Head of Security managing information security strategy at Reach. Leading end-to-end security efforts for a global ecommerce platform.
Responsibilities
Vulnerability management and offensive testing: Own the vuln lifecycle end-to-end — intake, triage, prioritization, risk acceptance, ticketing to dev teams, and remediation within SLA — and manage external pen tests and targeted assessments. Report regularly on status, SLA performance, and trends.
Security operations and incident response: Manage our MSSP partner for 24/7 SIEM and SOC monitoring; ensure telemetry, detections, and playbooks match our threat model. Serve as incident commander for real events, and run regular tabletops and post-incident reviews.
Policy, controls, and risk: Define and maintain Reach’s security policies and control framework. Design, implement, and measure the effectiveness of controls; maintain a risk register; and surface material risk decisions to leadership.
Compliance and audits: Own SOC 2 Type II and PCI DSS end-to-end with continuous control monitoring and evidence collection between audits. Serve as the primary contact for external auditors.
Application and cloud security: Partner with engineering on secure SDLC, threat modeling for new products and features, SAST/DAST/SCA coverage, and cloud security posture (IAM, configuration, workload protection).
Identity and access management: Own IAM policy, periodic access reviews, privileged access, and joiner/mover/leaver processes, in partnership with IT and People.
Third-party and customer security: Run Reach’s vendor risk program (due diligence, questionnaires, DPAs, ongoing monitoring) and own responses to customer and prospect security reviews.
Security awareness and training: Run phishing simulations, ongoing and role-targeted training, and regular company-wide sessions on new threats and best practices.
Executive reporting: Provide regular security posture updates with meaningful metrics (MTTD/MTTR, patch latency, control coverage, phishing outcomes, audit readiness).
People, budget, and tooling: Act as a mentor for your report; own the security budget and tool stack — evaluating, procuring, rationalizing, and retiring tools as the program matures.
Requirements
8+ years in information security, with 3+ years leading a security program or a major security function.
Direct experience owning SOC 2 Type II audits end-to-end; PCI DSS experience strongly preferred.
Proven, hands-on ownership of vulnerability management programs at scale.
Experience managing an MSSP/MDR relationship for SIEM and 24/7 SOC.
Strong application and cloud security fundamentals, with hands-on experience in AWS, GCP, or Azure, and the ability to partner credibly with engineering.
Experience leading incident response end-to-end, including cross-functional coordination and working with external parties.
Experience writing and operationalizing security policies against recognized frameworks (NIST CSF, ISO 27001, CIS Controls).
Excellent written and verbal communication — credible with engineers, executives, auditors, and customers.
Comfortable as a player-coach in a lean environment, with a strong sense of ownership and bias for action.
Additional Assets
Experience in fintech, payments, or ecommerce — ideally cross-border or merchant-of-record.
Prior experience standing up or scaling a security program at a growth-stage company.
Familiarity with GRC/continuous compliance platforms (e.g., Vanta, Drata, Secureframe).
AWS experience (our primary cloud) and Atlassian suite (Jira, Confluence) for workflow and documentation.
Lead AI Red Team focusing on adversarial testing and security for enterprise - scale AI systems. Collaborate with engineering and compliance to map vulnerabilities and document findings.
Intern in operational security at Investissement Québec, supporting security alert management and vulnerability tracking in a supervised learning environment.
IT Information Security Lead at Mirego, responsible for technology and information security management. Overseeing compliance and IT strategies while maintaining operational efficiency.
Cybersecurity Specialist focusing on offensive security for Exposant 3. Performing penetration testing, security audits, and team knowledge transfer in a hybrid work setup.
Financial security advisor in life and health insurance, developing and maintaining client relationships. Selling insurance products and assessing customer needs to provide personalized solutions.
Senior Security Engineer designing and maintaining Microsoft 365 security solutions at ResMed. Focusing on compliance, incident response, and collaboration with global teams.
Senior Infrastructure professional solving practical security challenges and improving enterprise systems security at Confluence. Focused on implementation, remediation, and secure operations across Windows and Linux environments.
Senior infrastructure professional responsible for vulnerability remediation and security improvements across enterprise systems at Confluence. Hands - on role involving Windows and Linux environments with strong collaboration with Cybersecurity team.
Enterprise Security Architect responsible for implementing information security best practices at SecureOps. Collaborating with clients to analyze networks and provide effective security solutions.
Health, safety, and environment advisor responsible for maintaining compliance and promoting safety practices. Supporting project teams and developing SSE programs to manage risks in the workplace.