Security Officer

We are seeking a Security Officer to lead security, privacy, and compliance for our SaaS products and the client projects we deliver as an agency. You will own this capability end to end, from new business through implementation, certification, and ongoing monitoring. This role is central to how we win and deliver projects, protect client and company data, and earn trust through clear, high quality security and privacy practices.

You will be responsible for audit readiness, ensuring applicable privacy requirements are met, and establishing the standards, processes, and tooling needed to run an effective security and privacy program.

• Leadership:

  lead our security program across SaaS products and client projects, setting strategy, priorities, and measurable outcomes

• Certifications:

  lead SOC 2 Type II, ISO 27001, and ISO 42001 readiness and ongoing compliance, including control design, evidence processes, and auditor coordination. Own ISMS and AI governance documentation and oversight

• Privacy:

  lead privacy governance and operational practices, ensuring compliance with applicable requirements including HIPAA, GDPR, and CCPA/CPRA, and addressing data handling, contractual privacy terms, and privacy by design expectations

• SDLC:

  partner with delivery teams to embed security and privacy into how we build, with clear expectations, practical review gates, and patterns for common risks (identity, access, data handling, multi-tenancy, logging, and auditability)

• Project Delivery:

  establish a repeatable client engagement security plan for client work (environment segregation, access provisioning and deprovisioning, client data handling, incident coordination, and delivery requirements)

• Third Party Risk:

  lead vendor security reviews, including due diligence for critical providers, remediation tracking, and ongoing monitoring

• Customer Assurance:

  support customer assurance efforts including security questionnaires, RFPs, client security reviews, and maintaining trust artifacts and standard responses

• Incident Response:

  maintain an incident response program (playbooks, escalation, exercises) and drive post incident improvements

• Culture:

  build a security and privacy culture through clear guidance, lightweight training, and day to day partnership with teams

• Experience:

  8+ years of progressive experience in information security, including leadership in SaaS and/or professional services environments

• Security Fundamentals:

  strong understanding of modern application and cloud security fundamentals (identity and access, encryption and key management, logging and monitoring, vulnerability management)

• Certifications:

  demonstrated ownership of SOC 2 Type II and ISO 27001 programs from readiness through steady state operations

• Privacy:

  strong working knowledge of privacy requirements and practices, including HIPAA, GDPR, and CCPA/CPRA, and experience operationalizing privacy controls in product and client delivery contexts

• Execution:

  experience building security and privacy processes that work in real delivery environments

• Communication:

  clear communication skills, able to represent security and privacy with internal teams, auditors, and client stakeholders with differing levels of technical fluency

• Distributed Teams:

  comfortable operating across a geographically dispersed organization and coordinating work across time zones

• Agency:

  experience in an agency or consulting environment supporting multiple client projects in parallel

• AI:

  experience supporting AI-enabled products and data flows, including model and data risk considerations and familiarity with ISO 42001

• Cloud:

  expertise in at least one major cloud platform (GCP, AWS, or Azure) and common SaaS security patterns

• Operations:

  experience with security monitoring, incident response, and vulnerability management programs in production environments

• Tooling:

  hands on experience with security tooling across CI/CD, cloud infrastructure, vulnerability scanning, and logging and monitoring workflows

• Certifications:

  relevant security and/or privacy certifications such as CISSP, CISM, CCSP, CIPP, CIPT

Born in 2001, Code and Theory is a digital-first creative agency that sits at the center of creativity and technology. We pride ourselves on not only solving consumer and business problems, but also helping to establish new capabilities for our clients. With a global client roster of Fortune 100s and start-ups alike, we crave the hardest problems to solve. With a remote-first approach to our people, we have teams distributed across North America, South America, Europe, and Asia. The Code and Theory global network of agencies is growing and includes Kettle, Instrument, Left Field Labs, Mediacurrent, Rhythm, and TrueLogic.

Striving never to be pigeonholed, we work across every major category: from tech to CPG, financial services to travel & hospitality, government and education to media and publishing. We value the collaboration with our client partners, including but not limited to Adidas, Amazon, Con Edison, Diageo, EY, J.P. Morgan Chase, Lenovo, Marriott, Mars, Microsoft, Thomson Reuters, and TikTok.

The Code and Theory network comprises nearly 2,000 people with 50% engineers and 50% creative talent. We’re always on the lookout for smart, driven, and forward-thinking people to join our team.