
Chief Information Security Officer (CISO)
Job Description
The Chief Information Security Officer (CISO) is an executive reporting to the Chief Technology Officer (CTO), responsible for the development, implementation, and continuous oversight of the company's enterprise-wide information security strategy. In addition to the security function, the CISO leads the company's IT organisation, owning the infrastructure, tools, and services that underpin our satellite operations, ground segment, data processing pipelines, and corporate systems. The CISO will ensure compliance with applicable US and European cybersecurity frameworks, safeguard classified and controlled unclassified information (CUI) as well as proprietary Earth observation data assets, lead government liaison activities, and build a high-performing combined security and IT function. This is a highly visible, cross-functional role requiring deep technical knowledge, executive presence, and extensive experience in regulated aerospace, defense, or space data environments.
KEY RESPONSIBILITIES
Security Strategy & Governance
- Develop and own the company's multi-year information security roadmap aligned with business objectives, government contract requirements, and international obligations.
- Establish and maintain a comprehensive Information Security Management System (ISMS) using NIST SP 800-53, NIST CSF, and ISO 27001 principles.
- Chair the company's Information Security Steering Committee; report directly to the CTO and present security posture updates to the CEO and Board of Directors as required.
- Define and enforce policies for data classification, access management, insider threat, incident response, business continuity, and disaster recovery.
NIST & CMMC Compliance
- Lead the company's certification and maintenance activities under Cybersecurity Maturity Model Certification (CMMC) Level 2 and/or Level 3, ensuring alignment with DFARS 252.204-7012 and 48 CFR Part 204.
- Oversee the System Security Plan (SSP) and Plan of Action & Milestones (POA&M) lifecycle in accordance with NIST SP 800-171 and NIST SP 800-172.
- Direct all CMMC third-party assessment activities (C3PAO engagements), coordinate remediation, and maintain continuous compliance posture.
- Ensure CUI handling, marking, storage, and transmission comply with NARA and DoD requirements across all programs.
Government Liaison & International Affairs
- Serve as the primary security point of contact with US Government agencies including DoD, NASA, NRO, Space Force, and CISA.
- Interface with European government bodies and regulatory authorities including ESA (European Space Agency), national competent authorities, and EU Agency for Cybersecurity (ENISA).
- Support ITAR / EAR compliance in partnership with Legal and the Empowered Official; participate in technology transfer review processes.
- Coordinate with cleared facility (SCIF) requirements and facility security officer (FSO) functions as needed for classified program support.
- Represent the company in industry security working groups, government advisory councils, and NATO-aligned forums.
IT Organisation Leadership
- Own and direct the company's IT function, including corporate infrastructure, end-user computing, productivity platforms, and IT service management (ITSM).
- Manage and operate the company's sovereign cloud environments — AWS GovCloud and Microsoft 365 GCC High — ensuring secure configuration, access governance, cost management, and compliance with applicable government cloud standards.
- Maintain on-premise and hybrid systems supporting corporate operations, ensuring they meet security, availability, and performance requirements.
- Drive IT operational excellence through ITIL-aligned service management practices, SLA governance, and continuous improvement of IT reliability and performance.
- Lead IT vendor and contract management, including selection and oversight of managed service providers, hardware vendors, and software partners.
- Ensure corporate IT systems and services meet the reliability and performance requirements needed to support the wider business, including teams responsible for ground segment and data operations.
- Develop and maintain a technology roadmap for the IT organisation aligned with the company's headcount growth, operational scale, and evolving business needs.
Risk Management & Operations
- Own the enterprise cyber risk register; develop and present risk treatment plans with measurable outcomes to executive leadership.
- Lead incident response planning and execution; act as incident commander for significant cybersecurity events.
- Oversee third-party and supply chain security assessments, including subcontractor CMMC readiness and supplier risk management.
- Drive security architecture reviews for new systems, cloud environments (GovCloud, AWS/Azure sovereign regions), and mission-critical OT/ICS platforms — including the ground segment and data processing pipelines owned by engineering and operations teams.
Team Leadership & Culture
- Recruit, develop, and lead a combined security and IT organisation covering cybersecurity operations, IT infrastructure, end-user support, compliance, identity & access management, and physical security integration.
- Build and sustain a security-aware culture through training programs, tabletop exercises, phishing simulations, and executive education.
- Foster a high-performance IT culture focused on reliability, speed of delivery, and secure-by-design thinking across engineering and operations teams.
- Manage the consolidated security and IT budget; prioritise investments in tooling, personnel, and third-party services to maximise risk reduction and operational capability.
REQUIRED QUALIFICATIONS
- 15+ years of progressive experience spanning information security and IT leadership, with at least 5 years in a senior role (CISO, Deputy CISO, VP IT Security, or equivalent) that included responsibility for IT operations.
- Demonstrated expertise in NIST Cybersecurity Framework (CSF), NIST SP 800-53, NIST SP 800-171/172, and CMMC 2.0 assessment and implementation.
- Proven track record managing an IT organisation, including infrastructure, cloud platforms, and IT service delivery in a technology-intensive environment.
- Direct experience engaging with US federal government customers, contracting officers, and government security representatives.
- Proven ability to interface with European government and regulatory bodies, with knowledge of NIS2 Directive, GDPR data security obligations, and EU dual-use export controls.
- Active US security clearance (TS/SCI strongly preferred); willingness to undergo polygraph and expanded investigation if required.
- Experience with ITAR/EAR compliance in an aerospace, defense, space, or advanced technology environment.
- Strong business acumen and executive communication skills; ability to translate complex security and IT topics for Board-level and non-technical audiences.
- Bachelor's degree in Computer Science, Information Security, Engineering, or a related field (advanced degree preferred).
PREFERRED QUALIFICATIONS
- Certified Information Systems Security Professional (CISSP), CISM, ITIL 4 Strategic Leader, or equivalent industry certification.
- CMMC Registered Practitioner (RP) or Certified Assessor (CA) credentials.
- Experience within the space, Earth observation, satellite, or geospatial data industry — including security advisory responsibilities over ground segments, data downlink systems, and cloud-based data delivery platforms.
- Familiarity with NATO STANAG security standards and allied nation information sharing frameworks (Five Eyes, EU Classified Information).
- Hands-on experience administering AWS GovCloud and/or Microsoft 365 GCC High environments, including FedRAMP High compliance, conditional access policies, and government data boundary controls.
- Experience scaling a combined security and IT function in a high-growth or startup environment.
- Proficiency in a second European language (German, French, or Italian preferred).
Spire operates a hybrid work model, and this position will require you to work a minimum of three days per week in the office.
Access to US export-controlled software and/or technology may be required for this role. If needed, Spire will arrange the necessary licenses—this is not something candidates need to have before applying.
The anticipated base salary range for this position is listed below. Final base salary for this role will be based on the location, skills, experience and qualifications. In addition to base compensation, this role may be eligible for annual equity awards and our employee benefits program, including vacation, sick, and personal time off; optional medical, dental, vision, life, and disability coverage; a 401(K) plan; health and wellness reimbursement program; and participation in Spire’s Employee Stock Purchase Plan.
Global Perks
🛰️ Name Your Satellite Program (NYSP)
🚀 Launch Attendance
🌴 Generous Time Off Policy
🎓 Education Assistance Program
🥰 Employee Assistance Program (EAP)
📈 Employee Stock Purchase Program (ESPP)
👣 Family Leave
💪 Fitness Reimbursement
🧡 Employee Referral Program
🍉 Healthy snacks & beverages in every office
About Spire
We improve life on Earth with data from space.
Spire Global is a space-to-cloud analytics company that owns and operates the largest multi-purpose constellation of satellites. Its proprietary data and algorithms provide the most advanced maritime, aviation, and weather tracking in the world. In addition to its constellation, Spire’s data infrastructure includes a global ground station network and 24/7 operations that provide real-time global coverage of every point on Earth.
Spire is Global and our success draws upon the diverse viewpoints, skills and experiences of our employees. We are proud to be an equal opportunity employer and are committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, marital status, disability, gender identity or veteran status.
To help maintain a safe and secure workplace for Spire employees, all candidates who receive a conditional offer will be required to complete a background check. This may include criminal history and employment verification.
Please take a moment to review Spire's Global Data Privacy Notice for Employees, Contractors, Candidates and Visitors, as well as Spire's Privacy Policy.
Kindly be advised that communication regarding your application may come from @spire.com, @recruiting.spire.com, or from Candidate.fyi (our scheduling tool).
Job Details
- Category: Security
- Employment Type: Contract
- Location: Boulder, Colo, United States
- Posted: Apr 15, 2026, 12:21 PM
- Listed: Jan 7, 2026, 12:05 PM
- Compensation: $250,000 - $280,000 per year