- Own and lead information security at Reach, setting strategy and managing the program end-to-end.
- Own the vulnerability lifecycle end-to-end, including intake, triage, prioritization, risk acceptance, ticketing to dev teams, and remediation within SLA.
- Manage external pen tests and targeted assessments and report regularly on status, SLA performance, and trends.
- Manage MSSP partner for 24/7 SIEM and SOC monitoring, ensuring telemetry, detections, and playbooks match the threat model.
- Serve as incident commander for real events and run regular tabletops and post-incident reviews.
- Define and maintain Reach’s security policies and control framework; design, implement, and measure control effectiveness; maintain a risk register.
- Own SOC 2 Type II and PCI DSS end-to-end with continuous control monitoring and evidence collection, serving as primary contact for external auditors.
- Partner with engineering on secure SDLC, threat modeling, SAST/DAST/SCA coverage, and cloud security posture (IAM, configuration, workload protection).
- Own IAM policy, periodic access reviews, privileged access, and joiner/mover/leaver processes.
- Run Reach’s vendor risk program (due diligence, questionnaires, DPAs, ongoing monitoring) and own responses to customer and prospect security reviews.
- Run phishing simulations, ongoing and role-targeted training, and regular company-wide security sessions.
- Provide regular security posture updates with meaningful metrics to leadership.
- Act as a mentor for direct reports; own the security budget and tool stack.
AWSGCPJira+2 more