Head of Information Security and Privacy

Posted Date: Feb-15-2021

Job ID: 19311

Job Type: Full Time

Job Function: Executive Leadership

City: Seattle

State: Washington

Store: Seattle HQ

Remote Eligible: No

Please visit the Covid-19 Hiring Updates before applying

What's cool about this job

The Head of Information Security and Privacy will lead REI’s information security and privacy team and partner across the co-op to identify and manage risk in our technology, data and business practices. This leader will prepare the co-op for the shift to a digital-forward retailer as REI grows from a 20-million-member to 50-million-member community by 2030. As the expert advisor for choices the co-op makes to reduce risk, this person leads security architecture and engineering, vulnerability management, security portfolio and program management, security operations center, compliance and risk assessment and management, and identity and rights management. The Head of Information Security and Privacy is the champion and advocate for IT security, raising awareness and understanding across technology and the co-op and working closely with REI’s enterprise risk management and physical security organization.

At REI Co-op, we believe time outside is fundamental to a life well lived and exist to inspire and enable a life outside for everyone. To deliver on that promise, we are working with our 15,000 employees, 19M members and the broader outdoor community toward a reality where everyone has the opportunity to be themselves, to access opportunities and find their place in the outdoors. For us, that means:

  • Investing in work that removes the barriers people and communities face to getting outside
  • Delivering relevant products, experiences, and expertise to equip and inspire a new generation of outdoor stewards
  • Cultivating a workforce that reflects the demographics of the markets we serve
  • Leading the industry’s efforts to welcome people and communities historically underrepresented into outdoor media and culture

The Head of Information Security and Privacy contributes to REI’s success by developing, recommending and leading planning, strategies, and implementation of REI’s IT security program to ensure the IT environment (applications, infrastructure, SaaS, Cloud Services, and on-premise data centers) is secure and protected from intentional or inadvertent modification, disclosure or destruction. Leads, coordinates, and collaborates with IT leaders, managers, and staff to implement tools and processes throughout the security development lifecycle for intrusion detection and protection. This leader actively keeps abreast of new technology and IT service delivery methods to ensure REI is up to date with current IT security practices. Reporting to the Chief Technology Officer, Dan Shull, this person will lead a team of 30+ information security professionals.

Bring your passion and expertise

Essential Leadership Behaviors

The Essential Leadership Behaviors required by the future Head of Information Security and Privacy connect directly to the mission, the strategy and the quadruple bottom line that measures success for the co-op.

The Head of Information Security and Privacy will do this by:

  • As a member of the Leadership Forum, developing a deep understanding of the current and future information security and privacy program, while effectively communicating and broadly supporting execution of company strategies and priorities.
  • Directs the development, recommendations and championing of IT policy, strategy, standards and procedures for information and system security, disaster recovery and business continuance. Oversees the IT Disaster Recovery and Business Continuity program; ensures plans are in place and tested per policy.
  • Accountable for identifying and assessing IT security-related issues currently and potentially impacting IT and business performance.
  • Oversees IT security architecture including but not limited to roadmaps, assessments, principles, standards and security development lifecycle. Aligns with Enterprise Architecture on architecture principles and standards.
  • Sets, monitors, and enforces security elements within application, infrastructure and data architectures development methodologies. Communicates and collaborates with all other IT disciplines regarding integration and effectiveness of information security measures.
  • Directs the Identity and Access Management organization to include day-to-day operations, governance, and strategies.
  • Accountable for overseeing security operations center and associated tools.
  • Accountable for IT compliance management (Audit, PCI, data, vulnerability, disaster recovery, encryption, testing, etc.)
  • Directs the development of tools and design or re-engineering of processes for intrusion detection and prevention based on current best practices in the industry.
  • Oversees vulnerability management including scanning, testing, remediation, and reporting.
  • Working in conjunction with REI’s Enterprise Risk Management organization, ensures that the Company’s information systems comply with all applicable federal, state and local information privacy and related laws and regulations.
  • Leads and champions education efforts to ensure knowledge and awareness of company vulnerabilities to technology and information security threats and misuse. Provides guidance and direction for the physical protection of information systems assets to other functional units.
  • Provides reports to leadership regarding effectiveness of data security and makes recommendations for the adoption of new procedures.
  • Participates in division strategic planning, applying a current knowledge and future vision of technology and systems which significantly impact the effective execution of business processes.
  • Prepares budget recommendations for staffing needs, costs of equipment and tools, maintenance, and future projects. Sets IT Security and Risk Management investment portfolio in conjunction with IT leadership.
  • Collaborates with other IT department leaders to identify business needs; plan, schedule, and coordinate work; and ensure integration of business needs and information technology solutions.
  • Leads IT cross-division collaboration to ensure coordination and integration of business needs and solutions.
  • Communicates with team regarding policies and procedures, projects and activities in other groups.
  • Guides the team in the analysis of business requests and needs to ensure effective utilization of staff and equipment.
  • Follows the IT governance process for technology projects, ensuring that project goals and decisions are based upon business priorities.
  • Creates and maintains staffing plans. Ensures the team is properly trained and staffed to handle the projected workload, both from an internal staffing and outsourcing standpoint. Makes recommendations to management regarding long-term contractors and/or additions to staff.
  • Provides management with accurate, timely and relevant information about the status of projects, personnel and activities within the team.
  • Performs basic line supervision, including hiring, firing, conducting performance reviews, setting performance goals, promotions, salary increases, developing subordinates, and managing performance and discipline.
  • Creates support structures to ensure that adequate technical support for end users is maintained at all times. Ensures that required technical tools and training are available to the staff providing support.
  • Keeps abreast of technology changes and innovations in the information technology field generally, and acts as IT “guru” and resource relative to information technology security issues, trends, tools and solutions.
  • Manages or coordinates vendor relationships and contracts for products, services and support.
  • Ensures compliance with regulatory and internal controls.
  • Leads the Co-op Way and role models REI’s Values in Action at all times.

Professional Qualifications and Experience

The Professional Qualifications and Experience required by the future Head of Information Security and Privacy are imperative to the success of the candidate and the long-term success of the co-op. 

  • High Performing Security Engineering and Operations Engineering Leadership – Experience attracting, developing and challenging a world-class security engineering and operations organization with a passion to drive excellence.
  • Information Security and Privacy - Deep information security and privacy experience for digital-forward, customer-centric organizations.
  • Risk Assessment and Management – Elevated risk assessment and management for large-scale digital organizations collaborating with enterprise risk and physical security.
  • Change Management - Experience working as a change agent to drive innovation and transformational change within organizations. Successfully managed large-scale IT transformations and enterprise-wide programs.
  • Technology Strategy and Execution - Experience developing, planning and implementing the company’s technology strategy, with special focus on execution and ensuring timely delivery. Possesses a strong point of view on best practices.
  • Collaboration & Influence - Ability to influence across the organization to get things done. Ability to develop trust to facilitate strong relationships across all levels, internal and external.
  • Team Leadership - Ability to lead, inspire and motivate large teams, strategic relationships and third-party vendors, both on-shore and off-shore. Ability to build exceptional teams, including hiring, developing, mentoring and retaining talent and creating a deep talent pipeline.
  • Results Orientation - Possesses strong project management skills, with the ability to manage the product development roadmap and processes to ensure deliverables are achieved under tight deadlines.
  • Industry Trends & Best Practices - Possesses a thoughtful point of view on industry trends impacting commerce, customer experiences and the role of personal devices. Has an informed perspective on best-in-class experiences and technologies.
  • Decision Making & Judgment - Demonstrates a high degree of professionalism and judgment. Ability to make difficult decisions in a timely way in support of the Co-op’s mission.
  • Strategic Thinking - Ability to have a “big picture” perspective on the marketplace and develop a vision and strategies that create and sustain competitive advantage.
  • Education - Undergraduate degree and MBA from a leading program are highly desirable.


At REI we offer an enviable work environment that Fortune Magazine has recognized on the "100 Best Places to Work" list since the award's inception – 23 years in a row! Sure, we work hard, but it’s balanced with time off to play—a strategy that works for us as we continue to grow and thrive. Want to enjoy a workplace where you can be yourself, be heard and be respected while having a job that challenges you? This is the place.

With more than 160 retail locations (and growing), REI offers unique competitive benefits to its more than 15,000 employees, including healthcare, gear and apparel discounts, free equipment rentals and challenge grants to help employees reach personal outdoor goals, generous retirement plan contributions, public transit subsidy, adoption assistance, paid sabbaticals, and more.

REI is an Equal Opportunity Employer

ARTICLE 23-A, Section 753

§753. Factors to be considered concerning a previous criminal conviction; presumption.

1. In making a determination pursuant to section seven hundred fifty-two of this chapter, the public agency or private employer shall consider the following factors:

(a) The public policy of this state, as expressed in this act, to encourage the licensure and employment of persons previously convicted of one or more criminal offenses.

(b) The specific duties and responsibilities necessarily related to the license or employment sought or held by the person.

(c) The bearing, if any, the criminal offense or offenses for which the person was previously convicted will have on his fitness or ability to perform one or more such duties or responsibilities.

(d) The time which has elapsed since the occurrence of the criminal offense or offenses.

(e) The age of the person at the time of occurrence of the criminal offense or offenses.

(f) The seriousness of the offense or offenses.

(g) Any information produced by the person, or produced on his behalf, in regard to his rehabilitation and good conduct.

(h) The legitimate interest of the public agency or private employer in protecting property, and the safety and welfare of specific individuals or the general public.

2. In making a determination pursuant to section seven hundred fifty-two of this chapter, the public agency or private employer shall also give consideration to a certificate of relief from disabilities or a certificate of good conduct issued to the applicant, which certificate shall create a presumption of rehabilitation in regard to the offense or offenses specified therein.