Head of Security and Compliance

About The Position

Requirements

• 12+ years in information security, with at least 4 years leading a security function.
• Personally led at least one company through SOC 2 (Type I and Type II) at a similar-stage company - not just "managed compliance at a larger company."
• Strong cloud security background, ideally GCP (AWS or Azure depth with willingness to ramp on GCP also works).
• Hands-on technical credibility. You can read a Terraform module, review an IAM policy, and have a substantive conversation about TLS configuration. Engineering directors will respect you because you understand what they do.
• Experience embedding security into modern engineering practices: GitHub workflows, CI/CD, IaC, secure SDLC.
• Demonstrated experience running vendor risk, incident response, and customer security questionnaire processes.
• Excellent written and verbal communication - you will be writing policies, responding to customers, and briefing the leadership, often in the same week.

Nice To Haves

• Direct experience with IoT, embedded, or connected device security (firmware signing, OTA security, device PKI).
• Familiarity with AI/ML security and governance: model risk, third-party LLM data handling, prompt injection, edge model integrity.
• Public sector or first-responder customer experience: CJIS, HIPAA, NG911, FedRAMP-adjacent procurement.
• Relevant certifications (CISSP, CISM, CCSP, GCP Professional Cloud Security Engineer). Certifications alone do not make a candidate; we care about what you have done.
• Experience taking a company through ISO 27001 or similar frameworks beyond SOC 2.

Responsibilities

• Define the security and compliance roadmap aligned with company goals, customer requirements, and the regulatory environment. Build the team over time.
• Own the end-to-end SOC 2 program: auditor relationship, compliance tooling (Vanta/Drata or equivalent), policy authoring, control implementation, evidence collection, and remediation.
• Partner with the Head of Cloud and Data engineering to mature GCP security posture: IAM, VPC and network design, KMS, Secret Manager, Security Command Center, Cloud Logging and detection engineering.
• Embed security into the SDLC for our cloud platform, web app, mobile apps, firmware, and edge AI components. Drive threat modeling, secure design reviews, SAST/SCA/secret scanning, and penetration testing.
• Partner with the Head of Firmware/IoT on device identity and provisioning, secure boot, signed firmware, OTA update security, code-signing key management, and device fleet hygiene.
• Partner with the Head of AI/ML to establish governance for models, training data, third-party LLM usage, prompt and output handling, and edge inference. Build a defensible AI risk story for customers and investors.
• Own SSO, MFA, least-privilege access, quarterly access reviews, MDM coverage, and endpoint protection across the company.
• Build and run the vendor risk program. Maintain sub-processor inventory, DPAs, and SOC 2 collection for critical vendors. Review AI/LLM vendor terms for data handling.
• Own the IR plan, BCP and DR plans. Run tabletop exercises and DR tests. Lead response on any material security incident.
• Be the executive owner of customer security questionnaires, security one-pagers, the trust page, and customer security calls. Support sales on enterprise and fire-department procurements.
• Lead security due diligence, and brief the senior leadership on security posture and risk on a regular cadence.
• Stay ahead of the regulatory landscape relevant to fire department customers: where applicable, CJIS, HIPAA (for EMS data), state breach notification laws, federal AI executive orders, and emerging IoT security regulation.

Benefits

• Comprehensive well-being program
• Flexible time-off policies