Reach

Head of Security

Location: Remote, CA
Work mode: Remote
Employment type: Full-time
Experience level: Lead
Category: IT
IT category: Security Engineer
Language: English
Posted: April 27, 2026
Last checked: May 8, 2026

About Reach

Reach is merchant of record infrastructure that lets brands sell globally without replatforming. We handle the complexity of cross-border payments, tax compliance, and fraud management, integrating directly with the brand's existing commerce stack. With local acquiring in 70+ countries and pre-built integrations for major platforms, Reach enables mid-market and enterprise brands to scale internationally while maintaining full control of their customer data and technology.

Role Overview

We’re looking for a Head of Security to own and lead information security at Reach. This is a hands-on leadership role: you will set the strategy, own the program end-to-end, and stay actively in the work alongside your team. In a given week you might be writing a policy, triaging a pen test finding, running a phishing campaign, responding to a customer security questionnaire, and presenting the quarterly security update to leadership.

The right person is energized by owning an entire domain end-to-end, is comfortable moving between strategy and execution, and is equally credible with a senior engineer and a SOC 2 auditor. You believe security is most effective when it is practical, measurable, and built into how the business operates.

Key Responsibilities

  • Vulnerability management and offensive testing: Own the vuln lifecycle end-to-end — intake, triage, prioritization, risk acceptance, ticketing to dev teams, and remediation within SLA — and manage external pen tests and targeted assessments. Report regularly on status, SLA performance, and trends.
  • Security operations and incident response: Manage our MSSP partner for 24/7 SIEM and SOC monitoring; ensure telemetry, detections, and playbooks match our threat model. Serve as incident commander for real events, and run regular tabletops and post-incident reviews.
  • Policy, controls, and risk: Define and maintain Reach’s security policies and control framework. Design, implement, and measure the effectiveness of controls; maintain a risk register; and surface material risk decisions to leadership.
  • Compliance and audits: Own SOC 2 Type II and PCI DSS end-to-end with continuous control monitoring and evidence collection between audits. Serve as the primary contact for external auditors.
  • Application and cloud security: Partner with engineering on secure SDLC, threat modeling for new products and features, SAST/DAST/SCA coverage, and cloud security posture (IAM, configuration, workload protection).
  • Identity and access management: Own IAM policy, periodic access reviews, privileged access, and joiner/mover/leaver processes, in partnership with IT and People.
  • Third-party and customer security: Run Reach’s vendor risk program (due diligence, questionnaires, DPAs, ongoing monitoring) and own responses to customer and prospect security reviews.
  • Security awareness and training: Run phishing simulations, ongoing and role-targeted training, and regular company-wide sessions on new threats and best practices.
  • Executive reporting: Provide regular security posture updates with meaningful metrics (MTTD/MTTR, patch latency, control coverage, phishing outcomes, audit readiness).
  • People, budget, and tooling: Act as a mentor for your report; own the security budget and tool stack — evaluating, procuring, rationalizing, and retiring tools as the program matures.
