custom software development, and AI systems are all designed, built, and deployed according to the highest industry standards. Working with the Director of IT Risk/Audit - who owns the firm's ISO 27001, SOC 1, and SOC 2 Type II certification programs - you will ensure the security controls underpinning those certifications are operating effectively. As the firm and its clients increasingly adopt artificial intelligence tools, you will also define and lead the firm's approach to AI security, including the risks posed by agentic AI systems and AI access to firm and client data. The Director will represent the firm's security program and standards to clients, auditors, and vendors.

Responsibilities

Strategy and Governance

  • Design and execute a multi-year information security strategy aligned with firm objectives and the legal industry threat landscape, including a forward-looking framework for managing AI-related security and data risk.
  • Establish and publish firm-wide security standards that peer IT Directors apply to their respective domains - business systems, endpoints, custom software development, and AI deployments - ensuring consistent baseline security across all technology disciplines.
  • Partner with the Director of IT Risk/Audit to support the firm's ISO 27001, SOC 1, and SOC 2 Type II programs - implementing and operating required controls, providing technical evidence during audits and monthly metrics, and remediating findings.
  • Develop, maintain, and enforce security policies, standards, and procedures across all 33 offices, including policies governing the use of AI tools and agentic systems and their access to firm and client data.
  • Advise the CIO and firm leadership on security risk, budget priorities, and emerging threats - including the evolving risk landscape associated with generative AI and agentic AI adoption.
  • Respond to client security questionnaires, outside counsel guidelines, and audits; present the firm's security posture credibly to client security teams.


Security Operations (Hands-On)
  • Direct daily security operations: monitoring, detection, triage, vulnerability management, and incident response. Serve as senior escalation point and lead incident response when it counts.
  • Personally engineer and tune security controls across Microsoft 365 and Azure (Defender XDR, Sentinel, Entra ID, Purview, Conditional Access, Intune) and the firm's on-premises data center infrastructure.
  • Own endpoint security strategy and operations across all firm device types - including policy enforcement, EDR tooling, patch management posture, and mobile device management in coordination with the relevant IT Directors.
  • Partner with the Director of Software Development to embed application security into the firm's custom software development lifecycle - including secure coding standards, SAST/DAST tooling, code review security requirements, and pre-deployment security sign-off.
  • Manage identity and access governance, privileged access, and zero-trust adoption across the hybrid environment - extending those controls to cover AI agents and AI-integrated applications accessing firm systems and data.
  • Evaluate and govern the security posture of AI tools and agentic systems deployed or evaluated by the firm, including data access controls, prompt injection risks, output handling, and audit logging.
  • Oversee third-party security tooling and managed service relationships; evaluate, select, and rationalize the security stack.
  • Run the firm's security awareness, phishing simulation, and training programs, including awareness content specific to AI-related threats and safe AI use.


Leadership
  • Lead, mentor, and develop the Security Operations team; build the function's capability, automation, and headcount case as the firm grows.
  • Serve as a peer leader and primary security authority within the IT Director team - collaborating across infrastructure, applications, software development, and practice-support disciplines to ensure security is a shared standard, not a gate at the end of delivery.
  • Partner with the IS Project Management Office to embed security in projects from the start and certify services are ready for deployment.
  • Coordinate with the Director of IT Risk/Audit, General Counsel, Risk, and Compliance on data protection obligations across US, Canadian, and UK jurisdictions (including GDPR/UK GDPR and state privacy laws).


Qualifications

Required
  • 10+ years of progressive information security experience, including 5+ years leading security teams, with demonstrated success as a hands-on technical leader.
  • Bachelor's degree in computer science, information security, or a related field.
  • CISSP required; additional certifications such as CISM, CCSP, GIAC (e.g., GSEC, GCIH), or Microsoft security certifications (SC-100, SC-200) strongly preferred.
  • Direct experience operating security controls within ISO 27001, SOC 1, and SOC 2 Type II certified environments, including supporting successful audits.
  • Deep technical proficiency securing Microsoft 365 and Azure environments, plus experience securing traditional on-premises data center infrastructure (network, firewall, server, storage).
  • Hands-on endpoint security experience - EDR platforms, device policy enforcement, patch posture management, and mobile device/BYOD controls at enterprise scale.
  • Application security / DevSecOps experience: integrating security into custom software development lifecycles through secure coding standards, SAST/DAST tooling, and developer-facing security requirements.
  • Demonstrated understanding of AI security risk, including the security and data governance implications of agentic AI systems, large language model (LLM) integrations, and AI access to enterprise data stores and data warehouses.
  • Proven incident response leadership - you have run real incidents, not just tabletop exercises.
  • Experience presenting security programs to external parties (clients, auditors, regulators) with confidence and credibility.
  • Ability to work on site in Philadelphia at least 3 days per week.


Preferred
  • Master's degree in cybersecurity, information systems, or business administration.
  • Experience in legal, professional services, or another client-confidentiality-driven industry.
  • Hands-on experience developing or enforcing AI security policies, including controls around AI agent permissions, data access scoping, and AI supply chain risk.
  • Experience managing security across multinational operations (US, Canada, UK) and associated regulatory regimes.
