Head of Security (NYC / MIA)

Crossmint, New York, NY
$210,000 - $250,000, Hybrid

About The Position

We are hiring a Head of Security to build and own Crossmint's security function as we enter a new phase of scale and regulatory maturity. This is a player-coach role: you will set strategy and own the program at the highest level, while remaining deeply capable of operating hands-on when the situation demands it. No delegation without comprehension.

This role carries wide scope. You will be responsible for Crossmint's overall security posture, from application and infrastructure security to corporate IT, from vendor and third-party risk to regulatory audit readiness. You will manage our Senior DevSecOps Engineer and work closely with Engineering, Compliance, Legal, and Ops, as well as our external security partners, serving as the internal authority on all things security for the leadership team.

Crossmint operates at the intersection of fintech and crypto infrastructure, under a growing regulatory framework (SOC 2, DORA, MiCA) and in an increasingly adversarial environment with AI. Security at Crossmint is not a cost center: it is a product differentiator and a requirement to operate. This role reflects that.

Requirements

  • 8+ years in security, with at least 3 years in a security leadership or program ownership role.
  • Deep technical fluency in cloud security, application security, and CI/CD security. This is not a policy-only role.
  • Demonstrated experience owning a security compliance program end-to-end through at least one major audit cycle: SOC 2 Type II strongly preferred.
  • Software engineering degree or software engineering experience that makes up for it.
  • Deep familiarity with the latest AI / agentic tools.
  • Prior experience in fintech, payments, or similarly regulated industries, where concepts like treasury management aren't foreign and security failures carry direct consequences for licensing, customer trust, and business continuity.
  • Strong written and verbal communication skills, including the ability to brief executive and board-level stakeholders on risk without unnecessary jargon.
  • Experience managing or mentoring security engineers.
  • Ability to work flexible hours if an incident arises.

Nice To Haves

  • Familiarity with DORA, MiCA, or EU financial services regulatory frameworks.
  • Experience with crypto or blockchain security threat models.
  • Track record of building a security function from an early or formative stage.
  • CISSP, CISM, or equivalent certification.

Responsibilities

  • Define and own Crossmint's security strategy, including roadmap prioritization, risk posture, and security investment decisions.
  • Operate fluidly across scope levels: board-level risk briefings one hour, hands-on threat model review the next.
  • Establish and maintain a security program that scales with the company, not one that creates drag on product velocity.
  • Report to co-founders on security posture, risk landscape, and program progress.
  • Maintain deep technical fluency across cloud security (AWS primary), application security, CI/CD security, and endpoint and corporate IT.
  • Review architecture decisions, new product features, and infrastructure changes for security implications before they ship.
  • Conduct or lead threat modeling exercises across product and infrastructure domains.
  • Step in as a hands-on practitioner during incidents, complex vulnerability analysis, or high-stakes security reviews where direct expertise is required.
  • Own security's relationship with auditors, regulators, and compliance frameworks including SOC 2 Type II, DORA, and MiCA-related security requirements.
  • Lead audit preparation cycles: scope definition, evidence readiness, control documentation, and auditor-facing communication.
  • Maintain audit-ready posture year-round, not as a sprint before each audit window.
  • Partner with the Compliance function to ensure security controls satisfy both regulatory requirements and practical risk management objectives.
  • Own the security review process for new vendors, integrations, and third-party relationships.
  • Manage relationships with external security partners including our third-party audit firms and 24/7 incident response provider.
  • Define and oversee our external penetration testing and security assessment program.
  • Manage and develop the Senior DevSecOps Engineer, with the expectation of growing the security team over time.
  • Serve as the internal authority on security for Engineering, Product, Compliance, Legal, and People Ops.
  • Drive security awareness and culture across the company without creating friction that slows down product teams.
  • Communicate risk clearly to non-technical leadership, translating technical realities into business decisions.

Benefits

  • Extensive access to leading AI tools and subscriptions, with AI actively encouraged and integrated into daily workflows.
  • Two performance reviews annually.
  • Stock options are part of every full-time offer.
  • Unlimited, flexible PTO.
  • Parental Leave program.
  • Flexible work schedule.
  • Company laptop and allowance for any necessary home equipment.
  • Daily stipend for commuting to the office and/or meals.
  • Three company-paid off-sites per year.
  • Health, dental, vision, life, short-term disability (STD), and long-term disability (LTD) insurance.
  • 401(k) Plan.