Job Summary:
Neumo is building a unified Information Security program across five lines of business and three legacy environments — Avenu, ITI, and GovOS. The CISO sets strategy and owns the board and executive relationship; the VP, Deputy CISO owns execution. This is a distinct, operational mandate: you run the program day to day, lead the four functional teams, make the working-level calls on tooling and process, and are personally accountable for the roadmap that gets us to SOC 1, SOC 2, PCI DSS, FedRAMP High, and GovRAMP.
This role exists because compliance commitments at this scale don't run on strategy alone — they run on someone who manages the leads, resolves the conflicts, and keeps evidence collection, scans, and assessments on schedule across three environments that don't yet operate the same way.
Duties and Responsibilities:
Team Leadership
- Directly manage the four functional leads — GRC, AppSec, Cloud/Vulnerability, and SecOps — setting priorities, removing blockers, and holding them accountable to delivery.
- Run the operating cadence for the team: weekly leads sync, sprint/quarter planning, and performance management for direct reports.
- Build a consistent operating model across the four functions so GRC, AppSec, Cloud/Vuln, and SecOps work from shared priorities rather than in silos.
Cross-Entity Execution
- Resolve tooling and process decisions at the working level across Avenu, ITI, and GovOS
- Own the standardization roadmap that brings three legacy environments onto common tooling, control sets, and operating procedures.
- Act as the escalation point when legacy entities disagree on approach; make the call and move the work forward.
Compliance Program Operations
- Own the operational roadmap behind SOC 1 and SOC 2: continuous evidence collection, control owners, and audit readiness ahead of annual audits.
- Own PCI DSS operations: the annual assessment cycle plus quarterly scan cadence, remediation tracking, and scope management.
- Drive the FedRAMP High authorization effort and the parallel GovRAMP pursuit — both multi-year, high-cost programs (FedRAMP High alone typically runs 12–24 months and $500K–$1M+) — translating authorization requirements into workstreams, milestones, and owners.
- Maintain a single rolling roadmap across all frameworks so audit cycles, scan windows, and authorization milestones are sequenced, resourced, and visible — and don't collide.
- Report program status, risks, and resourcing needs to the CISO with enough detail to support executive and board reporting.
Vendor & Audit Management
- Serve as the day-to-day owner of external audit and assessment relationships (e.g., compliance advisory firms, QSAs, 3PAOs), keeping evidence requests, timelines, and findings moving.
- Manage tooling vendors supporting GRC, vulnerability management, and security operations, including renewal and consolidation decisions across the three legacy stacks.
Education and Experience:
- 10+ years in information security, with at least 4 years managing security teams or functional leads directly.
- Direct experience operating through at least one SOC 2 or SOC 1 audit cycle and one PCI DSS assessment cycle as a control owner or program lead.
- Experience with FedRAMP or GovRAMP authorization work — control implementation, SSP development, or 3PAO assessment support — strongly preferred.
- Experience with vulnerability management platforms (e.g., Tenable) and WAF/cloud security tooling a plus
Knowledge, Skills and Abilities:
- Track record of standardizing security tooling or process across multiple business units, products, or post-merger environments.
- Comfortable making and owning tooling/process decisions without escalating every call upward — this role is judged on throughput, not just judgment.
- Working knowledge of NIST CSF 2.0 and how it maps to GRC, AppSec, Cloud/Vuln, and SecOps functions.
Work Environment:
- Office setting with a moderate noise level.
- The employee will work at an individual workstation, using a telephone and computer.
Physical Demands:
- Must be able to remain seated for extended periods.
- Regular use of a computer and other office machinery, such as printers and copy machines.
- Occasional movement around the office.
- Frequent communication via telephone.
Neumo Summary:
With the backing of four decades of public sector expertise and corporate capability, Neumo has successfully supported government services. Neumo was honored and recognized for four (4) consecutive years as a GovTech 100 Company representing the top 100 companies focused on making a difference in and selling to state and local government agencies across the United States.
Neumo is committed to helping communities thrive and brings a wealth of experience combined with innovation. Today, Neumo offers more administrative and financial support to government officials than any other organization. And with a responsive, client-focused approach, we foster partnerships that give our customers the certainty they need to accomplish more.
Neumo offers a competitive benefits and compensation package and are looking for team members who will thrive in our dynamic environment.
Neumo is an Equal Opportunity Employer. Selection for a position will be made without regard to race, religion, national origin, sex, political affiliation, marital status, non-disqualifying physical handicap, and age.