Posted: 18-Jun-25
Location: Atlanta, Georgia
Type: Full Time
Salary: $130k-$150k
Required Education:
Additional Information:
The Information Security Officer (ISO) is responsible for developing, implementing, and maintaining the law firm's information security strategy. This role ensures the confidentiality, integrity, and availability of client data, firm documents, and IT infrastructure, with a strong focus on regulatory compliance, client data protection, client audit readiness, and proactive risk management. The ISO will collaborate cross-functionally with legal, IT, compliance, and firm leadership to embed security best practices across all operations. This is a blended, hands-on role with significant operational oversight - initially an individual contributor position, with a clear growth path to lead the infrastructure team and shape the firm’s future technology landscape.
The ideal candidate will bring a strong technical foundation, leadership experience, and an understanding of the unique confidentiality and compliance demands of a law firm or professional services environment.
The ideal candidate will demonstrate deep technical expertise, experience with legal-industry security requirements, and the ability to architect and drive a forward-thinking, resilient security program aligned with client expectations and ethical obligations.
Key Responsibilities:
- Security Strategy & Governance
- Develop and lead the firm’s information security program.
- Establish and enforce security policies, procedures, and standards aligned with legal and regulatory requirements (e.g. HIPAA, ISO/IEC 27001, NIST).
- Conduct risk assessments and implement measures to reduce security threats.
- Incident Management
- Lead the response to security incidents and data breaches, including investigation, mitigation, and reporting.
- Maintain and test the incident response plan and disaster recovery strategies.
- Compliance & Legal
- Ensure compliance with client security requirements, industry regulations, and privacy laws.
- Support audits and client security assessments.
- Security Operations & Solutions Engineering
- Monitor systems for vulnerabilities and threats using tools like SIEM, IDS/IPS, and endpoint protection platforms.
- Manage security technologies, including firewalls, encryption protocols, VPNs, DLP, and mobile device management.
- Training & Awareness
- Lead security awareness programs for attorneys and staff to promote best practices and prevent phishing and social engineering attacks.
- Third Party Risk Management
- Evaluate third-party vendors for security risk and ensure appropriate controls are in place.
- Leadership and Team Management
- Lead and mentor team members promoting a culture of accountability and continuous improvement.
- Coordinate cross-functional security initiatives with IT, compliance, legal, HR, and risk management teams.
- Stay informed of emerging threats, risks, and legal technology trends relevant to the professional services sector
Qualifications:
- Bachelor’s degree in information security, Computer Science, or a related field
- 5+ years of experience in cybersecurity or information security roles, ideally in a legal or professional services environment
- Industry certifications (e.g., CISSP, CISM, CISA, CYSA, SEC+, CCSP)
- Strong understanding of cybersecurity frameworks (e.g., ISO 27001, NIST, etc.) and legal industry compliance requirements
- Experience with SIEMs, firewalls, IDS/IPS, endpoint protection, and IAM systems
- Experience with security requirements related to client RFPs and third-party audits.
- Hands-on experience with cloud security (AWS, Azure)
- Experience with document management systems, legal practice management software and e-discovery tools is a plus
Required Skill and Abilities:
- Strong ethical compass and respect for confidentiality.
- Proactive mindset with excellent problem-solving skills.
- Ability to manage multiple priorities in a fast-paced environment.
- Strong project management and organizational skills.
- Excellent communication skills and the ability to present technical information to non-technical audiences