Head of Security

About the role

You’ll handle executive‑level strategy, build and run security controls, protect the business, and be the go‑to person for security across engineering, executives, auditors, and customers. The role is based in our dog‑friendly office in London.

What you’ll own

• Security strategy and roadmap: Shape the security strategy together with the VP – translating executive direction into realistic, technical plans. Own the security roadmap, deciding what to build, retire, or defer and why. Make day‑to‑day investment decisions on tooling, headcount, external services, and automation within the agreed envelope. Translate the roadmap into clear, executive‑readable funding proposals.
• Controls and protections: Deploy and run security controls across endpoints, network, cloud, identity, and applications. Ensure controls are operational, not just installed, through continuous validation. Partner with Engineering and IT to integrate controls early in the development lifecycle.
• Penetration testing and vulnerability management: Run regular external penetration testing for applications and infrastructure, triaging and closing findings. Own the vulnerability management program, covering scanning, prioritisation, SLAs, and closure. Collaborate with the Head of Compliance on audit evidence, ensuring clean data on both ends.
• Incident response: Own the incident response process end‑to‑end: detection, triage, containment, eradication, recovery, and post‑incident review. Run the on‑call model, playbooks, tabletop exercises, and necessary tooling. Be the person on‑scene during real incidents and author thorough post‑mortems.
• Threat intelligence and threat modelling: Establish a threat intelligence capability that captures incidents, near‑misses, industry reports, and telemetry. Create a threat intelligence data warehouse that informs decisions on threat modelling, control design, roadmap prioritisation, and simulations. Run threat modelling routinely, including automated AI‑driven modelling against designs, code, and infrastructure changes.
• Emerging threats: Maintain a forward view on threat landscapes, especially LLM‑related risks such as prompt injection and AI‑augmented vulnerability scanning. Proactively prepare the organization for future threats beyond current incidents. Translate insights into concrete roadmap items rather than slide decks.
• Security training and awareness: Deliver security‑specific training: phishing simulations, secure coding, threat modelling, incident response tabletop participation, and role‑based learning for sensitive material handling. Partner with Compliance to align training cadence and evidence, ensuring relevance to evolving threats. Ensure training is impactful, not merely tick‑box.
• Automation and AI: Identify recurring manual tasks for automation: triage, alert enrichment, vulnerability prioritisation, evidence gathering, threat modelling, and incident response runbooks. Extend existing tooling and fill gaps with scripts, workflows, or AI where appropriate. Use large language models responsibly for drafting, reviewing, analysing, and automating, while managing introduced risks. Treat the function’s operating model as a product, reducing manual rituals and enhancing coverage and speed.
• Security advisory: Serve as the go‑to for security questions across the business, including architecture reviews, vendor assessments, new product evaluations, acquisitions, and other risks. Provide engineers with clear, actionable guidance rather than policy references or ticket queues.

What we’re looking for

• Experience leading security in a regulated, payment‑centric, or healthcare environment.
• Hands‑on incident response experience with real incidents and authored post‑mortems.
• Deep understanding of modern attack surfaces across cloud, SaaS, identity, supply chain, and application.
• Experience building or significantly improving threat intelligence or threat modelling capabilities.
• Fluency with AI tools and a mindset that balances building automation against managing new risks.
• Comfort co‑owning strategy with a VP, challenging opinions, and aligning once a direction is set.
• Ability to engage effectively with engineers on technical depth and with executives on business framing.
• Bonus: experience in PCI environments, offensive security, or measurable reductions in manual security work through automation.

How you’ll work

You’ll lead a team from day one and work closely with the VP, Head of Compliance, IT, Engineering, Infrastructure, and Product on execution. Expect significant hands‑on involvement in tooling, incidents, and design reviews, not just management.

Inclusive workforce

We do not discriminate based on race, colour, religion, sex, sexual orientation, age, marital status, gender identity, national origin, disability, or any other legally protected characteristics in the location of application. All candidates will receive fair consideration for employment. We welcome accessibility requests for the interview process and beyond.