InfoSec & IT Lead

Reposted 11 Days Ago
Hiring Remotely in New Orleans, LA, USA
In-Office or Remote
Senior level
Artificial Intelligence • Software
Turn insights into activation.
The Role
The Director of Information Security will lead the development of security architecture, manage compliance programs, oversee security operations, and handle IT operations for a small team while enhancing privacy and security practices.
Summary Generated by Built In

About RevOptimal:

RevOptimal is building the future of privacy-conscious identity resolution for advertising. Instead of relying on outdated identifiers like cookies, IP addresses, or device IDs, we resolve identity using deterministic, people-based signals to help advertisers reach real audiences with greater precision and confidence.

Our solutions power smarter audience targeting, cross-device attribution, and curated private marketplaces—helping brands and agencies make their data work harder.


The role:

We are hiring a hands-on InfoSec & IT Lead to design, operate, and mature a security, privacy and compliance program that protects our data, enables secure vendor & partner integrations, and keeps RevOptimal audit-ready for SOC 2 and other certifications. You will help design and build a secure cloud architecture, lead SOC 2 and ISO 27001:2022 readiness, drive Zero Trust adoption, own security operations and incident response, and be accountable for privacy compliance across US state laws and GDPR. The role also includes hands-on IT operations for a small company (<20 employees).


What you'll do:

Security strategy & architecture

  • Define and execute the company security strategy and roadmap across cloud, data, application, and infrastructure security.
  • Lead the design and pragmatic implementation of Zero Trust architecture principles (identity-centric controls, least-privilege access, micro-segmentation, device posture and conditional access).
  • Design and enforce secure cloud architecture patterns (AWS best practices for S3, IAM, KMS, VPCs, cross-account roles and clean-room integrations).
  • Implement secure key management, encryption at rest / in transit, and data classification & retention standards appropriate for sensitive data.

Compliance, GRC & Privacy (SOC 2, ISO 27001 & Data Privacy)

  • Own SOC 2 readiness, audit lifecycles and evidence automation.
  • Lead ISO 27001:2022 readiness and the ISMS lifecycle when appropriate (scoping, risk assessment & treatment, SoA, internal/external audits).
  • Own data privacy compliance frameworks across relevant regimes: US state privacy laws (e.g., CPRA/CCPA and other state statutes) and EU GDPR. Responsibilities include:
    • Maintain a comprehensive data map / Record of Processing Activities (RoPA) covering personal data flows, storage locations, retention and processors.
    • Run Data Protection Impact Assessments (DPIAs) for high-risk processing and partner integrations.
    • Operate a DSAR / DSR process (data subject access/deletion/portability requests) and ensure timely responses that meet legal deadlines.
    • Manage Data Processing Agreements (DPAs) and contractual privacy controls with vendors and partners.
    • Implement and enforce privacy-by-design/default controls and data minimization across technical and product solutions.
    • Ensure lawful cross-border data transfer mechanisms (e.g., SCCs, adequacy assessments, and technical safeguards) and document them appropriately.
  • Operate and maintain compliance automation tooling (e.g., Vanta) and privacy management tooling; track remediation and evidence collection.

Security operations & engineering

  • Build and operate detection & monitoring (centralized logging, alerting and lightweight SIEM).
  • Manage vulnerability scanning, third-party pen testing, remediation workflows and risk treatment.

Partner & cloud integrations

  • Secure onboarding and hardening of partner integrations (S3 buckets, IAM roles, cross-account access, clean-room patterns).
  • Assess and govern third-party security and privacy posture with technical and contractual controls.

IT operations & employee support

  • Manage day-to-day IT for a company of <20 people: device lifecycle (MDM), endpoint protection, SSO/MFA, Google Workspace/Slack/Atlassian administration, onboarding/offboarding and enforcement of 2FA.
  • Own vendor relationships for IT/security/privacy services and provide escalated IT support.

Team, communication & culture

  • Evangelize security and privacy across the company: training, phishing simulations, privacy awareness.
  • Report security and privacy KPIs to executives (SOC 2/ISO coverage, Zero Trust adoption, DSAR SLAs, MTTR).


Required Qualifications:

  • 6+ years of professional experience in information security, with at least 3 years in a leadership/managerial role.
  • Hands-on cloud security experience in AWS (S3, IAM, KMS, CloudTrail, CloudWatch, VPCs, cross-account roles).
  • Proven experience leading SOC 2 readiness and audit programs and operating compliance automation tools.
  • Practical experience implementing Zero Trust principles in cloud environments.
  • Practical experience with GDPR and with US state privacy laws (CCPA/CPRA and/or other modern state privacy statutes), including DSAR/DSR handling, DPIAs, RoPA, DPAs and breach notification processes.
  • Strong operational security capabilities (vulnerability management, IR, logging/monitoring, IAM, encryption).
  • Practical IT operations experience for small companies (MDM, SSO/MFA, onboarding/offboarding).
  • Excellent written and verbal communication skills.
  • Formal security certification preferred (CISSP, CISM).

Preferred / nice-to-have

  • Experience directly driving or supporting ISO 27001:2022 certification and managing an ISMS.
  • Privacy certifications: CIPP/US, CIPP/E or equivalent.
  • Experience designing and implementing Zero Trust at scale and familiarity with NIST SP 800-207.
  • Familiarity with privacy and governance tooling (OneTrust, TrustArc, BigID) and with SOC 2 automation (Vanta).
  • Infrastructure as code experience (Terraform/CloudFormation) and secure CI/CD pipelines.
  • Experience with global privacy topics (Schrems II implications, SCCs, adequacy) and with managing cross-border transfer risk.
  • Familiarity with CPRA, Virginia, Colorado, Connecticut, Utah privacy rules and breach notification regimes.

Tools & technical environment (what you’ll use)

  • Cloud: AWS — S3, IAM, KMS, CloudTrail, CloudWatch, Inspector/Inspector2, cross-account roles, clean-room patterns.
  • Compliance & privacy: Vanta (SOC 2 automation) and privacy management tools (OneTrust/TrustArc or equivalent) for RoPA/DPIAs/DSAR workflows.
  • Identity & Zero Trust tooling: SSO/IdP (Okta/AWS SSO), MFA/conditional access, ZTNA/SASE or equivalent.
  • Productivity & HR: Google Workspace, Slack, Atlassian (Jira/Confluence), Rippling.
  • Detection/EDR/SIEM: CloudWatch/CloudTrail, AWS Inspector/Inspector2, chosen EDR/SIEM tooling.

Top Skills

AWS
CloudFormation
Confluence
GCP
JIRA
MFA
Okta
OneTrust
Terraform
TrustArc
Vanta

The Company
HQ: New Orleans, LA
14 Employees
Year Founded: 2022

What We Do

Audience targeting and intelligence solutions that work. Exceptionally well. Audience targeting is often inefficient, incorrect, or incomplete. RevOptimal protects your media budget with fresh, verified, and complete personal and professional profiles for every strategy — allowing you to find and reach your audience confidently.
