Information Security Officer (ISO)

WORK WITH PURPOSE WorkBoard’s Strategy Execution Platform powers the digital operating rhythm for companies around the globe, providing organization-wide clarity, alignment, and insights for growth. AstraZeneca, Ford, 3M, Intel and many others rely on WorkBoard’s platform, playbook, and expertise to accelerate results by aligning OKRs, simplifying business reviews and scorecards, focusing weeklies on outcomes, and leveraging analytics – all with embedded AI. More than 15,000 people are certified in WorkBoard’s OKR coaching and Outcome Mindset Methodology™ which enables their organizations to quickly gain the agility OKRs can provide. Based in Silicon Valley and founded in 2013, WorkBoard investors include Andreessen Horowitz, SoftBank, Notable Capital, Workday Ventures, M12 (Microsoft), Intel Capital, Silicon Valley Bank, and Capital One. THE OPPORTUNITY As our information security officer, you’ll own and evolve WorkBoard’s security posture across our product, infrastructure, and organization. You will lead our compliance initiatives, manage responses to customer and prospect inquiries, and ensure security practices are embedded across teams — from engineering to operations. This is a high-impact role at the intersection of customer trust, product assurance, and operational excellence. Key Responsibilities Security & Compliance Operations • Lead and maintain ongoing SOC 2 Type II and ISO 27001 certification efforts, including audits, controls, evidence collection, and auditor coordination. • Own and continuously improve WorkBoard’s internal security policies, standards, and documentation (e.g., incident response plans, data retention, access management). • Drive regular internal risk assessments and coordinate remediation with engineering and DevOps. • Establish and monitor key security metrics and KPIs to guide program maturity and executive reporting. • Evaluate, procure, and manage security platforms and tools supporting visibility, detection, prevention, and response. • Own third-party vendor risk assessments and ongoing monitoring. Customer & Sales Support • Manage and respond to detailed security questionnaires from prospects and customers. • Participate in security-related meetings with customer/prospect InfoSec and procurement teams. • Provide clear, confident explanations of our security practices and controls to both technical and non-technical audiences. • Partner with Legal and Sales on data protection addenda (DPAs), Master Service Agreements (MSAs), and customer security commitments. Governance & Education • Maintain and update the company’s Information Security Management System (ISMS). • Conduct annual company-wide security training and awareness programs. • Monitor compliance with internal security policies across departments. • Champion a security-first culture by engaging regularly with team leads and department heads. • Conduct or facilitate tabletop exercises for incident response, including cross- functional readiness and communication protocols. Engineering Partnership • Work closely with security engineers to ensure product and infrastructure are continuously assessed for vulnerabilities (static/dynamic testing, dependency scanning, etc.). • Track, prioritize, and drive resolution of identified issues through to closure. • Contribute to secure SDLC practices and deployment pipeline hardening. • Collaborate on architecture reviews, threat modeling, and design-time security input. • Advise on data protection strategies, including encryption, access control, and secure data flows. Requirements Must-Have • 7+ years of experience in information security, including 2+ years driving compliance and audit initiatives (SOC 2, ISO 27001, or similar). • Deep understanding of cloud-native application security and SaaS architectures. • Experience managing security questionnaires and interfacing with enterprise security teams. • Strong knowledge of risk management, vulnerability management, access control, and incident response. • Excellent written and verbal communication skills — able to represent the company externally with confidence. • Demonstrated ability to influence without authority and drive cross-functional alignment around security objectives. • Experience with multi-tenant architecture, customer data isolation, and modern DevOps tooling. Nice-to-Have • Experience in a high-growth SaaS environment. • Familiarity with tools incl. OneTrust, Lacework, Wiz, Stackhawk, GitHub Advanced Security, or similar. • Relevant certifications: CISSP, CCSP, CISM, CISA, or ISO 27001 Lead Implementer/Auditor. • Experience with data privacy regulations (e.g., GDPR, CCPA) and their technical implementation implications. • Understanding of frameworks like NIST CSF, CIS Controls, or HITRUST. Apply tot his job