Glimpse

Software Engineer

💰 $120,000 - $180,000 🌍 New York, New York 📅 07/18/2024

Security & Compliance Lead

💰 $150,000 - $225,000 🌍 New York, New York 📅 06/10/2026

Job Description

About the role

We're a fast-growing startup with a small but talented engineering team, and we're hiring our first Security & Compliance Lead to build the foundation for our security program. This is a high-ownership, high-autonomy role with a broad mandate: you'll own the security and compliance surface end-to-end, from access management and SOC 2 to infrastructure security and customer trust. You'll report to the CTO with full ownership of the security and compliance domain.

In year one, the work skews toward access management, SOC 2, and customer-facing security. Over time, the role grows into broader security engineering: monitoring, incident response, vendor risk, and architecture review.

If you've built a security program from scratch before and liked it, you'll recognize this job. If you want to build something from the ground up rather than slot into an existing program, read on.

What you'll own

- Access & identity management. Production access, service accounts, SSO, and the lifecycle of both: provisioning, periodic review, deprovisioning.
- SOC 2. You'll own the program end-to-end, mapping controls to our environment, driving evidence collection, and getting us through Type 1 and then Type 2 and other security frameworks.
- Customer trust. You'll own security questionnaires, RFP security sections, and the customer-facing trust narrative (trust center, security overview docs, DPAs).
- Infrastructure security. VM lifecycle and patching, baseline hardening, secrets management, vulnerability management, and cloud security posture.
- Security engineering (over time). Logging and monitoring, incident response runbooks, vendor security reviews, and partnering with engineering on secure design.

What we're looking for

- 5+ years in security or security-adjacent roles
- You've driven a SOC 2 audit, ideally owned one end-to-end, but if you ran the bulk of a program under a fractional CISO or security leader, that counts
- Comfortable in cloud environments (AWS, GCP, or Azure) and writing enough code or Terraform to automate access and infrastructure workflows
- You've owned customer security questionnaires and know how to make them faster
- Strong written communication

Nice to have

- A previous tour as the first or early security hire at a startup
- Experience with identity tooling (Okta, AWS IAM Identity Center, Teleport, ConductorOne)
- Experience with compliance platforms (Vanta, Drata, Secureframe)
- Other frameworks beyond SOC 2 (ISO 27001, HIPAA, FedRAMP)
- Background in security engineering, detection, or incident response