HEAD OF INFORMATION SECURITY at Sportsmans Warehouse
West Jordan, UT 84088, USA - Full Time


Start Date

Immediate

Expiry Date

10 Sep, 25

Salary

180000.0

Posted On

11 Jun, 25

Experience

3 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

No

Skills

Computer Science, Access, Decision Making, Security Tools, Information Systems, Interpersonal Skills, eCommerce, CISA, Risk, Leadership, Firewalls, Enterprise, IT Risk Management, CISSP, Security Operations, Security Controls, Regulatory Standards, Incident Response

Industry

Information Technology/IT

Description

JOB SUMMARY:

Sportsman’s Warehouse, a Utah-based omni-channel retailer, is seeking a Head of Information Security to lead our enterprise cybersecurity and information risk program. This Director-level role is responsible for developing and executing a comprehensive security strategy that protects the company’s data, systems, and customer information across all retail and e-commerce operations. Reporting to the Chief Information Officer (CIO), the Head of Information Security focuses on cybersecurity (not physical security) and serves as the organization’s top advisor on information protection and compliance matters. Key priorities for the coming year include strengthening security compliance (e.g. SOX, PCI-DSS), enhancing Governance, Risk, and Compliance (GRC) processes, improving intrusion detection and incident response capabilities, and advancing business continuity and disaster recovery readiness. The successful candidate will combine strategic leadership with hands-on expertise to embed security throughout the business in a cost-effective, business-aligned manner, ensuring that legal, regulatory, and operational risks are properly identified and mitigated in line with corporate objectives.

QUALIFICATIONS:

  • 10+ years of InfoSec experience across retail, eCommerce, or similar industries, with at least 3 years at Director level or above
  • Bachelor’s degree in Computer Science, Information Systems, Cybersecurity or a related field (or equivalent additional years of experience). CISSP, CISM, CISA preferred.
  • Retail and eCommerce experience strongly preferred.

SKILLS AND COMPETENCIES:

  • Experience: Extensive professional experience in information security and IT risk management, including demonstrated success in leading cybersecurity teams or programs at the enterprise level
  • Security Knowledge: Strong understanding of information security principles, practices, and frameworks (e.g. NIST Cybersecurity Framework, ISO/IEC 27001) as well as applicable regulatory standards and laws (such as PCI-DSS and Sarbanes-Oxley). In-depth knowledge of governance, risk, and compliance processes and the ability to interpret and apply security policies and controls to meet these standards.
  • Technical Expertise: Demonstrated expertise in key security domains and technologies – including risk assessment, incident response, security operations (SIEM/SOC monitoring, intrusion detection systems), identity and access management, and cloud security controls. Broad familiarity with enterprise IT infrastructure and security tools (firewalls, anti-malware, encryption, identity management systems, etc.), across on-premises and cloud environments.
  • Leadership & Communication: Excellent leadership, communication, and interpersonal skills, with the ability to articulate cybersecurity risks, requirements, and strategies in clear business terms to both technical and non-technical audiences (including executives and board members). Proven ability to collaborate across teams and influence stakeholders to achieve security objectives.
  • Analytical Skills: Strong analytical and problem-solving abilities with keen attention to detail, capable of evaluating complex security issues to identify root causes and effective solutions. Solid project management skills to oversee multiple security initiatives and drive them to completion in a fast-paced environment.
  • Results Orientation: Track record of executing security improvements and effectively mitigating risks. Ability to define and monitor relevant security KPIs (e.g. incident rates, compliance metrics, mean time to resolution) and use data to inform decision-making and continuous improvement.

RESPONSIBILITIES:

  • Security Strategy & Governance: Improve and evolve an organization-wide information security strategy and roadmap aligned with business goals and evolving threats. Establish and maintain security policies, standards, and procedures, and define multi-year plans to mature the company’s security posture.
  • Regulatory Compliance & Risk Management: Lead the enterprise GRC program, ensuring security controls and processes meet all relevant regulatory and industry standards (such as PCI-DSS for payment security and SOX for financial controls). Oversee regular security risk assessments across all business units and compliance audits, driving prompt remediation of findings to maintain a high compliance rate and minimize audit issues (e.g. reducing PCI or SOX findings).
  • Security Operations & Intrusion Detection: Oversee day-to-day security operations, including management of Security Information and Event Management (SIEM) tools and intrusion detection/prevention systems, to continuously monitor the environment for threats. Lead the incident response process for cybersecurity events – promptly investigating alerts, coordinating response efforts, performing forensic root cause analysis, and implementing remedial actions to prevent recurrence. Continuously refine intrusion detection efficiency and reduce security incident frequency through proactive threat hunting and monitoring.
  • Business Continuity & Disaster Recovery: Develop, implement, and routinely update comprehensive business continuity and disaster recovery (BCDR) plans covering all critical systems and business functions. Coordinate regular BCDR drills, scenario tests, and backup recovery tests to ensure rapid recovery capabilities and successful restoration of services with minimal downtime in the event of a disruption.
  • Identity & Access Management: Ensure effective identity and access management processes are in place to safeguard systems and data. Enforce the principle of least privilege through strict access controls and periodic access reviews, and oversee identity governance to maintain high access control effectiveness.
  • Security Risk Assessment & Testing: Conduct and coordinate regular security assessments and testing to uncover vulnerabilities. This includes managing periodic vulnerability scans, penetration tests, and security audits of applications and infrastructure, then driving the timely remediation of any identified risks or weaknesses. Track and improve metrics such as penetration test success rates and risk assessment coverage across business units as measures of program effectiveness.
  • Policy Development & Awareness: Develop and update information security policies and guidelines in accordance with industry best practices and emerging threats. Lead organization-wide security awareness and training initiatives to foster a culture of security, ensuring employees at all levels understand and follow safe practices (recognizing that human factors are critical to reducing incidents).
  • Cross-Functional Collaboration: Work closely with other departments and senior leadership to embed security into all business processes and technology projects. Liaise with IT, Engineering, Product, Finance, and Loss Prevention teams to ensure secure system and software design, with Legal/Compliance on contracts and data protection initiatives, and with business units to advise on risk management in new projects. Serve as the subject matter expert on cybersecurity for internal stakeholders, ensuring security requirements are integrated without impeding business operations.
  • Team Leadership & Performance: Lead, mentor, and develop the internal information security team (security analysts, engineers, GRC specialists, etc.) and manage relationships with any external security service providers. Plan and oversee the security program budget and resources, ensuring cost-efficient security investments and compliance efforts. Establish key security metrics (e.g. incident response times, compliance rates, audit remediation time) and regularly report on the security program’s performance and risks to the CIO and executive leadership. Prepare quarterly briefings for the Board of Directors. Champion a culture of accountability and continuous improvement within the security team.