| Title: | Director of Information Security & Governance |
|---|---|
| ID: | 731228791 |
| Department: | Staff |
| Location: | Remote |
| Salary Range: | Estimated Salary of $175K - $250K; Any offered salary is determined based on internal equity, internal salary range, market data, applicant skills, relevant experience, degrees, or certifications. |
| Salary Range *Note*: | N/A |
| Workplace Type: | Remote |
The Director of Information Security & Governance is responsible for developing and leading a comprehensive program to protect the firm’s data, systems, and client confidentiality. This role ensures alignment with legal, regulatory, and client-driven requirements while supporting the secure and effective delivery of legal services. Reporting to the Chief Information Officer (CIO) and working closely with firm leadership, the Director oversees information security, data privacy, and IT governance initiatives across the organization.
Essential Job Functions
- Oversee the ongoing review, maintenance, and annual formal audit of the firm’s Information Security Policies and Procedures, ensuring timely updates to address evolving threats and regulatory changes.
- Partner with the CIO and firm leadership to identify gaps in security capabilities and define a strategic roadmap for maturing the information security program in alignment with business goals.
- Lead internal and client-driven security risk assessments, including penetration and vulnerability testing; collaborate with IT leadership to prioritize findings, assign remediation efforts, and ensure timely resolution.
- Coordinate responses to security questionnaires, RFPs, and audit requests, ensuring the delivery of accurate, timely, and professional information that reflects the firm’s security posture.
- Evaluate, deploy, and upgrade security technologies and continuity systems; assess the impact of new applications and infrastructure on the firm’s risk landscape in close coordination with IT stakeholders.
- Lead the development and execution of incident response protocols; manage communication across affected teams and leadership during incidents to ensure prompt escalation, containment, and resolution.
- Work with IT operations to maintain robust monitoring, logging, and alerting systems; ensure the integrity and performance of the firm’s security infrastructure.
- Monitor changes in laws and regulations impacting security practices and collaborate with firm counsel and the CIO to implement initiatives that ensure ongoing compliance.
- Lead efforts to evaluate, obtain, and maintain relevant industry certifications for the firm, such as ISO 27001, SOC 2, and HITRUST; collaborate with internal stakeholders and external auditors to ensure certification readiness and successful completion of audits.
- Collaborate with firm leadership, IT, and the Technology Education team to deliver security awareness programs, training modules, alerts, and internal communications that reinforce secure practices.
- Regularly analyze audit trails, system logs, and reports to detect anomalies; share findings and recommendations with senior leadership to inform decision-making and risk response.
- Stay abreast of emerging security threats, technologies, and legal developments; maintain professional networks and participate in external forums to benchmark best practices.
- Contribute to firm-wide initiatives, task forces, and project teams focused on risk management, policy development, and technology governance.
- Conduct or support investigations into policy violations, data breaches, or security incidents, ensuring findings are documented and communicated appropriately.
- Use internal and external threat intelligence sources to identify emerging risks and proactively inform mitigation strategies.
- Oversee security components of third-party service arrangements, including contract terms, service-level agreements, and risk evaluations.
- Provide subject matter expertise for firm and IT initiatives to ensure alignment with security policies and risk tolerance.
- Support ongoing information security and governance efforts as needed in alignment with the firm’s strategic objectives.
Minimum Job Qualifications
- Bachelor’s degree in Information Security, Computer Science, or a related field; equivalent experience considered. Master’s degree preferred.
- CISSP certification strongly preferred; additional certifications such as CISM, CISA, CRISC, ISO 27001 Lead Implementer, or HITRUST CCSFP are highly desirable.
- At least 10 years of progressive IT experience, including 5 years in an information security leadership role.
- Experience in a law firm or regulated industry is preferred.
- Strong knowledge of security frameworks and regulations including ISO 27001, NIST, SOC 2, HIPAA, SOX, and GDPR.
- Proven ability to align security strategy with business goals, lead cross-functional initiatives, and drive risk-based decision making.
- Experience developing and enforcing security policies, managing compliance efforts, and supporting audit readiness.
- Hands-on expertise with enterprise security architecture, access controls, endpoint protection, encryption, and identity management.
- Familiarity with security operations tools such as SIEM, DLP, EDR, MFA, and vulnerability management platforms.
- Experience securing hybrid and cloud environments (Microsoft 365, Azure, AWS), including implementation of native controls.
- Skilled in incident response, digital forensics, penetration testing, and remediation planning.
- Strong project management and vendor oversight capabilities, including budgeting and service-level management.
- Excellent communication skills, with the ability to explain technical risks to non-technical stakeholders and represent the firm in client audits and security assessments.
- High degree of discretion and professionalism in handling sensitive firm and client information.
This job description is intended to describe the general nature and level of the work being performed by employees in this job. It is not intended to be a complete list of all responsibilities, duties, and skills required for this job classification.
*This role can be performed in a remote or hybrid model. Candidate must live in a state in which Hinshaw has an office.
As an EOE/AA employer, Hinshaw & Culbertson LLP will not discriminate in its employment practices due to an applicant's age, race, color, religion, sex, sexual orientation, gender, gender identity, gender expression, national origin, protected veteran or disability status or any other factor prohibited by law.