
Head of Security & Risk
Posted Jun 20

This is a fully remote position, open to applicants in New York.
• Develop M0's enterprise risk program from the ground up, addressing security, operational, regulatory, and counterparty risks, which includes the risk register, annual assessments, scenario analyses, and escalation framework across all entities.
• Oversee M0's compliance status across SOC 2, ISO 27001, and other relevant frameworks — managing all non-technical workstreams (policy creation, auditor coordination, vendor risk assessments, access reviews, third-party SaaS vendor evaluations) to ensure the organization remains audit-ready at all times.
• Create and sustain M0's incident response framework, ISMS documentation, and security policies — manage external security vendor partnerships, conduct tabletop exercises related to incident response, business continuity planning, and disaster recovery scenarios, and lead the selection process for a security advisory firm for on-call support.
• Act as M0's primary liaison for institutional partner security due diligence and incoming security questionnaires, develop and maintain a reusable documentation package for responding to partner requests, and collaborate with Senior Counsel on information security representations in commercial agreements.
• Design and manage M0's security awareness training program, ensuring all employees are aware of their security responsibilities, and foster a proactive security culture across engineering, operations, legal, and business teams.
• 7–10 years of experience in information security, risk management, governance, risk and compliance (GRC), or compliance operations, with significant ownership, preferably in fintech, crypto infrastructure, or B2B SaaS sectors.
• Proven history of establishing a compliance certification program from scratch, extensive knowledge of compliance and regulatory frameworks, including hands-on implementation of SOC 2, ISO 27001, CMMC, HIPAA, GDPR, NIST 800-53, etc.
• Practical experience with GRC automation tools (such as Vanta, Drata, or similar), cloud security environments (AWS preferred), and the design of business continuity planning/disaster recovery (BCP/DR) programs.
• Demonstrated experience managing external audit relationships from start to finish (including auditors, penetration testing firms, and compliance vendors) and proficiently handling evidence collection and report generation.
• Fundamental understanding of AWS, GCP, and Azure, including incorporating security controls into DevOps workflows and Infrastructure as a Service (IaaS) deployments.
• Preferred certifications include Cloud+, CySA+, CISSP, or CISM.
• Global team and flexibility: Become part of a truly global team with the option to work remotely or from one of our locations in NYC or Berlin.
• Health and wellness: Access comprehensive healthcare insurance coverage along with a wellbeing allowance and gym membership to promote your physical and mental health.
• Customizable IT setup: Personalize your workspace with access to high-quality IT equipment.
• Professional development: Take advantage of an annual development budget to enhance your skills and advance your career, including opportunities to attend conferences and participate in on-site company events globally.