Head of Security

Security Engineer | Full Time | Remote

Location

United States

Posted

12 days ago

Salary

Not specified


Job Description



Role purpose


Own the organization’s security posture end-to-end. The Head of Security sets strategy,
standards and day-to-day execution across information security, application security,
infrastructure security and (where applicable) physical security. The role balances risk reduction
with business enablement - making security practical, measurable and scalable.

Key responsibilities

1) Security strategy & governance
● Define and maintain the security strategy, roadmap and operating model aligned to the
business goals.
● Establish security policies, standards and secure-by-default guardrails.
● Define and enforce data protection and encryption standards.
● Create security metrics/KPIs and executive reporting.

2) Risk management
● Run an enterprise risk assessment process.
● Assess and prioritize risks across systems, vendors and business processes.
● Own security exception handling and ensure compensating controls are documented
and monitored.

3) Incident response & resilience
● Own the incident response program: playbooks, on-call procedures, tabletop exercises,
evidence handling, postmortems.
● Lead response to security incidents (containment, eradication, recovery) and coordinate
internal/external stakeholders.
● Improve resilience through backups, disaster recovery testing and security
monitoring/alerting.

4) Security operations
● Implement and oversee controls such as IAM, MFA, least privilege, endpoint security,
patching and secure configuration baselines.
● Operate vulnerability management (scanning, triage, remediation SLAs) and penetration
testing coordination.
● Protect and monitor sensitive data: implement and operate controls to prevent
unauthorized access, misuse or exfiltration.
● Maintain logs/SIEM, detection engineering and continuous monitoring where
appropriate.

5) Product & application security
● Embed security into SDLC: secure coding standards, code scanning, dependency
management, secrets handling, CI/CD controls.
● Perform/enable threat modeling and security reviews for new features and architectural
changes.
● Drive remediation of application and infrastructure findings with engineering teams.

6) Vendor & third-party security
● Own third-party risk management: due diligence, security questionnaires,
contract/security addendums, ongoing monitoring.
● Ensure vendors meet security requirements and that data-sharing is controlled and
auditable, including encryption and data handling expectations for sensitive data.

7) Security culture & training
● Build a strong security culture via training, phishing simulations and clear processes.

8) Budget, team & leadership
● Build and manage the security budget (tools, vendors, staffing) and justify investments
based on risk and ROI.
● Hire, develop and manage security staff and/or MSSP relationships.
● Establish clear SLAs and service ownership across security domains.

Required experience & skills
● Strong understanding of cloud security (AWS/Azure/GCP), IAM, network security and
endpoint security.
● Strong understanding of data protection and encryption practices.
● Proven incident response leadership and ability to manage crisis communications.
● Ability to translate technical risk into business impact and make pragmatic
recommendations.
● Experience building security programs, policies and metrics from scratch or scaling
them.
● Strong stakeholder management, vendor negotiation and executive communication



Location

Remote


Department

IT


Employment Type

Full-Time


Minimum Experience

Manager/Supervisor

