About Us:
At apexanalytix, we’re lifelong innovators! Since our founding nearly four decades ago, we have grown consistently, stayed profitable, and delivered the best procure-to-pay solutions to the world. We’re the perfect balance of established company and start-up. You will find a unique home here.
And you’ll recognize the names of our clients. Most of them are on The Global 2000. They trust us to give them the latest in controls, audit and analytics software every day. Industry analysts consistently rank us as a top supplier management solution, and you’ll be helping build that reputation.
Read more about apexanalytix - https://www.apexanalytix.com/about/
The Role:
The Manager of Information Security and Compliance operates and matures our company-wide security, risk, and compliance program across the US and Europe. You'll lead a small team, own the security budget, drive cloud and Kubernetes security, run our audit and certification programs, and bring innovative ideas that move our posture forward year over year.
The Work:
• Lead the information security and IT risk program; report posture, KPIs, and incidents to the CIO and senior leadership.
• Own Azure security — Defender for Cloud, Entra ID with Conditional Access policies (risk-based sign-in, device compliance, phishing-resistant MFA / FIDO2 / passkeys, session controls, break-glass hygiene) and PIM, Key Vault, and Azure Policy.
• Drive the Microsoft 365 Defender suite (MDE, MDO, MDI, MDCA), Microsoft Purview (DLP, Information Protection), and Microsoft Sentinel (SIEM/SOAR).
• Own Kubernetes and container security — admission control, image signing, runtime protection, secrets management — plus DevSecOps (SAST/DAST/SCA, IaC scanning, secure SDLC).
• Run a comprehensive SBOM program (SPDX / CycloneDX, VEX) and supply-chain controls aligned to SLSA and NIST SSDF.
• Own vulnerability management on Tenable (Tenable.io / sc / WAS) — scan coverage, SLA-driven remediation, EPSS / KEV-based prioritization, exception workflow.
• Drive web application security testing with Burp Suite Professional / Enterprise — authenticated scans, manual exploitation, API testing, and CI/CD integration; oversee external penetration testing engagements end-to-end (scoping, vendor management, finding triage, retesting, reporting).
• Run SOC 1 / SOC 2 Type II programs end-to-end with external auditors.
• Lead US regulatory compliance — SOX ITGC, HIPAA / HITECH, GLBA, CCPA / CPRA and other state privacy laws, NYDFS Part 500; track FedRAMP / StateRAMP readiness.
• Lead European compliance — EU and UK GDPR (DPIAs, ROPAs, SCCs / UK IDTA), NIS2, and DORA readiness for in-scope clients.
• Maintain alignment with NIST CSF 2.0, NIST 800-53, CIS Controls v8, and PCI DSS v4.0 where relevant.
• Own the vendor and client assurance function — TPRM, security questionnaires, RFPs, customer audits, and contract security clauses.
• Lead incident response and manage breach-notification timelines (SEC 8-K Item 1.05, HIPAA, NYDFS 72-hour, GDPR Article 33, NIS2).
• Own the annual security budget — CapEx/OpEx planning, vendor negotiation, ROI tracking, and 12/24/36-month capability roadmaps.
• Champion innovation — pilot AI-assisted SOC, autonomous pen testing, deception, ITDR, and CNAPP consolidation; run purple-team and tabletop exercises.
• Lead, coach, and grow a team of security and compliance analysts.
The Must-Haves:
• 8+ years across information security, risk, and IT, with direct people-management experience.
• Deep hands-on Azure security (Defender for Cloud, Entra ID Conditional Access design and tuning, PIM, Sentinel) and Microsoft 365 Defender / Purview.
• Practical Kubernetes / container security and DevSecOps experience.
• Hands-on Tenable vulnerability management at scale, plus Burp Suite Professional for web app and API penetration testing.
• SBOM and supply-chain security experience (SPDX / CycloneDX, SLSA, NIST SSDF).
• Track record leading SOC 1 / SOC 2 Type II and ISO 27001 cycles end-to-end.
• Working command of US (SOX, HIPAA, GLBA, CCPA/CPRA, NYDFS Part 500) and EU/UK (GDPR, NIS2, DORA) frameworks.
• Solid grounding in NIST CSF 2.0, NIST 800-53, CIS v8, and MITRE ATT&CK.
• Experience owning a security budget and negotiating with vendors.
• Incident response leadership across multiple US and EU jurisdictions.
• Strong executive communication — translating risk into business language.
• Bachelor's degree in CS, InfoSec, or a related field (or equivalent experience), plus CISSP, CISM, or CISA.
Preferred to Have:
• Cisco Umbrella DNS-layer security experience.
• FedRAMP / StateRAMP or HITRUST CSF program experience.
• Azure Security Engineer (AZ-500), Microsoft Cybersecurity Architect (SC-100), CCSP, or ISO 27001 Lead Auditor.
• CNAPP, ITDR, or deception technology experience.
• Familiarity with AI/ML governance (NIST AI RMF, ISO 42001, EU AI Act).
• Exposure to procure-to-pay, fintech, or supplier-data environments.
Over the years, we’ve discovered that the most effective and successful associates at apexanalytix are people who have a specific combination of values, skills, and behaviors that we call “The apex Way”. Read more about The apex Way - https://www.apexanalytix.com/careers/
Benefits
At apexanalytix we know that our associates are the reason behind our successes. We truly value you as an associate and part of our professional family. Our goal is to offer the very best benefits possible to you and your loved ones. When it comes to benefits, whether for yourself or your family, the most important aspect is choice. And we get that. apexanalytix offers competitive benefits for the countries that we serve, in addition to our BeWell@apex initiative that encourages employees’ growth in six key wellness areas: Emotional, Physical, Community, Financial, Social, and Intelligence.
With resources such as a strong Mentor Program, Internal Training Portal, plus Education, Tuition, and Certification Assistance, we provide tools for our associates to grow and develop.

Our Why
To positively impact the lives and careers of our associates, customers and partners.
How?
Lead a technology and audit services revolution, liberating customers to manage, monitor and innovate in their supplier relationships & transactions, their way.
With what?
A welcoming “you before me” apex culture made up of hungry, humble and smart professionals united around the values of performance, respect, candor and fun, delivering technology and services solutions that customers control – for good.
To create a future where there is…
FREEDOM from software tyrants that dictate solutions, so that the world’s buyers can build trust and innovate within their global supply chain processes without constraints.
apexanalytix delivers enterprise risk resolution with touchless onboarding, auto-acting risk management and profit recovery outcomes. Over 300 of the world’s largest companies protect more than $9T in annual spend with the apexanalytix platform. Powered by Private Generative AI, 100M+ golden records, and integrated global data sources, organizations collaborate with suppliers and customers to build trust, create value, and resolve complex risk. Founded in 1988, apexanalytix has a proven history of enterprise risk resolution. Visit www.apexanalytix.com for more information.
To support our commitment to innovation, we have built a highly experienced team of associates in key markets around the globe. Together we value performance, honor a diversity of perspectives, experiences and cultures, nurture candor, give back to the communities where we live and work, and have fun working together. For more information, visit www.apexanalytix.com or join our LinkedIn apexanalytix Community.