Director of Security & IT

Circuit, Austin, TX

About The Position

Circuit is building the world's first manufacturing-focused AI knowledge and workflow platform. Our mission is to help industrial and manufacturing enterprises transform how they sell, support, and collaborate with their dealer, distributor, and customer networks by turning complex product data and documentation into actionable, intelligent workflows, from partner enablement to CPQ to technical support.

Backed by a senior team and early enterprise traction, we're moving fast, and we're looking for a Director of Security & IT to own and drive security, compliance, and IT across the company.

As Director of Security & IT, you will own Circuit's security posture end-to-end, across our application, infrastructure, and business systems. You will be the primary person responsible for keeping Circuit safe, compliant, and audit-ready, against traditional threats, AI-empowered adversaries, and the emerging risks that come with high-leverage use of AI across our own workflows and our customer-facing platform. You will report to the CTO and work closely with the infrastructure team and broader engineering org to find solutions that let us move fast without taking on unacceptable risk.

This is a hands-on individual contributor role at the director level. You will define policy and implement it. You will run threat models and fix the gaps you find.

Circuit operates in a high-trust enterprise environment where customers and partners scrutinize our security practices carefully. You will be the person they are scrutinizing – and you will need to be proud of what they find.

Requirements

  • Proven track record owning security end-to-end at a fast-moving technology company, not just advising but doing, from policy definition through hands-on implementation.
  • Deep knowledge of security compliance programs including SOC 2 Type II, with practical experience running audits and managing the evidence lifecycle. Familiarity with ISO 27001 and ISO 42001 is a plus.
  • Strong threat modeling and vulnerability assessment skills across both application and infrastructure attack surfaces, with working knowledge of industry frameworks including MITRE ATT&CK, MITRE ATLAS, NIST CSF, and OWASP, including the OWASP LLM Top 10 for agentic and AI-facing systems.
  • Practical understanding of security risks introduced by AI-assisted and autonomous development workflows, including agentic coding tools that operate with minimal human oversight. Experience reasoning about prompt injection, data exfiltration, and uncontrolled tool use in both development and production environments. Familiarity with NIST AI RMF is a plus.
  • Hands-on experience operating and tuning security tooling including EDR, SIEM, vulnerability scanners, and secrets management systems.
  • Solid IT operations background, including hands-on administration of both Google Workspace and Microsoft 365 environments, MDM, IdP management (e.g. Okta, Azure AD, Google Identity), and endpoint security.
  • Experience securing cloud infrastructure (AWS, GCP, or Azure), including network segmentation, IAM, and secrets management.
  • Experience with access control design and administration across SaaS and cloud platforms at the organizational level.
  • Working knowledge of supply chain security risks and practices, including dependency scanning, third-party risk management, and vendor assessments.
  • Ability to read and write code in one or more languages is required.
  • Ownership mindset. Takes responsibility for outcomes, not just activities. If something is broken and in scope, it gets fixed, not escalated.
  • Doer with good judgment. Knows when to move fast and when to slow down and think. Builds solutions that will hold up over time, not just pass the next audit.
  • Strong communicator. Can translate technical risk into business language for leadership, customers, and investors. Able to shape how the company talks about security externally, not just answer questions but help craft the narrative. Translates compliance requirements into practical engineering constraints for developers.
  • Collaborative by default. Earns influence through expertise and relationships rather than authority. Understands that sustainable security requires buy-in, not just mandates.
  • Hungry to grow. Excited to build something from a strong foundation rather than inherit a mature program. Motivated by the scope of the problem, not the size of the team.
  • High integrity. Handles sensitive information and access with discretion. Does not cut corners on things that matter.

Nice To Haves

  • Familiarity with ISO 27001 and ISO 42001 is a plus.
  • Familiarity with NIST AI RMF is a plus.
  • Direct application infrastructure experience is a plus (e.g. containers, Kubernetes, EKS, EC2).

Responsibilities

  • Own company-wide security and compliance, spanning application security, infrastructure security, and IT, including full ownership of audits and compliance programs, such as SOC 2, and future ISO 27001 and ISO 42001 certifications.
  • Define, write, implement, and enforce organization-wide security policies, standards, and controls, and ensure they are actually followed.
  • Lead security incident preparedness and response, owning the plan, the tooling, and the execution when something goes wrong.
  • Own supply chain security across the software lifecycle, including dependency risk, build pipeline integrity, and third-party code provenance. Assess and mitigate security risks introduced by the company's use of AI tooling in development workflows and by agentic AI execution in production.
  • Oversee and operate security monitoring infrastructure, including EDR, SIEM, and related tooling, and respond to what you find.
  • Own access control across the organization, including identity and access management, provisioning and deprovisioning, and privileged access governance.
  • Lead vendor security assessments and manage security and compliance obligations embedded in customer contracts.
  • Serve as a subject-matter resource in customer and investor conversations when questions arise about Circuit's security architecture, practices, or compliance posture.
  • Own the penetration testing program, coordinating external testers and driving remediation.
  • Conduct ongoing vulnerability assessments and threat modeling across both application and business systems.
  • Own IT infrastructure and operations across the organization, with sufficient depth across both Google and Microsoft ecosystems to support internal needs and customer-facing requirements.
  • Own security across Circuit's applications and application infrastructure. Engineering builds and operates these systems; you ensure they are secure and stay that way.
  • Drive near-term security priorities including Vanta deployment, device security hardening, and hardening of our infrastructure and business systems.
  • Partner with the go-to-market team and leadership to shape Circuit's external security narrative, including trust pages, security documentation, and customer-facing materials, ensuring they accurately reflect our practices and resonate with enterprise buyers.

Benefits

  • Competitive compensation
  • Equity
  • 100% paid healthcare
  • 401(k)
  • Flexible PTO
  • A team that truly cares
© 2024 Teal Labs, Inc