About Reach
Reach is merchant of record infrastructure that lets brands sell globally without replatforming. We handle the complexity of cross-border payments, tax compliance, and fraud management, integrating directly with the brand's existing commerce stack. With local acquiring in 70+ countries and pre-built integrations for major platforms, Reach enables mid-market and enterprise brands to scale internationally while maintaining full control of their customer data and technology.
Role Overview
We’re looking for a Head of Security to own and lead information security at Reach. This is a hands-on leadership role: you will set the strategy, own the program end-to-end, and stay actively in the work alongside your team. In a given week you might be writing a policy, triaging a pen test finding, running a phishing campaign, responding to a customer security questionnaire, and presenting the quarterly security update to leadership.
The right person is energized by owning an entire domain end-to-end, is comfortable moving between strategy and execution, and is equally credible with a senior engineer and a SOC 2 auditor. You believe security is most effective when it is practical, measurable, and built into how the business operates.
Key Responsibilities
- Vulnerability management and offensive testing: Own the vuln lifecycle end-to-end — intake, triage, prioritization, risk acceptance, ticketing to dev teams, and remediation within SLA — and manage external pen tests and targeted assessments. Report regularly on status, SLA performance, and trends.
- Security operations and incident response: Manage our MSSP partner for 24/7 SIEM and SOC monitoring; ensure telemetry, detections, and playbooks match our threat model. Serve as incident commander for real events, and run regular tabletops and post-incident reviews.
- Policy, controls, and risk: Define and maintain Reach’s security policies and control framework. Design, implement, and measure the effectiveness of controls; maintain a risk register; and surface material risk decisions to leadership.
- Compliance and audits: Own SOC 2 Type II and PCI DSS end-to-end with continuous control monitoring and evidence collection between audits. Serve as the primary contact for external auditors.
- Application and cloud security: Partner with engineering on secure SDLC, threat modeling for new products and features, SAST/DAST/SCA coverage, and cloud security posture (IAM, configuration, workload protection).
- Identity and access management: Own IAM policy, periodic access reviews, privileged access, and joiner/mover/leaver processes, in partnership with IT and People.
- Third-party and customer security: Run Reach’s vendor risk program (due diligence, questionnaires, DPAs, ongoing monitoring) and own responses to customer and prospect security reviews.
- Security awareness and training: Run phishing simulations, ongoing and role-targeted training, and regular company-wide sessions on new threats and best practices.
- Executive reporting: Provide regular security posture updates with meaningful metrics (MTTD/MTTR, patch latency, control coverage, phishing outcomes, audit readiness).
- People, budget, and tooling: Mentor and develop your direct report; own the security budget and tool stack — evaluating, procuring, rationalizing, and retiring tools as the program matures.