Engineering Manager - Security Engineering

About The Position

Requirements

• 7+ years of professional experience in security engineering.
• 3+ years in an engineering management or technical lead role with direct reports.
• Proven track record of building and scaling security teams in a cloud-native, SaaS environment.
• Deep technical fluency across at least two of the four pillars (Product Security, Infrastructure Security, D&R, GRC).
• Hands-on experience with major cloud platforms (AWS strongly preferred, GCP or Azure a plus) and infrastructure-as-code (Terraform, CDK, or equivalent).
• Experience owning or contributing to SOC 2 Type II, ISO 27001, or equivalent compliance programmes.
• Demonstrated ability to communicate security risk clearly to non-technical executives and board members.
• Experience running security incident response — from detection through containment, eradication, and post-mortem.

Nice To Haves

• Background in a high-growth B2B SaaS or cloud-communications company.
• Familiarity with VoIP, real-time communications, or telephony security considerations.
• Experience embedding Agentic AI practices into security engineering workflows and securing internal AI tooling and implementation.
• Relevant certifications: CISSP, CISM, AWS Security Specialty, GIAC (GWAPT, GCIA, GCIH), or equivalent.
• Experience running a Bug Bounty programme (HackerOne, Bugcrowd, or similar).
• Contributions to the open-source security community, conference speaking, or published research.
• Familiarity with DORA metrics and the relationship between deployment frequency and security posture.

Responsibilities

• Own the Secure Software Development Lifecycle (SSDLC) from threat modelling through to production deployment.
• Secure Agentic development practices by automating threat modeling, code reviews, internal pentesting and vulnerability remediation by building in-house security AI agents.
• Partner with engineering to embed security reviews, static analysis (SAST), dependency scanning (SCA), and secrets detection into CI/CD pipelines.
• Lead the Aircall Bug Bounty and Vulnerability Disclosure Program (VDP), triaging and remediating reports with engineering teams.
• Drive regular penetration testing cycles for web, mobile, and API surfaces; oversee remediation tracking.
• Champion a developer-centric security culture through security champions, training, and tooling that makes the secure path the easy path.
• Define and maintain the security architecture of Aircall's cloud infrastructure (AWS), with a strong emphasis on zero-trust, least privilege, and defence in depth.
• Own, maintain and expand security observability through CSPM, CNAPP and CWPP tools like Wiz.
• Enable agentic auto-remediations for security vulnerabilities.
• Own network segmentation, secrets management, certificate lifecycle, identity & access management (IAM), and workload isolation, and secure hosting of internal AI applications.
• Lead infrastructure hardening programs: CIS benchmarks, container security, Kubernetes policy enforcement (OPA), and immutable infrastructure practices.
• Manage the security posture of third-party SaaS tools and vendor risk assessments.
• Collaborate with Infrastructure engineering and Product Engineering on shared security responsibilities and runbooks.
• Build and mature Aircall's threat detection capability — SIEM tuning, alert triage playbooks, and investigation workflows.
• Own incident response: develop and test the IR plan, lead tabletop exercises, and act as incident commander for significant security events.
• Drive threat intelligence and threat hunting programs to stay ahead of adversaries targeting the cloud communications sector.
• Establish and track key security metrics: MTTD, MTTR, alert-to-incident conversion rates, and coverage gaps.
• Ensure 24×7 detection coverage through tooling, automation, and on-call rotations, balancing reliability and engineer wellbeing.
• Own and continuously improve Aircall's information security management program, aligned to SOC 2 Type II, and applicable data-protection regulations (GDPR, CCPA).
• Lead audit preparation and evidence collection for external certifications and customer security questionnaires.
• Maintain the corporate risk register for information security, presenting findings and remediation plans to senior leadership and the board as required.
• Define and enforce security policies, standards, and exception processes across the organisation.
• Act as the primary security liaison for enterprise customers, prospects, and partners conducting security due diligence.
• Lead, mentor, and grow a multi-disciplinary security team of 6–10 engineers across the four pillars.
• Run structured 1:1s, career-development conversations, and quarterly goal-setting aligned to company OKRs.
• Hire and onboard exceptional security talent; contribute to employer-branding initiatives in the security community.
• Create an environment where engineers feel psychologically safe to raise concerns, experiment, and learn from failures.
• Balance hands-on technical involvement with delegation — staying close enough to the work to be credible, but trusting the team to execute.
• Partner cross-functionally with Engineering leadership, Legal, People Ops, and Finance to align security initiatives with business priorities.

Benefits

• Competitive salary package & benefits
• Medical, dental, and vision insurance is 100% covered
• 401k plan with company matching!
• Unlimited PTO
• Wellness, internet, and childcare reimbursements
• Generous parental leave policy