Information Security & Compliance Leader

Northslope Technologies Inc., New York, NY
Hybrid

About The Position

Northslope operates at the intersection of AI and mission-critical software development for enterprise and defense organizations. We work across jurisdictions and under complex contractual security requirements. Our compliance posture must scale alongside our ambition. We have achieved ISO 27001, SOC 2 Type II, and Cyber Essentials Plus certification. We are now hiring our first dedicated security leader to own and evolve the program, and to serve as a security architecture partner to our product and delivery teams. This role is accountable for everything at the intersection of security, compliance, and customer trust. You will maintain and mature our certification portfolio, lead customer security diligence, and define governance around AI and SaaS usage. Just as importantly, you will be embedded in how we build and deploy software for customers, ensuring the systems we ship are actively secure and that we are protecting our customers’ information as rigorously as our own. In a world where the attack and leak surface is taking on new dimensions as we field AI capabilities and partner with machines to build production software, this work has never been more urgent. You will partner closely with product engineering, delivery teams, and operations on technical risk, secure architecture, and compliance strategy. You will own our compliance platform and vendor relationships, and serve as the internal and external face of Northslope’s security program. We are not looking for security theater. We are building durable, scalable security that protects the company and our customers without creating unnecessary friction.

Requirements

  • Proven Program Ownership: You have built or significantly matured an information security program at a company of comparable size and complexity. You have owned a GRC platform like Vanta and know how to operationalize it. You are comfortable being the accountable owner.
  • Multi-Framework Expertise: You have led SOC 2 and ISO 27001 engagements and have meaningful exposure to HIPAA, CMMC, or Cyber Essentials. You understand framework overlap and build unified programs rather than treating each certification as a separate initiative.
  • Technical Credibility: You can design security into cloud-native platforms and production software, not just audit them after the fact. You understand multi-tenant data isolation, secure SDLC, and identity architecture at a systems level. Engineers trust your judgment because you’ve shipped alongside them, not because you’ve blocked them.
  • Pragmatic Security Mindset: You focus on protecting the business and its customers, not accumulating certifications. You understand that in a forward-deployed engineering model, security extends to the systems we build and operate for customers, not just our internal environment. You know how to get to yes.
  • Secure Product Development Experience: You have defined security architecture for a product or platform, not just an internal IT environment. You’ve done threat modeling, designed data isolation patterns, defined secure SDLC practices, or owned security reviews in a CI/CD pipeline. You’re comfortable in a codebase, even if you’re not writing features.
  • AI-Era Security Awareness: You are thinking actively about the security implications of AI-assisted software development: code generated by AI agents, data flowing through model APIs, prompt injection risks, and the expanding attack surface that comes with using AI to build production software. You don’t need to have all the answers, but you need to be asking the right questions and helping the team navigate uncharted territory.
  • Delivery-Embedded Security: You want to be involved in how we build and deploy software for customers, not just how we protect our own systems. You’re energized by working alongside engineering and delivery teams to ensure the systems we ship are secure by design.
  • Executive-Level Communication: You can clearly articulate risk to employees, customers, legal teams, and auditors. You translate technical complexity into business impact.
  • High Ownership Mentality: You operate independently, close gaps end-to-end, and build scalable systems in environments that are evolving quickly. You embrace a ‘nothing is beneath you’ attitude, tackling any task necessary to achieve the desired outcomes.

Responsibilities

  • Certification & Framework Leadership: Own and mature Northslope’s SOC 2, ISO 27001, Cyber Essentials Plus, HIPAA, and CMMC programs. Build a unified control environment that scales globally. Embed security requirements directly into our platform architecture from the start, so compliance is a product feature rather than an afterthought.
  • Secure Platform Architecture: Partner closely with our product engineering team as a security architect. Define and enforce security patterns across our platform’s multi-agent orchestration layer, data isolation model, and customer-facing deployment surfaces. Own threat modeling for new platform capabilities and ensure our architecture meets the security bar required by enterprise and defense customers out of the box.
  • Customer-Facing Security & Trust: Lead all third-party risk assessments, security questionnaires, and audit engagements. Ensure our platform’s architecture and documentation make it easy to demonstrate compliance to customers. Represent Northslope’s security posture credibly to enterprise buyers, auditors, and legal teams, treating security as a commercial asset that accelerates deal velocity.
  • AI & SaaS Governance: Establish governance over AI tools and SaaS used in both internal operations and customer engagements. Define guardrails for how our platform’s AI components handle customer data, including data residency, model access controls, and audit trails. Proactively assess emerging risks as the AI landscape evolves.
  • Identity, Access & Tenant Isolation: Own access control strategy across Northslope’s internal systems (SSO, Okta, provisioning/deprovisioning) and across our platform’s multi-tenant architecture. Define how customer data, workspaces, and third-party integrations are isolated. Ensure least-privilege access for both employees and system-level service accounts.
  • Governance, Incident Readiness & Secure SDLC: Own and evolve the ISMS, security awareness training, incident response, and business continuity. Define and enforce secure development lifecycle practices for our platform codebase, including dependency management, secret handling, code review security gates, and vulnerability remediation SLAs. Serve as the primary escalation point for security events across both internal systems and the platform.
  • Vendor Risk, Background Checks & TechOps Partnership: Lead background check compliance across the US and UK. Oversee third-party vendor risk management, including export controls and data residency. Define device and endpoint security standards in partnership with TechOps. Evaluate and approve third-party services integrated into our platform infrastructure, ensuring they meet the same security bar as our own systems.

Benefits

  • Competitive base salary + equity in the form of stock options
  • Comprehensive benefits package including health insurance (inclusive of dental and vision) and 401k matching
  • Flexible hybrid work environment
  • The opportunity to build solutions, systems, and software from the ground up as we scale
  • A small, tight-knit team where your contributions directly impact our ability to execute on our mission
  • Occasional travel (less than 10% of your time) for company offsites where you'll connect with teams across our New York and London hubs