Closing Date : 31/03/2026

Head of Security (Security & IT Risk)

Position Responsibilities

We are hiring a Head of Security (Security & IT Risk) to own the company's security posture end-to-end across cloud, applications, identity/access, and third-party risk.
This is a hands-on leadership role focused on measurable risk reduction while enabling teams to move fast safely. You will define security standards, build guardrails through automation, lead incident response, and drive security maturity in a way that fits a high-growth environment.
You will work closely with Engineering, Platform/Infrastructure, Data, and Enterprise Systems to embed security into how the company builds and operates, and ensure we are ready for serious due diligence from enterprise partners.

1. Security ownership and leadership
  • Own and maintain the company security risk register (top risks, owners, timelines, and remediation tracking).
  • Define and drive the security strategy and roadmap (capabilities, guardrails, and maturity) across cloud, app security, IAM, and security operations.
  • Act as the single point of accountability for security incidents, including triage, coordination, post-incident reviews, and remediation tracking.
  • Report security posture and risk trends to leadership with clear actions, owners, and decisions needed.
2. Security policy, standards, and enforcement
  • Define and maintain practical, risk-based security policies and standards aligned with business and delivery realities.
  • Translate security policies into technical guardrails and automated controls, in close collaboration with Platform, Infrastructure, and Engineering teams.
  • Ensure security standards are implemented primarily through systems and tooling, not manual approvals or documentation-heavy processes.
  • Establish clear processes for risk acceptance, policy exceptions, and escalation, with appropriate transparency to leadership.
  • Monitor adherence to security standards and drive remediation through collaboration and prioritisation, not gatekeeping.
3. Cloud, platform, and access security
  • Define cloud security patterns for IAM, networking, secrets management, logging, and monitoring.
  • Partner with Platform/Infrastructure to harden environments without creating delivery bottlenecks.
  • Own access governance, including joiner/mover/leaver controls, access reviews, and least-privilege enforcement.
4. Data protection & production access
  • Own data protection standards: data classification, encryption-at-rest/in-transit, key management, and secrets handling.
  • Define and enforce strict production data access controls (least privilege, approvals, time-bound access, audit trails).
  • Ensure logs and telemetry do not leak sensitive data (PII masking, token/credential scrubbing).
5. Security monitoring, detection & response maturity
  • Build practical detection coverage using cloud logs, app signals, and alerting so we can detect and respond early.
  • Improve incident readiness through tabletop exercises and measurable response improvements (time-to-detect, time-to-contain).
  • Drive measurable security telemetry outcomes (e.g., detect X within Y minutes).
  • Own the approach for security logging and SIEM/alerting design to ensure actionable detection, not noise.
6. Vulnerability & remediation management
  • Own vulnerability management across cloud, endpoints, containers, code, and dependencies (SAST/DAST/SCA).
  • Define remediation SLAs (Critical/High/Medium) and drive closure with Engineering and Platform teams.
  • Ensure recurring issues are eliminated via guardrails, automation, and secure-by-default patterns.
  • Embed security into CI/CD and engineering workflows (secure SDLC) with minimal friction.
7. Third-party & SaaS risk management
  • Own third-party/vendor security assessment and onboarding requirements (e.g., payment, POS, loyalty, analytics, CDP).
  • Ensure contracts/SLA/security requirements cover real operational risks (support, access, breach notification, DR assumptions).
8. Incident response and readiness
  • Own the security incident response framework, playbooks, and escalation paths.
  • Lead or coordinate response to security incidents calmly and decisively.
  • Ensure lessons learned translate into concrete improvements.
9. Governance, risk and audit readiness
  • Build and maintain lightweight security governance suitable for a growing organisation.
  • Drive audit and due-diligence readiness (for enterprise customers and future IPO expectations).
  • Maintain security policies, evidence and controls in a state that is always inspection-ready.
10. Enablement and collaboration
  • Embed security into engineering and operational workflows through guidance, patterns, and automation.
  • Act as a trusted partner to Engineering and Platform teams, not a gatekeeper.
  • Raise security awareness pragmatically, focusing on behaviours that materially reduce risk.
11. Team development
  • Manage and mentor the security function.
  • Define and execute the security hiring/scaling plan based on risk, growth, and delivery needs.

Decision Rights (Important)
  • Security owns security standards, minimum controls, and enforcement through automated guardrails.
  • Security may block or pause production changes only for Sev1 security risks (e.g., exposed credentials, active exploitation, material data exposure), with escalation to CTO within the same day.
  • All other risk trade-offs are resolved via documented risk acceptance with clear owners and timelines.

Qualification and Experience
  • 8+ years in information security, security engineering, or platform security roles.
  • Strong hands-on experience securing AWS or similar cloud environments.
  • Proven experience handling real security incidents in production.
  • Solid understanding of application security for APIs, web, and mobile systems.
  • Experience building pragmatic security practices in fast-moving organisations.
  • Strong stakeholder management and communication skills.
  • Has led security across a real production environment (not just advisory work).
  • Has personally driven at least one major security uplift (IAM, segmentation, logging, hardening, incident readiness).
  • Comfortable presenting risk to C-level and translating security into business impact.
  • Experience with SOC 2, ISO 27001, or similar frameworks.
  • Familiarity with CSPM, SIEM/log analysis, vulnerability management, and secrets tooling.
  • Exposure to hardware, IoT, or operational technology security.
  • Experience with PCI-style thinking / payment security exposure (even if not fully PCI certified).
  • Experience working with mobile + APIs (fraud/abuse is a huge real-world risk for retail apps).