About RevOptimal

RevOptimal is building the future of privacy-conscious identity resolution for advertising. Instead of relying on outdated identifiers like cookies, IP addresses, or device IDs, we resolve identity using deterministic, people-based signals to help advertisers reach real audiences with greater precision and confidence. Our solutions power smarter audience targeting, cross-device attribution, and curated private marketplaces, helping brands and agencies make their data work harder.

The role

We are hiring a hands-on InfoSec & IT Lead to design, operate, and mature a security, privacy and compliance program that protects our data, enables secure vendor & partner integrations, and keeps RevOptimal audit-ready for SOC 2 and other certifications. You will help design and build a secure cloud architecture, lead SOC 2 and ISO 27001:2022 readiness, drive Zero Trust adoption, own security operations and incident response, and be accountable for privacy compliance across US state laws and GDPR. The role also includes hands-on IT operations for a small company (<20 employees).

What you'll do

Security strategy & architecture
- Define and execute the company security strategy and roadmap across cloud, data, application, and infrastructure security.
- Lead the design and pragmatic implementation of Zero Trust architecture principles (identity-centric controls, least-privilege access, micro-segmentation, device posture and conditional access).
- Design and enforce secure cloud architecture patterns (AWS best practices for S3, IAM, KMS, VPCs, cross-account roles and clean-room integrations).
- Implement secure key management, encryption at rest / in transit, and data classification & retention standards appropriate for sensitive data.

Compliance, GRC & Privacy (SOC 2, ISO 27001 & Data Privacy)
- Own SOC 2 readiness, audit lifecycles and evidence automation.
- Lead ISO 27001:2022 readiness and the ISMS lifecycle when appropriate (scoping, risk assessment & treatment, SoA, internal/external audits).
- Own data privacy compliance frameworks across relevant regimes: US state privacy laws (e.g., CPRA/CCPA and other state statutes) and EU GDPR. Responsibilities include:
  - Maintain a comprehensive data map / Record of Processing Activities (RoPA) covering personal data flows, storage locations, retention and processors.
  - Run Data Protection Impact Assessments (DPIAs) for high-risk processing and partner integrations.
  - Operate a DSAR / DSR process (data subject access/deletion/portability requests) and ensure timely responses that meet legal deadlines.
  - Manage Data Processing Agreements (DPAs) and contractual privacy controls with vendors and partners.
  - Implement and enforce privacy-by-design/default controls and data minimization across technical and product solutions.
  - Ensure lawful cross-border data transfer mechanisms (e.g., SCCs, adequacy assessments, and technical safeguards) and document them appropriately.
- Operate and maintain compliance automation tooling (e.g., Vanta) and privacy management tooling; track remediation and evidence collection.

Security operations & engineering
- Build and operate detection & monitoring (centralized logging, alerting and lightweight SIEM).
- Manage vulnerability scanning, third-party pen testing, remediation workflows and risk treatment.

Partner & cloud integrations
- Secure onboarding and hardening of partner integrations (S3 buckets, IAM roles, cross-account access, clean-room patterns).
- Assess and govern third-party security and privacy posture with technical and contractual controls.

IT operations & employee support
- Manage day-to-day IT for a company of <20 people: device lifecycle (MDM), endpoint protection, SSO/MFA, Google Workspace/Slack/Atlassian administration, onboarding/offboarding and enforcement of 2FA.
- Own vendor relationships for IT/security/privacy services and provide escalated IT support.

Team, communication & culture
- Evangelize security and privacy across the company: training, phishing simulations, privacy awareness.
- Report security and privacy KPIs to executives (SOC 2/ISO coverage, Zero Trust adoption, DSAR SLAs, MTTR).

Required Qualifications
- 6+ years of professional experience in information security, with at least 3 years in a leadership/managerial role.
- Hands-on cloud security experience in AWS (S3, IAM, KMS, CloudTrail, CloudWatch, VPCs, cross-account roles).
- Proven experience leading SOC 2 readiness and audit programs and operating compliance automation tools.
- Practical experience implementing Zero Trust principles in cloud environments.
- Practical experience with GDPR and with US state privacy laws (CCPA/CPRA and/or other modern state privacy statutes), including DSAR/DSR handling, DPIAs, RoPA, DPAs and breach notification processes.
- Strong operational security capabilities (vulnerability management, IR, logging/monitoring, IAM, encryption).
- Practical IT operations experience for small companies (MDM, SSO/MFA, onboarding/offboarding).
- Excellent written and verbal communication skills.
- Formal security certification preferred (CISSP, CISM).

Preferred / nice-to-have
- Experience directly driving or supporting ISO 27001:2022 certification and managing an ISMS.
- Privacy certifications: CIPP/US, CIPP/E or equivalent.
- Experience designing and implementing Zero Trust at scale and familiarity with NIST SP 800-207.
- Familiarity with privacy and governance tooling (OneTrust, TrustArc, BigID) and with SOC 2 automation (Vanta).
- Infrastructure as code experience (Terraform/CloudFormation) and secure CI/CD pipelines.
- Experience with global privacy topics (Schrems II implications, SCCs, adequacy) and with managing cross-border transfer risk.
- Familiarity with CPRA, Virginia, Colorado, Connecticut, Utah privacy rules and breach notification regimes.

Tools & technical environment (what you'll use)
- Cloud: AWS (S3, IAM, KMS, CloudTrail, CloudWatch, Inspector/Inspector2, cross-account roles, clean-room patterns).
- Compliance & privacy: Vanta (SOC 2 automation) and privacy management tools (OneTrust/TrustArc or equivalent) for RoPA/DPIAs/DSAR workflows.
- Identity & Zero Trust tooling: SSO/IdP (Okta/AWS SSO), MFA/conditional access, ZTNA/SASE or equivalent.
- Productivity & HR: Google Workspace, Slack, Atlassian (Jira/Confluence), Rippling.
- Detection/EDR/SIEM: CloudWatch/CloudTrail, AWS Inspector/Inspector2, chosen EDR/SIEM tooling.