Information Security and Compliance Manager

Location: Montreal, Quebec, Canada

Department: Accounting and Finance

Type: Full Time

Min. Experience: Mid Level

Plusgrade is the world leader in airline upgrade solutions. Plusgrade’s proprietary SaaS platform and program optimization strategies enable 60+ of the world’s leading airlines to maximize the value of their premium cabins and onboard amenities. For the second consecutive year, Plusgrade has achieved the Deloitte Technology Fast 50™ list in Quebec. Plusgrade has its headquarters in downtown Montreal, with an additional office in New York City.

We have a strong engineering group that supports public-facing product under the brands of 60+ world-class airlines, sophisticated administrative applications in use by the revenue management departments of those 60+ airlines, an extensive back-end processing environment which connects to global reservation systems and payment gateways, and a data pipeline feeding data scientists, analysts, and operational decision makers.

The Role:

Plusgrade is searching for an experienced Information Security and Compliance Manager with familiarity with highly regulated industries, business continuity, incident management and/or information security. This individual will assist in conveying business continuity and information security risks. This role will report to Plusgrade’s Head of Finance, and present reports to senior leadership and the Board of Directors.


  • Act as Data Protection Officer on behalf of the company
  • Ensure that the company is compliant with GDPR
  • Report on information security and compliance activities to Plusgrade’s executive leadership and Plusgrade’s audit committee
  • Lead and manage contractual infosec obligations and control requirements with partners, ensure Plusgrade meets its obligations
  • Collaborate with Business Partners and works cross-functionally with departmental team members to achieve compliance needs
  • Scope, design and implement information security controls across Plusgrade’s tech stack. Develop process documentation, standards, policies, and architecture designs that support efficient security operations
  • Implement, manage and maintain the business continuity program (ISO 22301) and the privacy & security compliance program, including EU GDPR, PCI DSS Level 1, and SOC 1 type 2 reporting
  • Manage operational effectiveness of security controls and drive any remediation required. Perform root cause analysis and implement continuous improvement process opportunities   
  • Plan and execute Pen tests for all layers of Plusgrade’s technology stack, leveraging a 3rd party. Ensure all remediation actions from the pen test are prioritized and completed
  • Develop metrics to report on security and privacy compliance performance
  • Manage development of an incident response process to include documentation, training, mock exercises and resource coordination during actual events
  • Monitor and report on required corrective action plans relating to security and/or privacy compliance issues or audit deficiencies or observations
  • Monitor and report on the implementation of intrusion detection, firewall policies and malware software
  • Maintain up-to-date knowledge and understanding of information security threats, vulnerabilities, practices, principles and solutions
  • Inform and advise the organization and its employees about their obligations to comply with the GDPR and other data protection laws
  • Train staff and conduct internal privacy and data security audits


  • BS in Information Systems, Computer Science or related field
  • Professional certifications in the security, privacy, risk management and audit areas highly desirable, such as: CISSP, CRISC, CISM, CISA, CIPP, CIPT, CPA, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, ISO 27005 Risk Manager (CISA/CISM highly desirable)
  • Expert-level knowledge in one or more specific technical areas, such as network/cloud security, malware detection/analysis, threat intelligence, cryptography, vulnerability management, incident response, forensics, social engineering, or hacking techniques
  • Experience in the Technology or highly regulated industry a plus
  • Experience in operations within a PCI DSS Level 1 compliant environment
  • Familiarity with the ISO-22301 business continuity frameworks a plus
  • Basic understanding of IT security industry standards (i.e. NIST; ISO-27001)
  • Familiarity with CSA (Cloud Security Alliance) standards and practices
  • Minimum of 5 years cumulative hands-on security, privacy and compliance experience
  • Artful communication skills and organizational savvy, to steer peers and leadership toward solutions that carefully balance business, risk, compliance, and engineering concern
  • Field experience in leading multiple security and/or privacy audits and/or compliance initiatives, preferably in large audit firms
  • Experience with established and/or emerging compliance programs preferred (GDPR, etc.)
  • Expertise in national and European data protection laws, including an in-depth understanding of the GDPR, PIPEDA and CASL.
  • Knowledge of the business sector and ability to promote a data protection culture within the organization
  • Ability to travel
Apply for this Position
* Required fields
First name*
Last name*
Email address*
Phone number*

Attach resume as .pdf, .doc, .docx, .odt, or .rtf (limit 5MB) or paste resume

Paste your resume here or attach resume file

Cover Letter*
In 150 characters or fewer, tell us what makes you unique. Try to be creative and say something that will catch our eye!*