[Hiring] Head of Security @Reach
Salary unspecified
Remote Location
Employment Type full-time
Posted 2d ago

2d ago - Reach is hiring a remote Head of Security. 💸 Salary: unspecified 📍Location: Worldwide

Role Description

We’re looking for a Head of Security to own and lead information security at Reach. This is a hands-on leadership role: you will set the strategy, own the program end-to-end, and stay actively in the work alongside your team. In a given week you might be writing a policy, triaging a pen test finding, running a phishing campaign, responding to a customer security questionnaire, and presenting the quarterly security update to leadership.

The right person is energized by owning an entire domain end-to-end, is comfortable moving between strategy and execution, and is equally credible with a senior engineer and a SOC 2 auditor. You believe security is most effective when it is practical, measurable, and built into how the business operates.

Key Responsibilities

  • Vulnerability management and offensive testing: Own the vuln lifecycle end-to-end — intake, triage, prioritization, risk acceptance, ticketing to dev teams, and remediation within SLA — and manage external pen tests and targeted assessments. Report regularly on status, SLA performance, and trends.
  • Security operations and incident response: Manage our MSSP partner for 24/7 SIEM and SOC monitoring; ensure telemetry, detections, and playbooks match our threat model. Serve as incident commander for real events, and run regular tabletops and post-incident reviews.
  • Policy, controls, and risk: Define and maintain Reach’s security policies and control framework. Design, implement, and measure the effectiveness of controls; maintain a risk register; and surface material risk decisions to leadership.
  • Compliance and audits: Own SOC 2 Type II and PCI DSS end-to-end with continuous control monitoring and evidence collection between audits. Serve as the primary contact for external auditors.
  • Application and cloud security: Partner with engineering on secure SDLC, threat modeling for new products and features, SAST/DAST/SCA coverage, and cloud security posture (IAM, configuration, workload protection).
  • Identity and access management: Own IAM policy, periodic access reviews, privileged access, and joiner/mover/leaver processes, in partnership with IT and People.
  • Third-party and customer security: Run Reach’s vendor risk program (due diligence, questionnaires, DPAs, ongoing monitoring) and own responses to customer and prospect security reviews.
  • Security awareness and training: Run phishing simulations, ongoing and role-targeted training, and regular company-wide sessions on new threats and best practices.
  • Executive reporting: Provide regular security posture updates with meaningful metrics (MTTD/MTTR, patch latency, control coverage, phishing outcomes, audit readiness).
  • People, budget, and tooling: Act as a mentor for your report; own the security budget and tool stack — evaluating, procuring, rationalizing, and retiring tools as the program matures.

Qualifications

  • 8+ years in information security, with 3+ years leading a security program or a major security function.
  • Direct experience owning SOC 2 Type II audits end-to-end; PCI DSS experience strongly preferred.
  • Proven, hands-on ownership of vulnerability management programs at scale.
  • Experience managing an MSSP/MDR relationship for SIEM and 24/7 SOC.
  • Strong application and cloud security fundamentals, with hands-on experience in AWS, GCP, or Azure, and the ability to partner credibly with engineering.
  • Experience leading incident response end-to-end, including cross-functional coordination and working with external parties.
  • Experience writing and operationalizing security policies against recognized frameworks (NIST CSF, ISO 27001, CIS Controls).
  • Excellent written and verbal communication — credible with engineers, executives, auditors, and customers.
  • Comfortable as a player-coach in a lean environment, with a strong sense of ownership and bias for action.

Additional Assets

  • Experience in fintech, payments, or ecommerce — ideally cross-border or merchant-of-record.
  • Prior experience standing up or scaling a security program at a growth-stage company.
  • Familiarity with GRC/continuous compliance platforms (e.g., Vanta, Drata, Secureframe).
  • AWS experience (our primary cloud) and Atlassian suite (Jira, Confluence) for workflow and documentation.
  • Formal people-management experience.
  • Relevant certifications (e.g., CISSP, CISM, CCSP).

Benefits

  • Competitive compensation
  • Flexible remote work
  • Comprehensive benefits
  • Opportunity to build and own a security function
  • Direct impact on a global commerce platform

Our Core Values

  • We value solving problems and building products by focusing on outcomes
  • We value making decisions while considering input from multiple sources
  • We value taking action over getting stuck in planning
  • We value taking chances and failing fast
  • We value teamwork over individual accomplishments
  • We value optimizing time to value and achieving outcomes, not checking boxes
  • We value work/life balance and a mindset of “it’s a marathon, not a sprint”
  • We value using the right technology to solve the right problems

Apply with your CV and a brief cover letter outlining your security leadership experience and your interest in joining Reach.
