Security & Compliance Lead

What you'll own

• Access & identity management: Production access, service accounts, SSO, and the lifecycle of both - provisioning, periodic review, deprovisioning.
• SOC 2: Own the program end-to-end, mapping controls to our environment, driving evidence collection, and getting us through Type 1 and then Type 2 and other security frameworks.
• Customer trust: Own security questionnaires, RFP security sections, and the customer-facing trust narrative (trust center, security overview docs, DPAs).
• Infrastructure security: VM lifecycle and patching, baseline hardening, secrets management, vulnerability management, and cloud security posture.
• Security engineering (over time): Logging and monitoring, incident response runbooks, vendor security reviews, and partnering with engineering on secure design.

What we're looking for

• 5+ years in security or security-adjacent roles
• You've driven a SOC 2 audit - ideally owned one end-to-end, but if you ran the bulk of a program under a fractional CISO or security leader, that counts
• Comfortable in cloud environments (AWS, GCP, or Azure) and writing enough code or Terraform to automate access and infrastructure workflows
• You've owned customer security questionnaires and know how to make them faster
• Strong written communication

Nice to have

• A previous tour as the first or early security hire at a startup
• Experience with identity tooling (Okta, AWS IAM Identity Center, Teleport, ConductorOne)
• Experience with compliance platforms (Vanta, Drata, Secureframe)
• Other frameworks beyond SOC 2 (ISO 27001, HIPAA, FedRAMP)
• Background in security engineering, detection, or incident response