
Head of Security
Posted 1 day ago

This is a fully remote position, open to applicants in Canada.
• Manage the vulnerability lifecycle comprehensively — from intake, triage, and prioritization to risk acceptance, ticketing to development teams, and remediation within SLA. Oversee external penetration tests and targeted assessments, while regularly reporting on status, SLA performance, and trends.
• Oversee security operations and incident response by managing our MSSP partner for continuous SIEM and SOC monitoring; ensure that telemetry, detections, and playbooks align with our threat model. Act as the incident commander during actual events, and conduct regular tabletop exercises and post-incident reviews.
• Define and uphold Reach’s security policies and control framework, while designing, implementing, and assessing the effectiveness of controls; maintain a risk register and present significant risk decisions to leadership.
• Take ownership of the SOC 2 Type II and PCI DSS processes from start to finish, including continuous control monitoring and evidence collection between audits. Serve as the primary liaison for external auditors.
• Collaborate with engineering on secure SDLC, threat modeling for new products and features, SAST/DAST/SCA coverage, and cloud security posture (IAM, configuration, workload protection).
• Manage IAM policy, conduct periodic access reviews, oversee privileged access, and handle joiner/mover/leaver processes, in collaboration with IT and People teams.
• Oversee Reach’s vendor risk program, including due diligence, questionnaires, DPAs, and ongoing monitoring, while managing responses to security reviews from customers and prospects.
• Facilitate security awareness and training initiatives, including phishing simulations, ongoing role-targeted training, and regular company-wide sessions on emerging threats and best practices.
• Deliver consistent updates on security posture with meaningful metrics (MTTD/MTTR, patch latency, control coverage, phishing outcomes, audit readiness).
• Mentor your direct reports; manage the security budget and tool stack — evaluating, procuring, rationalizing, and retiring tools as the program develops.
• Minimum of 8 years in information security, with at least 3 years in a leadership role overseeing a security program or significant security function.
• Direct experience managing SOC 2 Type II audits from start to finish; PCI DSS experience is highly desirable.
• Demonstrated hands-on leadership of vulnerability management programs at scale.
• Experience in managing a relationship with an MSSP/MDR for SIEM and 24/7 SOC services.
• Solid application and cloud security fundamentals, with practical experience in AWS, GCP, or Azure, and the ability to engage credibly with engineering teams.
• Proven experience leading incident response efforts from start to finish, including cross-functional coordination and collaboration with external parties.
• Proficient in writing and operationalizing security policies in accordance with recognized frameworks (NIST CSF, ISO 27001, CIS Controls).
• Exceptional written and verbal communication skills — able to gain credibility with engineers, executives, auditors, and customers.
• Comfortable serving as a player-coach in a lean environment, demonstrating a strong sense of ownership and a proactive approach.
Additional Assets
• Experience in fintech, payments, or e-commerce — preferably with cross-border or merchant-of-record experience.
• Previous experience in establishing or scaling a security program at a growth-stage company.
• Familiarity with GRC/continuous compliance platforms (e.g., Vanta, Drata, Secureframe).
• Experience with AWS (our primary cloud) and the Atlassian suite (Jira, Confluence) for workflow and documentation.
• Formal experience in people management.
• Possession of relevant certifications (e.g., CISSP, CISM, CCSP).
• Competitive compensation
• Flexible remote work options
• Comprehensive benefits package
• Opportunity to establish and lead a security function
• Direct impact on a global commerce platform
• Health insurance coverage
• Retirement plans
• Paid time off
• Opportunities for professional development
• Performance bonuses