[Hiring] Head of Security @Protege

Role Description

We're hiring our first Head of Security to own security end-to-end: strategy, architecture, operations, and culture. This is a hands-on leadership role and you won't have a large team beneath you (yet), so you need to be comfortable building the program from the ground up while still getting into the technical weeds. You'll report directly to the VP of Engineering and work closely with engineering, product, and legal. This is a high-impact role where you'll shape how we earn and keep the trust of AI companies and our data partners.

What You’ll Do:

• Mature the Security & Compliance Program
  • Audit and improve the existing security program by identifying gaps, prioritizing improvements, and bringing more structure to what exists.
  • Formalize security policies and frameworks appropriate for our stage.
  • Own and evolve our compliance posture. We have SOC 2 Type II in place and you'll maintain it, improve our controls, and provide automation wherever needed.
  • Ensure compliance with HIPAA and other healthcare data regulations, and build a robust PHI protection program.
• Protect the Data Pipeline
  • Secure the end-to-end lifecycle of training data which includes ingestion, processing, storage, preparation, and delivery.
  • Partner with engineering to embed security into CI/CD pipelines, cloud infrastructure, and data workflows.
• Be Technical and Hands-On
  • Conduct threat modeling, architecture reviews, and code-level security assessments.
  • Lead incident response when things go wrong.
  • Evaluate and deploy security tooling.
• Enable the Business
  • Translate security risks into business language for the executive team and board.
  • Serve as the security face to customers, fielding security questionnaires, supporting sales cycles, and building trust with AI company partners and customers.
  • Build a security-aware culture across the company through training and lightweight processes that don't slow teams down.
• Scale the Function
  • Decide what to build, what to buy, and what to outsource.
  • Set the roadmap for how security evolves from Series A through a rapid growth stage.

What Success Looks Like:

• 30 days: Learn and Assess
  • Complete a thorough audit of the existing security program, infrastructure, tooling, and policies.
  • Meet with every team lead to understand their workflows, data handling practices, and where security creates friction or blind spots.
  • Review our SOC 2 Type II and HIPAA controls and identify areas where we're passing but brittle vs. areas that are solid.
  • Map the full training data lifecycle end-to-end from a security and risk perspective.
• 60 days: Prioritize and Start Building
  • Present a security roadmap with quick wins (first 90 days) and longer-term initiatives (6–12 months), tied to business risk, not just best practices.
  • Close the highest-severity gaps identified in your assessment.
  • Upgrade incident response program.
  • Establish yourself as the go-to security partner for engineering.
  • Identify the highest-leverage automation opportunities.
• 90 days: Fully Own
  • You've taken full ownership of our SOC 2 compliance cycle and have a plan for any additional certifications or frameworks the business needs.
  • You've fielded at least one customer security review or questionnaire and can represent our posture confidently to prospects.
  • The team sees security as an enabler, not a bottleneck.
  • At least one meaningful security workflow has been automated.
  • The security roadmap is in execution with measurable progress.

Qualifications

• 8+ years in security roles, with at least 2 years in a leadership capacity.
• Deep technical foundation: you've worked as or alongside engineers and can credibly review architecture, infrastructure, and code.
• Experience building or significantly maturing a security program at an early-stage or high-growth company (not just maintaining one at a large enterprise).
• Strong understanding of cloud security (AWS, GCP, or Azure), identity/access management, and data protection at scale.
• Hands-on experience with compliance frameworks (SOC 2, ISO 27001). You’ve maintained certifications and know how to expand scope without over-engineering the problem.
• Hands-on experience with HIPAA compliance.
• Comfort operating as an individual contributor and a leader simultaneously.

Nice to Haves

• Experience securing data pipelines or working with data-intensive platforms.
• Experience working in a data infrastructure company.
• Background in AI/ML or companies selling to technical buyers.
• Experience with data provenance, lineage tracking, or data governance in ML contexts.
• Familiarity with supply chain security.
• Prior experience as a customer-facing security leader.