Director of corporate Information Security

Role Purpose

The Director / Head of Information Security will lead Chargebee’s Corporate Information Security function, working in close partnership with the Enterprise Cyber security (ECS) which manages product and infrastructure security and Corporate IT (which manages employee systems, devices, and operations) teams.

This role focuses on strengthening enterprise-wide governance, compliance, and risk management by designing new security capabilities while leveraging existing technical and operational controls across the broader ecosystem.

The leader will own the ISMS (ISO 27001 Program), Incident Management, Data Protection, Endpoint Security, and other GRC (Governance, Risk & Compliance) programs that protect our people, systems, and customers.

The ideal candidate will enable Chargebee to stay audit-ready, resilient, and trusted by customers as we continue to scale globally.

Key Responsibilities

1. Information Security Strategy & Governance

• Lead the design and execution of Chargebee’s enterprise security strategy aligned with business goals
• Own and continuously improve the Information Security Management System (ISMS) under ISO 27001, SOC 2, PCI DSS, and GDPR.
• Establish and maintain the security governance framework, policies, and standards across business units.
• Drive adoption of a unified security maturity model and track progress across all security domains.
• Report quarterly to senior leadership on posture, risks, incidents, and roadmap progress.

2. Program Ownership Across Core AORs

Own and mature the following functions and teams:

1. ISMS & ISO 27001 Program – Governance, internal audits, controls, SoA, and certification management.
3. Corporate Incident Management (CIM) – Centralized IR process, playbooks, RCA/CAPA, and coordination of each incident, coordinating Product security, Global Technology Infrastructure and internal operations team
4. Data Leakage Prevention (DLP) – Policy, enforcement, and insider data risk management of corporate systems and corporate technology (Collaboration and knowledge management systems).
5. AI information Security Governance – AI risk reviews, usage policy, vendor evaluation, and compliance oversight of corporate information systems and Corporate Technology.
6. Security Awareness Program – Continuous education, phishing simulation, and behavioral improvement of corporate information systems and Corporate Technology.
7. Corporate IT Risk Management – Risk register, reviews, and treatment lifecycle of corporate information systems and Corporate Technology.
8. Business Continuity Program (BCP) & Data Recovery (DR) (Corporate) – Continuity governance, simulation testing, recovery validation of corporate information systems and Corporate Technology.
9. Policy Governance – Centralized authoring, review, communication, and adoption tracking of corporate information systems and Corporate Technology.
10. Access Governance (RBAC) – Access policy, JML automation, and certification reviews of all systems, product operations and corporate systems and technology.
11. Endpoint Security (Systems & Hardware) – Device hardening, monitoring, and compliance visibility of corporate information systems and Corporate Technology.
12. GTM Trust Enablement (RFP/RFI) – Customer trust documentation, security questionnaires, SLAs in response to processes and governance related questions referring to Chargebee’s corporate information systems and Corporate Technology.

3. Operational Execution & Oversight

• Establish a centralized incident classification and escalation model for all business functions.
• Drive RCA & CAPA closure across incidents and audits; ensure risks are documented and tracked.
• Maintain audit and evidence readiness for customer and external certifications.
• Oversee DLP and endpoint monitoring, ensuring response workflows are automated and integrated.
• Partner with ECS and IT to embed security by design into products, infrastructure, and employee systems.
• Assist in responding to customer RFP’s to clarify and confirm Chargebee’s information security and corporate systems compliance

4. Risk, Compliance, and Reporting

• Maintain the enterprise security risk register; ensure high/critical risks have defined treatment and ownership.
• Manage ISO internal audits and, surveillance reviews, and customer due diligence requests.
• Develop and publish quarterly security KPIs and KRIs, including metrics on incidents, risk aging, compliance, and awareness.
• Lead regular security governance reviews with senior leadership, providing updates on posture, risks, and strategic initiatives

5. People Leadership & Culture

• Build and lead a high-performing infosec team across GRC, Risk, DLP, IR, and Awareness.
• Partner cross-functionally with IT, ECS, Legal, HR, Comms, Risk & Compliance, and GTM enablement functions..
• Promote a culture where security is everyone’s responsibility through communication, enablement, and collaboration.
• Mentor, coach, and grow internal talent to scale the security program sustainably.