
Head of Security (Security & IT Risk)


Undisclosed

Glenmarie, Selangor

Job Description

Position Responsibilities

We are hiring a Head of Security (Security & IT Risk) to own the company's security posture end-to-end across cloud, applications, identity/access, and third-party risk. This is a hands-on leadership role focused on measurable risk reduction while enabling teams to move fast safely. You will define security standards, build guardrails through automation, lead incident response, and drive security maturity in a way that fits a high-growth environment. You will work closely with Engineering, Platform/Infrastructure, Data, and Enterprise Systems to embed security into how the company builds and operates, and ensure we are ready for serious due diligence from enterprise partners.


1. Security ownership and leadership

  • Own and maintain the company security risk register (top risks, owners, timelines, and remediation tracking).
  • Define and drive the security strategy and roadmap (capabilities, guardrails, and maturity) across cloud, app security, IAM, and security operations.
  • Act as the single point of accountability for security incidents, including triage, coordination, post-incident reviews, and remediation tracking.
  • Report security posture and risk trends to leadership with clear actions, owners, and decisions needed.

2. Security policy, standards, and enforcement

  • Define and maintain practical, risk-based security policies and standards aligned with business and delivery realities.
  • Translate security policies into technical guardrails and automated controls, in close collaboration with Platform, Infrastructure, and Engineering teams.
  • Ensure security standards are implemented primarily through systems and tooling, not manual approvals or documentation-heavy processes.
  • Establish clear processes for risk acceptance, policy exceptions, and escalation, with appropriate transparency to leadership.
  • Monitor adherence to security standards and drive remediation through collaboration and prioritisation, not gatekeeping.

3. Cloud, platform, and access security

  • Define cloud security patterns for IAM, networking, secrets management, logging, and monitoring.
  • Partner with Platform/Infrastructure to harden environments without creating delivery bottlenecks.
  • Own access governance, including joiner/mover/leaver controls, access reviews, and least-privilege enforcement.

4. Data protection & production access

  • Own data protection standards: data classification, encryption-at-rest/in-transit, key management, and secrets handling.
  • Define and enforce strict production data access controls (least privilege, approvals, time-bound access, audit trails).
  • Ensure logs and telemetry do not leak sensitive data (PII masking, token/credential scrubbing).

5. Security monitoring, detection & response maturity

  • Build practical detection coverage using cloud logs, app signals, and alerting so we can detect and respond early.
  • Improve incident readiness through tabletop exercises and measurable response improvements (time-to-detect, time-to-contain).
  • Drive measurable security telemetry outcomes (e.g., detect X within Y minutes).
  • Own the approach for security logging and SIEM/alerting design to ensure actionable detection, not noise.

6. Vulnerability & remediation management

  • Own vulnerability management across cloud, endpoints, containers, code, and dependencies (SAST/DAST/SCA).
  • Define remediation SLAs (Critical/High/Medium) and drive closure with Engineering and Platform teams.
  • Ensure recurring issues are eliminated via guardrails, automation, and secure-by-default patterns.
  • Embed security into CI/CD and engineering workflows (secure SDLC) with minimal friction.

7. Third-party & SaaS risk management

  • Own third-party/vendor security assessment and onboarding requirements (e.g., payment, POS, loyalty, analytics, CDP).
  • Ensure contracts/SLA/security requirements cover real operational risks (support, access, breach notification, DR assumptions).

8. Incident response and readiness

  • Own the security incident response framework, playbooks, and escalation paths.
  • Lead or coordinate response to security incidents calmly and decisively.
  • Ensure lessons learned translate into concrete improvements.

9. Governance, risk and audit readiness

  • Build and maintain lightweight security governance suitable for a growing organisation.
  • Drive audit and due-diligence readiness (for enterprise customers and future IPO expectations).
  • Maintain security policies, evidence and controls in a state that is always inspection-ready.

10. Enablement and collaboration

  • Embed security into engineering and operational workflows through guidance, patterns, and automation.
  • Act as a trusted partner to Engineering and Platform teams, not a gatekeeper.
  • Raise security awareness pragmatically, focusing on behaviours that materially reduce risk.

11. Team development

  • Manage and mentor the security function.
  • Define and execute the security hiring/scaling plan based on risk, growth, and delivery needs.

Decision Rights (Important)

  • Security owns security standards, minimum controls, and enforcement through automated guardrails.
  • Security may block or pause production changes only for Sev1 security risks (e.g., exposed credentials, active exploitation, material data exposure), with escalation to CTO within the same day.
  • All other risk trade-offs are resolved via documented risk acceptance with clear owners and timelines.

Job Requirements

Qualification and Experience

  • 8+ years in information security, security engineering, or platform security roles.
  • Strong hands-on experience securing AWS or similar cloud environments.
  • Proven experience handling real security incidents in production.
  • Solid understanding of application security for APIs, web, and mobile systems.
  • Experience building pragmatic security practices in fast-moving organisations.
  • Strong stakeholder management and communication skills.
  • Has led security across a real production environment (not just advisory work).
  • Has personally driven at least one major security uplift (IAM, segmentation, logging, hardening, incident readiness).
  • Comfortable presenting risk to C-level and translating security into business impact.
  • Experience with SOC 2, ISO 27001, or similar frameworks.
  • Familiarity with CSPM, SIEM/log analysis, vulnerability management, and secrets tooling.
  • Exposure to hardware, IoT, or operational technology security.
  • Experience with PCI-style thinking / payment security exposure (even if not fully PCI certified).
  • Experience working with mobile + APIs (fraud/abuse is a huge real-world risk for retail apps).



Skills

Information Security Management
Multi Platform Security
AWS CloudFormation
Application Programming Interface (API)

Company Benefits

Employee Discount

Enjoy employee discounts on beverages, merchandise, etc. at all outlets across Malaysia.

Employee Perk Programmes

Establishment of corporate benefits to offer exclusive discounts or benefits to each employee.

Health and Wellness

Out-patient care and in-patient care are covered for all employees, including ongoing wellness programmes and activities.

Career Development

Job training and continuing education help to fuel employee career growth.

Extension Leave Benefits

We are more generous with leave days: we offer more than 6 other types of leave!


Additional Info


Career Level

Head of Department

Job Specialisation


Company Profile


ZUS COFFEE

For many, coffee is a daily need. Specialty coffee, however, is often seen as a luxury, something you treat yourself to only on special occasions. We started ZUS Coffee to change this perception. With the best quality ingredients, high-level coffee brewing technology and an innovative business model, we're evolving the concept of coffee consumption to make specialty coffee affordable for everyone, everyday. a...