Job Title


Head of Security


Company : With Reach UK Ltd


Location : Calgary, Alberta


Created : 2026-04-29


Job Type : Full Time


Job Description

About Reach

At Reach, we believe that the global ecommerce space is ripe for disruption. Our strategic partnerships with currency exchange providers allow us to offer direct and guaranteed, real-time currency exchange rates. We help retailers grow by understanding global consumers and how changes in their shopping experience affect their business.

Role Overview

We're looking for a Head of Security to own and lead information security at Reach. This is a hands-on leadership role: you will set the strategy, own the program end-to-end, and stay actively in the work alongside your team. In a given week you might be writing a policy, triaging a pentest finding, running a phishing campaign, responding to a customer security questionnaire, and presenting the quarterly security update to leadership.

The right person is energized by owning an entire domain end-to-end, is comfortable moving between strategy and execution, and is equally credible with a senior engineer and a SOC 2 auditor. You believe security is most effective when it is practical, measurable, and built into how the business operates.

Key Responsibilities

Vulnerability management and offensive testing: Own the vulnerability lifecycle end-to-end (intake, triage, prioritization, risk acceptance, ticketing to dev teams, and remediation within SLA) and manage external pen tests and targeted assessments. Report regularly on status, SLA performance, and trends.

Security operations and incident response: Manage our MSSP partner for 24/7 SIEM and SOC monitoring; ensure telemetry, detections, and playbooks match our threat model. Serve as incident commander for real events, and run regular tabletops and post-incident reviews.

Policy, controls, and risk: Define and maintain Reach's security policies and control framework. Design, implement, and measure the effectiveness of controls; maintain a risk register; and surface material risk decisions to leadership.

Compliance and audits: Own SOC 2 Type II and PCI DSS end-to-end with continuous control monitoring and evidence collection between audits. Serve as the primary contact for external auditors.

Application and cloud security: Partner with engineering on secure SDLC, threat modeling for new products and features, SAST/DAST/SCA coverage, and cloud security posture (IAM, configuration, workload protection).

Identity and access management: Own IAM policy, periodic access reviews, privileged access, and joiner/mover/leaver processes, in partnership with IT and People.

Third-party and customer security: Run Reach's vendor risk program (due diligence, questionnaires, DPAs, ongoing monitoring) and own responses to customer and prospect security reviews.

Security awareness and training: Run phishing simulations, ongoing and role-targeted training, and regular company-wide sessions on new threats and best practices.

Executive reporting: Provide regular security posture updates with meaningful metrics (MTTD/MTTR, patch latency, control coverage, phishing outcomes, audit readiness).

People, budget, and tooling: Act as a mentor for your report; own the security budget and tool stack, evaluating, procuring, rationalizing, and retiring tools as the program matures.

Qualifications

8+ years in information security, with 3+ years leading a security program or a major security function.

Direct experience owning SOC 2 Type II audits end-to-end; PCI DSS experience strongly preferred.

Proven, hands-on ownership of vulnerability management programs at scale.

Experience managing an MSSP/MDR relationship for SIEM and 24/7 SOC.

Strong application and cloud security fundamentals, with hands-on experience in AWS, GCP, or Azure, and the ability to partner credibly with engineering.

Experience leading incident response end-to-end, including cross-functional coordination and working with external parties.

Experience writing and operationalizing security policies against recognized frameworks (NIST CSF, ISO 27001, CIS Controls).

Excellent written and verbal communication, credible with engineers, executives, auditors, and customers.

Comfortable as a player-coach in a lean environment, with a strong sense of ownership and bias for action.

Additional Assets

Experience in fintech, payments, or ecommerce, ideally cross-border or merchant-of-record.

Prior experience standing up or scaling a security program at a growth-stage company.

Familiarity with GRC/continuous compliance platforms (e.g., Vanta, Drata, Secureframe).

AWS experience (our primary cloud) and Atlassian suite (Jira, Confluence) for workflow and documentation.

Formal people-management experience.

Relevant certifications (e.g., CISSP, CISM, CCSP).

Why Join Reach

Competitive compensation

Flexible remote work

Comprehensive benefits

Opportunity to build and own a security function

Direct impact on a global commerce platform