Head of Security / Senior Security Engineer

Posted 12 Days Ago
Boston, MA
Hybrid
Senior level
Information Technology • Web3
The Role
The Head of Security will lead security initiatives, manage security tools, collaborate with teams on security practices, and maintain compliance certifications.
Summary Generated by Built In

We're seeking a hands-on security professional to lead and evolve our established security program. Over the past few years, we've built strong security foundations, including tooling, processes, and practices to support our ISO 27001 and SOC 2 certifications. This role uniquely combines application security, security architecture, compliance oversight, and cross-functional collaboration. You'll be the security voice across engineering, product, sales, customer success, and operations teams, working closely with everyone to maintain and enhance our security posture.

You'll take ownership of our existing security tooling and processes, identify gaps and opportunities for improvement, and drive security initiatives forward. While we have solid foundations, there's a significant opportunity to optimize, modernize, and scale our security program. Initially, expect to be 80% hands-on execution and 20% strategic planning. As we continue to grow, this may shift toward building a team, but hands-on expertise will always be valued.

Inrupt is headquartered in Boston, MA. This role is based in Boston. Our team operates on a hybrid schedule, working from the office two days a week and enjoying remote flexibility on the remaining days.


Key Responsibilities

  • Own and optimize security tooling stack for SAST, DAST, SCA, container scanning, and IaC security (e.g., SonarQube, StackHawk, Aikido, Trivy)
  • Partner with engineering to create and refine threat models for all new product features and major architectural changes
  • Ensure cloud environments adhere to security best practices and evolving compliance requirements
  • Review and provide security feedback on technical requirements, design documents, and architecture decisions
  • Analyze and triage output from security scanning tools to identify, prioritize, and track vulnerabilities
  • Translate security findings into actionable recommendations for development teams with clear prioritization
  • Own the security incident response process for products and service incidents
  • Conduct post-incident reviews and drive continuous improvement in security practices
  • Own and evolve established security policies, standards, and procedures as the company grows
  • Manage the enterprise risk register for security risks escalated beyond individual departments
  • Lead cross-functional risk management meetings to assess, track, and mitigate security risks
  • Maintain ISO 27001 and SOC 2 Type I certifications and drive progression to SOC 2 Type II
  • Conduct periodic security audits, assessments, and gap analyses
  • Prepare for and lead security audits and customer security assessments
  • Develop and deliver security training and awareness programs across all teams
  • Partner with sales and customer success during security discussions with enterprise customers and prospects
  • Support RFP/RFI responses and customer security questionnaires
  • Build security champion programs to distribute security knowledge across teams
  • Foster a security-first culture that emphasizes shared responsibility and proactive security practices
About You

Required:

  • 5-8+ years in application security, security engineering, cloud security, or similar roles
  • Proven ability to work independently and wear multiple hats in a fast-paced, small company environment
  • Strong understanding of secure software development lifecycle (SSDLC) practices and DevSecOps principles
  • Hands-on experience implementing and managing security tooling, including SAST, DAST, SCA, and container scanning
  • Demonstrated experience with cloud security (AWS, Azure, or GCP) and infrastructure as code security
  • Working knowledge of threat modeling methodologies (STRIDE, PASTA, or similar)
  • Direct experience with ISO 27001 and/or SOC 2 compliance programs from implementation through audit
  • Strong understanding of OWASP Top 10, SANS Top 25, and common vulnerability types
  • Excellent communication and collaboration skills with the ability to influence across technical and non-technical audiences
  • Experience working with distributed/remote teams across multiple time zones
  • Comfortable taking ownership of existing systems and processes and making them better
  • Programming/scripting skills (Python, Bash, or similar) for automation and tool integration
  • Deep knowledge of cloud security controls, IAM, and network security (AWS, Azure, or GCP)
  • Experience with IaC security (Terraform, CloudFormation) and policy-as-code tools (Checkov, tfsec, OPA)
  • Experience securing CI/CD pipelines with GitHub Actions, Argo CD, Jenkins, or similar
Preferred:

  • Experience in taking over and improving established security programs
  • Professional security certifications (CISSP, OSCP, CEH, GIAC, or similar)
  • Hands-on software development or DevOps background (Python, Java, JavaScript)
  • Prior experience managing security incident response and conducting security investigations
  • Background as a security champion or embedded security engineer within development teams
  • Familiarity with regulatory frameworks (GDPR, CCPA, SOX, HIPAA)
  • Experience with security orchestration, automation, and response (SOAR)
  • Experience in B2B SaaS or enterprise software companies
  • Experience with secrets management (HashiCorp Vault, AWS Secrets Manager)
  • Knowledge of identity and access management (SSO, SAML, OAuth, RBAC)
  • Experience with security monitoring and logging (SIEM, log aggregation)
Top Skills

Aikido
Argo CD
AWS
Azure
Bash
Checkov
CloudFormation
Container Scanning
DAST
GCP
GitHub Actions
Jenkins
Linux
OPA
Python
SAST
SCA
SonarQube
StackHawk
Terraform
tfsec
Trivy
Windows
The Company
HQ: Boston, Massachusetts
200 Employees
Year Founded: 2017

What We Do

Sir Tim Berners-Lee, inventor of the World Wide Web, created Solid to realize the web as he fully envisioned it. Sir Tim co-founded Inrupt to provide enterprise-grade Solid software and services.

Inrupt’s data infrastructure software enables enterprises and governments to deploy and manage Solid-compliant solutions. Our products are the expression of decades of experience in security, compliance, and operational excellence.
