Umbra is an American space technology company delivering advanced systems, from sensors to spacecraft, that empower customers worldwide with unmatched access to critical information from space. Our mission is simple and ambitious: redefine space—for people, systems, and missions in every domain. Umbra’s ecosystem operates through three business units: Remote Sensing (the data), Space Systems (the components), and Mission Solutions (the platforms). Together, our teams develop capabilities that deliver persistent access, resilient performance, and mission-ready solutions, advancing U.S. space leadership while keeping the world safe and informed.
About the Job
We are looking for a Director of Information Security who will lead our information security strategy and operations, ensuring that our systems and data are safeguarded against evolving threats. The Director exercises sound judgement in the face of ambiguity and competing priorities, setting clear organizational direction while empowering functional leads to execute with confidence. Equally critical is the ability to communicate complex security matters (risk postures, threat landscapes, and architectural decisions) with clarity and conviction to audiences ranging from technical teams to executive leadership and regulators. This pivotal role involves developing and managing robust security protocols and policies, overseeing compliance with industry standards and regulations, and leading our team of security professionals. If you are a strategic thinker with a strong background in information security and a passion for protecting innovative technologies, we would love to hear from you!
This position is based on-site in our Arlington, VA office.
Key Responsibilities
Digital Trust & Governance
- Manage and continuously mature the enterprise information security governance framework, ensuring policies, standards, and controls remain relevant, enforceable, and aligned with business risk appetite and regulatory obligations.
- Lead the development and maintenance of a comprehensive risk management program, including regular risk assessments, treatment plans, risk acceptance processes, and risk reporting to senior leadership.
- Oversee compliance posture across applicable regulatory regimes (e.g., NIST 800-171 & CMMC) and support relationships with external auditors, assessors, and regulators with professionalism and transparency.
- Develop and operationalize a third-party and supply chain risk management program, including vendor due diligence frameworks, contractual security requirements, and ongoing monitoring practices.
- Support the organization's digital trust agenda by embedding resiliency-by-design, data classification, and information lifecycle management principles across relevant teams and functions.
- Develop and maintain meaningful security metrics and KPIs that communicate program health, risk reduction trends, and investment effectiveness to senior leadership.
- Manage the security policy exception process, ensuring deviations are risk-informed, time-bound, and properly authorized.
Cyber Threat Operations
- Provide operational direction for threat detection, monitoring, and response capabilities, including Security Operations Center (SOC) functions, SIEM/SOAR platforms, and threat intelligence programs.
- Lead the enterprise incident response program, ensuring documented playbooks, defined escalation paths, clear roles and responsibilities, and regular tabletop exercises that prepare teams for real-world scenarios.
- Oversee threat intelligence collection, analysis, and dissemination, ensuring actionable intelligence drives proactive defense and informs leadership decision-making during periods of elevated threat activity.
- Direct the vulnerability management lifecycle from identification through remediation, driving accountability across technology owners while balancing operational risk and resource constraints.
- Manage the red team and adversarial simulation program, leveraging findings to validate defensive controls, identify blind spots, and prioritize security improvements.
- Serve as a key point of accountability during significant security incidents, providing steady leadership, coordinating cross-functional response activities, and supporting timely stakeholder communications.
- Ensure threat operations capabilities are continuously calibrated against the current threat landscape, positioning the organization to detect, contain, and recover from sophisticated adversaries.
Systems Security Engineering, Platform Resilience & Operations
- Provide oversight of security architecture and engineering practices, ensuring secure design principles are embedded throughout the systems development lifecycle and infrastructure modernization programs.
- Embrace and promote the Distributed, Immutable, Ephemeral (DIE) model as a foundational resilience principle, ensuring resilience is considered in system design decisions.
- Champion the security of manufacturing, on-premise, and cloud platforms, ensuring appropriate segmentation, hardening, and continuous configuration compliance monitoring are in place.
- Partner with IT and engineering leadership to embed resilience by design, ensuring that recovery time objectives, recovery point objectives, and business continuity requirements are reflected in platform architecture decisions.
- Support the enterprise technology resilience/P.A.C.E program, ensuring that security and resilience controls extend through and do not impede continuity and resiliency scenarios.
- Oversee endpoint, network, application, and data security engineering functions, balancing protection effectiveness with operational performance and user experience.
- Work in partnership with infrastructure and operations teams to ensure platform availability and operational resilience are treated as security outcomes, maintaining availability standards consistent with organizational risk tolerance.
Leadership, Judgement & Communication
- Program Leadership — Develops and executes a clear roadmap for the information security program aligned to organizational priorities. Models consistent, values-based leadership and maintains composure in high-pressure or ambiguous situations.
- Sound Judgement & Risk Acuity — Applies structured, evidence-based reasoning to complex security decisions. Demonstrates mature risk judgement — neither defaulting to excessive caution nor dismissing threats — and remains accountable for outcomes.
- Communication — Communicates the organization's risk posture, threat environment, and security program status with clarity and appropriate context for both technical and non-technical audiences. Prepares security briefings and reporting for senior leadership, translating technical complexity into business-relevant narrative.
- Stakeholder Collaboration — Operates as a collaborative partner across IT, Legal, Risk, HR, Audit, and Operations. Builds strong working relationships and advances the security agenda through influence and credibility, recognizing that sustainable security is a shared organizational responsibility.
- People Leadership & Talent Development — Attracts, develops, and retains high-performing security professionals. Fosters a team culture grounded in intellectual curiosity, continuous learning, psychological safety, and shared accountability. Actively mentors and develops team members across all three pillar functions.
- Incident Leadership — Leads the security team through incidents with composure and sound judgement. Supports timely, accurate, and appropriately calibrated communications to relevant stakeholders in coordination with senior leadership.
Requirements
Required Qualifications
- 10+ years of experience in information security or a related field, with 5+ years in a leadership role.
- Deep understanding of data security principles, risk management practices, and cybersecurity frameworks.
- Proven track record of building and managing comprehensive information security programs within complex organizations.
- Expertise in U.S. Government compliance frameworks, including NIST, CMMC, and other federal regulations.
- Strong analytical and problem-solving skills, with the ability to manage unforeseen security challenges effectively.
- Exceptional communication skills, both verbal and written, to convey security policies and practices to diverse audiences.
- Strong project management skills, with experience leading cross-functional teams towards shared security objectives.
- Experience with cloud security practices and technologies, particularly in managing SaaS, IaaS, and PaaS environments.
- Experience handling security incidents and developing incident response plans.
Desired Qualifications
- Bachelor's or Master's degree in Computer Science, Cybersecurity, or a related field.
- 15+ years of experience in information security or a related field, with 7+ years in a leadership role.
- Experience in the aerospace, defense, or satellite technology sectors is highly desirable.
- Proven experience in fostering a security-first culture within an organization.
- Understanding of software development lifecycle (SDLC) and DevSecOps practices.
Benefits
- Flexible Time Off, Sick, Family & Medical Leave
- Medical, Dental, Vision, Life, LTD, STD (employer funded)
- Vol Life, Critical Illness, Accidental, Hospital Indemnity, Pet Insurance (employee funded)
- 401k with 3% non-elective company contribution
- Stock Options
- Free parking in office building or Transit is reimbursed
- Free lunch daily in office
Umbra is an Equal Opportunity Employer. We do not discriminate in hiring on the basis of sex, gender identity, sexual orientation, race, color, religious creed, national origin, physical or mental disability, protected veteran status, or any other characteristic protected by federal, state, or local law.
Employment Eligibility Verification
In compliance with federal laws, all hired persons will be required to verify their identity and eligibility to work in the United States by completing the required Employment Eligibility Verification Form (I-9 Form) upon hire.
ITAR/EAR Requirements
This position may include access to technology and/or data that is subject to U.S. export controls pursuant to ITAR and EAR. To comply with federal export controls, all persons hired must be a U.S. citizen, U.S. national, U.S. lawful permanent resident, refugee or asylee as defined by 8 U.S.C. § 1324b(a)(3), or must otherwise be eligible to obtain the required authorizations from the U.S. Department of State and/or U.S. Department of Commerce as applicable.
Pay Transparency
This job posting may cover multiple career levels. To ensure greater transparency, we provide base salary ranges for all roles, regardless of location. Our standard pay ranges are based on the role’s function and level, benchmarked against similar growth-stage companies. Compensation may vary based on geographical location, as certain regions may have different cost-of-living factors. The final offer will also be influenced by the candidate's skills, responsibilities, and relevant experience.
Compensation Range
The Compensation Range for this role is $220,000 - $250,000 DOE.