Director, Information Technology

Posted 4 Hours Ago
Hiring Remotely in United States
Remote
150K-190K Annually
Expert/Leader
Defense
The Role
Lead cybersecurity, compliance, and resilience across a multi-site aerospace/defense environment. Drive CMMC Level 2, NIST 800-171, DFARS, and CUI readiness; manage identity, vulnerability, incident response, SOX ITGC support, business continuity, and security governance. Build and lead the cybersecurity, compliance & resilience team and coordinate cross-functional certification and audit activities.
Summary Generated by Built In

Position Summary:

The Director, Cybersecurity, Compliance & Resilience will lead Karman’s cybersecurity, compliance, technology risk, and cyber resilience function within the Chief Information & Artificial Intelligence Officer organization. This role is responsible for protecting Karman’s systems, data, users, regulated operations, and customer obligations across a multi-site aerospace and defense environment.

The top near-term priority for this role is driving Karman’s CMMC readiness and certification activities, including CMMC Level 2 execution, NIST 800-171 alignment, DFARS requirements, CUI protection, remediation tracking, evidence readiness, and audit preparedness. The role will also oversee cybersecurity risk management, SOX IT general controls support, identity and access controls, vulnerability management, incident response, disaster recovery, and business continuity alignment.

This is a hands-on leadership role requiring strong cybersecurity judgment, compliance discipline, executive communication, and the ability to drive practical execution across IT, Business Systems, Engineering, Operations, Finance, Legal, HR, Corporate Security, external partners, and site leadership.

About Us:

Karman Space & Defense provides concept-to-production solutions for mission-critical systems on spacecraft, launch vehicles, missiles, hypersonics, and integrated defense systems. We believe that solving the industry’s most complex and mission-critical challenges requires relentless determination and a willingness to push the boundaries of possibility. Karman Space & Defense brings to bear unparalleled production capabilities, unmatched engineering expertise, and unflinching analysis to render the impossible, possible.

Key Responsibilities:

CMMC, NIST, DFARS, and CUI Compliance

  • Lead Karman’s CMMC readiness and certification efforts, with CMMC Level 2 as the top near-term priority.
  • Drive alignment with NIST 800-171, DFARS cybersecurity requirements, CUI handling expectations, and related defense industrial base compliance obligations.
  • Own cybersecurity compliance planning, remediation tracking, evidence collection, policy alignment, and assessment readiness.
  • Partner with site leaders, Engineering, Operations, Corporate Security, Legal, and IT teams to ensure CUI controls are practical, understood, and consistently executed.
  • Coordinate with consultants, assessors, auditors, and internal stakeholders to support mock assessments, readiness reviews, and certification activities.
  • Provide clear status reporting on CMMC progress, open risks, blockers, remediation needs, and required leadership decisions.

Cybersecurity Risk and Governance

  • Establish and mature cybersecurity governance, risk management, policy, standards, and control processes.
  • Identify, assess, prioritize, and communicate cybersecurity risks in business terms.
  • Partner with the CIAIO and technology leadership team to ensure cybersecurity is embedded into technology strategy, enterprise platforms, infrastructure, AI enablement, and integration efforts.
  • Support security and compliance considerations in vendor management, cloud platforms, ERP/business systems, M&A integration, and site standardization.
  • Maintain discipline around cybersecurity exceptions, risk acceptance, remediation ownership, and executive visibility.

Identity, Vulnerability, and Security Operations

  • Lead identity and access management risk oversight, including privileged access, account lifecycle controls, access reviews, and user access governance.
  • Drive vulnerability management strategy, prioritization, remediation tracking, and SLA discipline.
  • Partner with Infrastructure & Site Operations to strengthen endpoint security, network security, M365 / GCC High security posture, asset management, and monitoring.
  • Improve operational security processes, including alert triage, incident escalation, control monitoring, and remediation follow-through.
  • Help reduce security backlog and improve visibility into the highest-risk vulnerabilities and control gaps.

SOX ITGC, Audit, and Control Readiness

  • Support IT compliance activities related to SOX IT general controls, including access management, change management, backup/recovery, system operations, and evidence production.
  • Partner with Finance, Internal Audit, Business Systems, and external auditors to ensure IT controls are documented, repeatable, and audit-ready.
  • Align CMMC, SOX, cybersecurity, and resilience activities where possible to reduce duplication and improve control efficiency.
  • Establish repeatable processes for control testing, issue remediation, evidence management, and audit support.

Incident Response, Resilience, and Business Continuity

  • Own cybersecurity incident response planning, playbooks, escalation protocols, tabletop exercises, and post-incident improvement actions.
  • Partner with infrastructure, business systems, operations, and site leadership on disaster recovery, backup strategy, business continuity, and resilience planning.
  • Ensure critical systems and regulated business processes have appropriate recovery and continuity plans.
  • Improve organizational readiness to detect, respond to, recover from, and learn from cybersecurity incidents.
  • Support a practical resilience model that protects business continuity, customer trust, and compliance obligations.

Team Leadership and Development

  • Build, lead, and mature the Cybersecurity, Compliance & Resilience function.
  • Provide leadership for cybersecurity GRC, security engineering, identity, vulnerability management, and incident response capabilities.
  • Define team priorities, responsibilities, operating cadence, performance expectations, and development plans.
  • Create a culture of accountability, urgency, transparency, compliance discipline, and practical risk management.
  • Partner with peer technology leaders to stabilize, standardize, prioritize, and scale the broader CIAIO organization.

Required Qualifications:

  • 10+ years of progressive experience in cybersecurity, IT risk, compliance, infrastructure security, audit, or related technology leadership roles.
  • 5+ years of leadership experience managing cybersecurity, compliance, GRC, security engineering, infrastructure security, or security operations teams.
  • Strong working knowledge of CMMC, NIST 800-171, DFARS cybersecurity requirements, and CUI protection.
  • Experience leading cybersecurity compliance programs, audits, assessments, remediation plans, and evidence collection.
  • Strong understanding of identity and access management, privileged access, vulnerability management, endpoint security, cloud security, network security, and incident response.
  • Experience supporting SOX IT general controls or similar regulated IT control environments.
  • Ability to communicate cybersecurity risks, compliance status, and remediation priorities clearly to executive, technical, and operational audiences.
  • Demonstrated ability to lead cross-functional initiatives in complex, multi-site environments.
  • Strong vendor, consultant, assessor, and auditor management skills.
  • Excellent judgment, prioritization, documentation, stakeholder management, and executive reporting skills.

Preferred Qualifications:

  • Experience in aerospace and defense, government contracting, manufacturing, or another highly regulated industry.
  • Direct experience supporting CMMC Level 2 readiness, mock assessments, final assessment preparation, or certification activities.
  • Experience with Microsoft GCC High, M365 security, Entra ID, Defender, endpoint management, and related Microsoft security platforms.
  • Familiarity with ERP, manufacturing systems, engineering systems, PLM/CAD environments, and regulated data environments.
  • Experience supporting post-merger integration, site standardization, or acquisition-related cybersecurity alignment.
  • Experience building or maturing cybersecurity programs in a scaling organization.
  • Relevant certifications such as CISSP, CISM, CISA, CRISC, CCSP, Security+, or similar.

Key Competencies:

  • CMMC execution leadership
  • Cybersecurity risk management
  • Compliance and audit readiness
  • Identity and vulnerability management
  • SOX ITGC alignment
  • Incident response and resilience
  • Business continuity and disaster recovery awareness
  • Executive communication
  • Cross-functional leadership
  • Practical business alignment
  • Team development and accountability

Success Measures:

  • CMMC Level 2 readiness and certification activities are clearly led, governed, and advanced with urgency.
  • CUI, NIST, DFARS, and CMMC requirements are translated into practical controls across sites and business operations.
  • Executive leadership has clear visibility into cybersecurity risks, remediation progress, compliance posture, and open decisions.
  • Vulnerability management, identity governance, access controls, and incident response maturity measurably improve.
  • SOX ITGC support is reliable, documented, repeatable, and aligned with Finance and audit expectations.
  • Cybersecurity is embedded into technology governance, vendor management, site operations, M&A integration, and enterprise platform decisions.
  • The Cybersecurity, Compliance & Resilience team becomes a trusted business partner that reduces risk while enabling growth.

Reporting Relationship:

This role reports to the Chief Information & Artificial Intelligence Officer and serves as a member of the CIAIO leadership team.

ITAR REQUIREMENTS:

To conform to U.S. Government export regulations, certain positions may require applicants to be a (i) U.S. citizen or national, (ii) U.S. lawful, permanent resident (aka green card holder), (iii) Refugee under 8 U.S.C. § 1157, or (iv) Asylee under 8 U.S.C. § 1158, or be eligible to obtain the required authorizations from the U.S. Department of State. Learn more about the ITAR here. 

EQUAL OPPORTUNITY EMPLOYER:

Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities. The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information.

Karman is committed to equal employment opportunity. We will not discriminate against employees or applicants for employment on any legally recognized basis (“protected class”) including, but not limited to race; color; religion; genetic information; national origin; sex; pregnancy, childbirth, or related medical conditions; age; disability; citizenship status; uniform servicemember status; or any other protected class under federal, state, or local law. Our management is dedicated to ensuring the fulfillment of this policy with respect to hiring, placement, promotion, transfer, demotion, layoff, termination, recruitment advertising, pay, and other forms of compensation, training, and general treatment during employment.

Skills Required

  • 10+ years progressive experience in cybersecurity, IT risk, compliance, infrastructure security, audit, or related technology leadership roles
  • 5+ years leadership experience managing cybersecurity, compliance, GRC, security engineering, infrastructure security, or security operations teams
  • Strong working knowledge of CMMC, NIST 800-171, DFARS cybersecurity requirements, and CUI protection
  • Experience leading cybersecurity compliance programs, audits, assessments, remediation plans, and evidence collection
  • Strong understanding of identity and access management, privileged access, account lifecycle controls, and access governance
  • Experience with vulnerability management strategy, prioritization, remediation tracking, and SLA discipline
  • Experience supporting SOX IT general controls (access management, change management, backup/recovery, system operations)
  • Ability to communicate cybersecurity risks, compliance status, and remediation priorities clearly to executive, technical, and operational audiences
  • Demonstrated ability to lead cross-functional initiatives in complex, multi-site environments
  • Strong vendor, consultant, assessor, and auditor management skills
  • Experience in aerospace and defense, government contracting, manufacturing, or another highly regulated industry
  • Direct experience supporting CMMC Level 2 readiness, mock assessments, final assessment preparation, or certification activities
  • Experience with Microsoft GCC High, M365 security, Entra ID, Defender, endpoint management, and related Microsoft security platforms
  • Familiarity with ERP, manufacturing systems, engineering systems, PLM/CAD environments, and regulated data environments
  • Relevant certifications such as CISSP, CISM, CISA, CRISC, CCSP, Security+, or similar

The Company
HQ: Huntington Beach, California
764 Employees

What We Do

Karman Space & Defense is a leader in the rapid design, development, and production of critical, next-generation system solutions that align with the U.S. Department of War’s core mission priorities and meet our nation’s accelerating demand for access to space. Building on nearly 50 years of success, we deliver Payload & Protection Systems, Aero/Hydrodynamic Interstage Systems, and Propulsion & Launch Systems to more than 80 prime contractors supporting over 130 space and defense programs. For more information, visit our website at Karman-SD.com.
