Objectives:
We are seeking an experienced Security Engineer to join the Engineering Team at Red Oak. The ideal candidate will be a strategic thinker with experience in managing complex security operations in an AWS environment. As Head of Information Security, you will have prime accountability for the design and implementation of our cybersecurity posture including oversight and management of our annual SOC 2 Type II audit, RFPs and annual client diligence requests.

SKILLS & QUALIFICATIONS

• 7+ years of experience in information security roles, with at least 2+ years in a leadership or principal-level position.
• Proven experience managing SOC 2 Type II or equivalent audit processes from end to end.
• Strong understanding of cloud-native security principles (especially AWS), infrastructure-as-code, and web application security.
• Familiarity with frameworks like NIST CSF, ISO 27001, and GDPR/CCPA.
• Experience coordinating penetration testing, vulnerability scanning, threat modeling, and secure CI/CD workflows.
• Excellent communication skills with both technical teams and external stakeholders.
• Certifications such as CISSP, CISM, or OSCP are highly preferred.
• Preference experience with security tools like AWS Security Hub, Snyk, Burp Suite, Terraform Sentinel, or Open Policy Agent (OPA).
• Familiarity with PCI-DSS, especially in the context of integrating with third-party payment providers is highly preferred
• Previous experience building or scaling a security program in a B2B SaaS product company is ideal.

• Governance, Risk & Compliance.
• Own Red Oak’s SOC 2 Type II audit program, including control definition, gap assessments, evidence gathering, and renewals.
• Respond to customer RFPs, security questionnaires, and vendor risk reviews.
• Guide implementation and alignment with frameworks like NIST Cybersecurity.
• Framework (CSF), ISO 27001, and GDPR/CCPA.
• Maintain and evolve security policies, training programs, and internal documentation.
• Partner with Legal, Sales, and Engineering to ensure contractual and regulatory security obligations are met.
• Security Operations & Testing.
• Lead ongoing vulnerability management, penetration testing coordination, and threat modeling.
• Monitor security risks across infrastructure, application, and third-party services.
• Build or integrate with a lightweight Security Operations Center (SOC) model, including incident response playbooks and post-incident analysis.
• Drive adoption of security automation, alerting, and monitoring tools.
• Product & Application Security.
• Partner with Engineering on secure development practices, including code reviews, dependency scanning, and CI/CD hardening.
• Participate in architecture reviews to ensure secure-by-default system design.
• Help enforce PII handling standards, encryption policies, and access controls in line with privacy regulations.
• Strategy, Metrics & Leadership.
• Define and evolve Red Oak’s security roadmap, including tool selection, team growth, and control maturity.
• Track and report on key security KPIs (e.g., patch compliance, audit control health, incident response time).
• Represent Red Oak’s security posture to customers, partners, and executive stakeholders.
• Build and lead a security team over time as business needs grow.