Security & Compliance Lead

The Role

As Security & Compliance Lead, you'll be the go-to authority on information security across the organisation. You'll own our compliance program, lead security operations, and work hands-on with engineering and platform teams to ensure security is embedded in how we build and operate — not bolted on after the fact. This means getting into the weeds of our cloud infrastructure, shaping how security fits into the SDLC, and driving a DevSecOps mindset across engineering.

You'll report to the Head of Engineering/Platform and work cross-functionally with legal, techops,  engineering, platform, and data teams. As we scale, there's a clear path for this role to grow into managing a small security function.

This is a hands-on senior role. You won't just be writing policies — you'll be monitoring threats, responding to incidents, driving audits, reviewing cloud security posture, and shaping how [Employer hidden] approaches security as we scale across the world.

What you'll be doing

*Security Operations & Cloud Security*

• Monitor for security threats, vulnerabilities, and incidents across our infrastructure, applications, and tooling.
• Create, respond to, and investigate security alerts using SIEM tooling (e.g. Datadog), triaging and escalating as appropriate.
• Own and improve our endpoint security, vulnerability scanning (e.g. Snyk), and cloud security posture management across GCP and AWS.
• Design and implement security architectures across our cloud infrastructure, working hands-on with Kubernetes, Terraform/IaC, and cloud-native services.
• Lead incident response — minimising impact, ensuring rapid recovery, and coordinating post-incident analysis and reporting.
• Coordinate penetration testing and manage remediation of findings.

*Compliance & Governance*

• Take responsibility for all technical aspects of our compliance program ensuring we maintain ISO 27001, SOC 2, and Cyber Essentials certifications.
• Lead the preparation and coordination of external audits, ensuring documentation and evidence are always audit-ready.
• Create, manage, and maintain security and compliance frameworks, including policies, procedures, and guidelines.
• Partner with legal and our DPO on GDPR and data privacy requirements, ensuring our security practices support our data protection obligations.
• Align security strategy with business objectives, managing risks while enabling growth.
• Assist data teams with governance requirements.

*DevSecOps & Engineering Partnership*

• Be the authority on information security within the engineering organisation, ensuring security is embedded throughout the SDLC.
• Work cross-functionally with engineering and platform teams to integrate security into CI/CD pipelines, code review, and infrastructure-as-code workflows.
• Contribute to platform and infrastructure security architecture decisions, providing guidance on secure design patterns and cloud security best practices.
• Promote security awareness across the business, including secure development practices, cloud platform security, and general security hygiene.

*Threat Intelligence*

• Identify and assess emerging threats and vulnerabilities, recommending actionable mitigations to reduce risk exposure.
• Monitor and report on trends in the cyber threat landscape, providing insights to inform organisational security decisions.
• Share threat intelligence and mitigation strategies with relevant teams to enhance awareness and preparedness.

What you'll bring

- 5+ years of experience in security operations, cloud security, or a combined security and compliance role, with a track record of owning and delivering security outcomes independently.

- Strong hands-on experience with cloud security in GCP and/or AWS, including working with Kubernetes, Terraform/IaC, and cloud-native security tooling.

- Deep understanding of compliance frameworks such as ISO 27001 and SOC 2, with experience owning or significantly contributing to audit preparation and certification maintenance.

- Experience with security tooling across SIEM, vulnerability scanning, endpoint security, and cloud security posture management.

- A solid understanding of DevSecOps principles and experience embedding security into the software development lifecycle.

- Working knowledge of GDPR and data privacy requirements, and experience partnering with legal or DPO functions.

- Strong communication skills — you can translate security risks into business language, influence engineering teams, and write documentation that's clear and actionable.

- The ability to work independently, manage competing priorities, and exercise good judgement about where to focus your time.

- A proactive mindset — you spot risks early, propose solutions, and take ownership without being asked.

Even better if you have

- Experience coordinating penetration testing programmes and managing remediation.

- Familiarity with infrastructure-as-code security scanning and policy-as-code approaches.

- Experience with incident response programme design or tabletop exercises.

- Exposure to customer security questionnaires, vendor due diligence, or third-party risk assessments.

- Experience working in a scaling company where you've helped build security processes and culture from the ground up.

- A relevant security certification such as CISSP, CISM, or cloud-specific security certifications (e.g. GCP Professional Cloud Security Engineer).

- Experience mentoring or growing into a people management role.