protege - Head of Security
Requirements
• 8+ years in security roles, with at least 2 years in a leadership capacity
• Deep technical foundation: you've worked as or alongside engineers and can credibly review architecture, infrastructure, and code
• Experience building or significantly maturing a security program at an early-stage or high-growth company (not just maintaining one at a large enterprise)
• Strong understanding of cloud security (AWS, GCP, or Azure), identity/access management, and data protection at scale
• Hands-on experience with compliance frameworks (SOC 2, ISO 27001). You’ve maintained certifications and know how to expand scope without over-engineering the problem
• Hands-on experience with HIPAA compliance
• Comfort operating as an individual contributor and a leader simultaneously
• Experience securing data pipelines or working with data-intensive platforms
• Experience working in a data infrastructure company
• Background in AI/ML or companies selling to technical buyers
• Experience with data provenance, lineage tracking, or data governance in ML contexts
• Familiarity with supply chain security
• Prior experience as a customer-facing security leader
Responsibilities
Mature the Security & Compliance Program
• Audit and improve the existing security program by identifying gaps, prioritizing improvements, and bringing more structure to what exists.
• Formalize security policies and frameworks appropriate for our stage
• Own and evolve our compliance posture. We have SOC 2 Type II in place and you'll maintain it, improve our controls, and provide automation wherever needed
• Ensure compliance with HIPAA and other healthcare data regulations, and build a robust PHI protection program

Protect the Data Pipeline
• Secure the end-to-end lifecycle of training data which includes ingestion, processing, storage, preparation, and delivery
• Partner with engineering to embed security into CI/CD pipelines, cloud infrastructure, and data workflows

Be Technical and Hands-On
• Conduct threat modeling, architecture reviews, and code-level security assessments
• Lead incident response when things go wrong
• Evaluate and deploy security tooling

Enable the Business
• Translate security risks into business language for the executive team and board
• Serve as the security face to customers, fielding security questionnaires, supporting sales cycles, and building trust with AI company partners and customers
• Build a security-aware culture across the company through training and lightweight processes that don't slow teams down

Scale the Function
• Decide what to build, what to buy, and what to outsource
• Set the roadmap for how security evolves from Series A through a rapid growth stage

WHAT SUCCESS LOOKS LIKE:

30 days: Learn and Assess
• Complete a thorough audit of the existing security program, infrastructure, tooling, and policies
• Meet with every team lead to understand their workflows, data handling practices, and where security creates friction or blind spots
• Review our SOC 2 Type II and HIPAA controls and identify areas where we're passing but brittle vs. areas that are solid
• Map the full training data lifecycle end-to-end from a security and risk perspective

60 days: Prioritize and Start Building
• Present a security roadmap with quick wins (first 90 days) and longer-term initiatives (6–12 months), tied to business risk, not just best practices
• Close the highest-severity gaps identified in your assessment
• Upgrade incident response program
• Establish yourself as the go-to security partner for engineering
• Identify the highest-leverage automation opportunities

90 days: Fully Own
• You've taken full ownership of our SOC 2 compliance cycle and have a plan for any additional certifications or frameworks the business needs
• You've fielded at least one customer security review or questionnaire and can represent our posture confidently to prospects
• The team sees security as an enabler, not a bottleneck
• At least one meaningful security workflow has been automated
• The security roadmap is in execution with measurable progress