Head of Security

Head of Security Role purpose Own the organization’s security posture end-to-end. The Head of Security sets strategy, standards and day-to-day execution across information security, application security, infrastructure security and (where applicable) physical security. The role balances risk reduction with business enablement - making security practical, measurable and scalable. Key responsibilities 1) Security strategy & governance ● Define and maintain the security strategy, roadmap and operating model aligned to the business goals. ● Establish security policies, standards and secure-by-default guardrails. ● Define and enforce data protection and encryption standards. ● Create security metrics/KPIs and executive reporting. 2) Risk management ● Run an enterprise risk assessment process. ● Assess and prioritize risks across systems, vendors and business processes. ● Own security exception handling and ensure compensating controls are documented and monitored. 3) Incident response & resilience ● Own the incident response program: playbooks, on-call procedures, tabletop exercises, evidence handling, postmortems. ● Lead response to security incidents (containment, eradication, recovery) and coordinate internal/external stakeholders. ● Improve resilience through backups, disaster recovery testing and security monitoring/alerting. 4) Security operations ● Implement and oversee controls such as IAM, MFA, least privilege, endpoint security, patching and secure configuration baselines. ● Operate vulnerability management (scanning, triage, remediation SLAs) and penetration testing coordination. ● Protection and monitoring of sensitive data: implement and operate controls to prevent unauthorized access, misuse or exfiltration. ● Maintain logs/SIEM, detection engineering and continuous monitoring where appropriate. 5) Product & application security ● Embed security into SDLC: secure coding standards, code scanning, dependency management, secrets handling, CI/CD controls. ● Perform/enable threat modeling and security reviews for new features and architectural changes. ● Drive remediation of application and infrastructure findings with engineering teams. 6) Vendor & third-party security ● Own third-party risk management: due diligence, security questionnaires, contract/security addendums, ongoing monitoring. ● Ensure vendors meet security requirements and that data-sharing is controlled and auditable, including encryption and data handling expectations for sensitive data. 7) Security culture & training ● Build a strong security culture via training, phishing simulations and clear processes. 8) Budget, team & leadership ● Build and manage the security budget (tools, vendors, staffing) and justify investments based on risk and ROI. ● Hire, develop and manage security staff and/or MSSP relationships. ● Establish clear SLAs and service ownership across security domains. Required experience & skills ● Strong understanding of cloud security (AWS/Azure/GCP), IAM, network security and endpoint security. ● Strong understanding of data protection and encryption practices. ● Proven incident response leadership and ability to manage crisis communications. ● Ability to translate technical risk into business impact and make pragmatic recommendations. ● Experience building security programs, policies and metrics from scratch or scaling them. ● Strong stakeholder management, vendor negotiation and executive communication Location Remote Department IT Employment Type Full-Time Minimum Experience Manager/Supervisor