Director of Cybersecurity & Compliance
Position Summary

L+M Development Partners is seeking a hands-on Director of Cybersecurity & Compliance to lead and execute the company's information security strategy. This is a practitioner-level role — not a purely advisory or oversight position — requiring someone who can configure controls, manage platforms, and drive real security outcomes alongside the IT team.

The Director will own the day-to-day operation of L+M's security stack, manage MDR vendor relationships, lead the company's response to cybersecurity incidents, build a formal governance and compliance program, and serve as the internal security authority for staff, leadership, and vendors.

Key Responsibilities

Security Operations & Platform Management
- Administer and optimize Microsoft 365 / Entra ID security configurations, including Conditional Access, MFA policies, and re-authentication session controls
- Manage and tune email security platforms, MDR, and firewalls for threat detection and PII content filtering
- Oversee email security and MDR engagement for 24/7 threat monitoring; serve as primary internal contact for escalation and incident triage
- Administer firewall and other network security controls and access policies
- Manage restrictions on personal email access, personal device access to SharePoint/company resources, and shared drive to OneDrive/SharePoint migration security controls
- Implement and maintain DLP policies to prevent PII from being transmitted via email, with programmatic deletion of historical PII from employee mailboxes
- Own incident response, remediation, and data breach management and reporting
- Investigate and document security incidents; produce post-incident reports for leadership and the board

Governance, Risk & Compliance
- Build and maintain a NIST-aligned cybersecurity governance framework, incorporating the findings from third-party pen tests, cyber assessment, and governance strategy engagement
- Develop and enforce company-wide information security policies, including acceptable use, data classification, PII handling, and vendor security requirements
- Create a vendor security program with tiered controls based on risk level; ensure new and high-risk vendors meet MFA, cybersecurity training, and contractual security requirements
- Manage PII data handling policies for all company platforms; define retention, access, and deletion procedures
- Coordinate with legal counsel on multi-state regulatory compliance, notification windows, and data privacy obligations
- Support cyber insurance renewals and carrier requirements; work with the Insurance team to assess and close coverage gaps

Security Awareness & Culture
- Design and operate an employee security awareness training program; manage phishing simulation campaigns and track employee performance
- Help develop and enforce consequences for repeat security policy violations, including integration of phishing test results into annual performance review processes
- Provide advance training prior to new policy enforcement
- Communicate clearly with non-technical staff on security changes that affect daily workflows

Leadership & Strategic Reporting
- Serve as the internal subject matter expert on cybersecurity for the CTO, executive team, and board
- Prepare and present cybersecurity metrics, risk posture updates, and strategic recommendations to leadership
- Manage vendor relationships and procurement for security tools; evaluate and recommend platforms
- Define and track a cybersecurity roadmap aligned with NIST maturity milestones

Required Qualifications
- 7+ years of progressive experience in cybersecurity, with at least 3 years in a senior or lead technical role
- Hands-on, practitioner-level expertise — this role requires the ability to configure, operate, and troubleshoot security tools directly
- Deep expertise with Microsoft 365 security, Entra ID / Azure AD, Conditional Access, and the Defender suite
- Experience managing or overseeing Managed Email Security and MDR engagements
- Experience with email security platforms
- Strong working knowledge of PII handling obligations, data breach notification laws, and multi-state regulatory requirements
- Familiarity with the NIST Cybersecurity Framework and the ability to translate it into practical operational controls
- Experience developing and enforcing security policies, vendor security requirements, and employee training programs

Preferred Qualifications
- CISSP, CISM, CISA, or equivalent professional certification
- Experience in real estate, property management, affordable housing, or regulated industries with PII-intensive operations
- Familiarity with property management platforms and their data security considerations
- Experience working with outside legal counsel and cyber insurance carriers
- Background conducting or managing external cybersecurity assessments
- Exposure to DLP tools, SIEM/SOAR platforms, and network access control within a Microsoft-heavy environment