Reach

Head of Security

Head of Security managing information security strategy at Reach. Leading end-to-end security efforts for a global ecommerce platform.

Posted 4/27/2026 • Full-time • Remote • 🇨🇦 Canada • Lead

Tech Stack

Tools & technologies
AWS, Azure, Cloud, Google Cloud Platform, SDLC

About the role

Key responsibilities & impact
  • Vulnerability management and offensive testing: Own the vulnerability lifecycle end-to-end — intake, triage, prioritization, risk acceptance, ticketing to dev teams, and remediation within SLA — and manage external pen tests and targeted assessments. Report regularly on status, SLA performance, and trends.
  • Security operations and incident response: Manage our MSSP partner for 24/7 SIEM and SOC monitoring; ensure telemetry, detections, and playbooks match our threat model. Serve as incident commander for real events, and run regular tabletops and post-incident reviews.
  • Policy, controls, and risk: Define and maintain Reach’s security policies and control framework. Design, implement, and measure the effectiveness of controls; maintain a risk register; and surface material risk decisions to leadership.
  • Compliance and audits: Own SOC 2 Type II and PCI DSS end-to-end with continuous control monitoring and evidence collection between audits. Serve as the primary contact for external auditors.
  • Application and cloud security: Partner with engineering on secure SDLC, threat modeling for new products and features, SAST/DAST/SCA coverage, and cloud security posture (IAM, configuration, workload protection).
  • Identity and access management: Own IAM policy, periodic access reviews, privileged access, and joiner/mover/leaver processes, in partnership with IT and People.
  • Third-party and customer security: Run Reach’s vendor risk program (due diligence, questionnaires, DPAs, ongoing monitoring) and own responses to customer and prospect security reviews.
  • Security awareness and training: Run phishing simulations, ongoing and role-targeted training, and regular company-wide sessions on new threats and best practices.
  • Executive reporting: Provide regular security posture updates with meaningful metrics (MTTD/MTTR, patch latency, control coverage, phishing outcomes, audit readiness).
  • People, budget, and tooling: Act as a mentor for your direct report; own the security budget and tool stack — evaluating, procuring, rationalizing, and retiring tools as the program matures.

Requirements

What you’ll need
  • 8+ years in information security, with 3+ years leading a security program or a major security function.
  • Direct experience owning SOC 2 Type II audits end-to-end; PCI DSS experience strongly preferred.
  • Proven, hands-on ownership of vulnerability management programs at scale.
  • Experience managing an MSSP/MDR relationship for SIEM and 24/7 SOC.
  • Strong application and cloud security fundamentals, with hands-on experience in AWS, GCP, or Azure, and the ability to partner credibly with engineering.
  • Experience leading incident response end-to-end, including cross-functional coordination and working with external parties.
  • Experience writing and operationalizing security policies against recognized frameworks (NIST CSF, ISO 27001, CIS Controls).
  • Excellent written and verbal communication — credible with engineers, executives, auditors, and customers.
  • Comfortable as a player-coach in a lean environment, with a strong sense of ownership and bias for action.

Additional assets
  • Experience in fintech, payments, or ecommerce — ideally cross-border or merchant-of-record.
  • Prior experience standing up or scaling a security program at a growth-stage company.
  • Familiarity with GRC/continuous compliance platforms (e.g., Vanta, Drata, Secureframe).
  • AWS experience (our primary cloud) and Atlassian suite (Jira, Confluence) for workflow and documentation.
  • Formal people-management experience.
  • Relevant certifications (e.g., CISSP, CISM, CCSP).

Benefits

Comp & perks
  • Competitive compensation
  • Flexible remote work
  • Comprehensive benefits
  • Opportunity to build and own a security function
  • Direct impact on a global commerce platform
  • Health insurance
  • Retirement plans
  • Paid time off
  • Professional development
  • Bonuses

ATS Keywords

Applicant Tracking System Keywords


Hard Skills & Tools
vulnerability management, incident response, security policies, cloud security, application security, SOC 2 Type II, PCI DSS, IAM, SAST, DAST
Soft Skills
communication, leadership, mentoring, ownership, cross-functional coordination, bias for action, credibility, training, reporting, problem-solving
Certifications
CISSP, CISM, CCSP