Location

Paris or remote (from -5h GMT up to +2h GMT to ensure sufficient overlap with the rest of the team).
How we work

We move fast on hard problems in a nascent market with no set playbook: navigating uncertainty is part of the job. You'll be challenged: anyone can question work and decisions must be justified. We keep a high bar and match it with high support: we help each other unblock and share context openly, with low ego. More about our values: morpho.org/jobs.
Role

As Head of Security, you'll define and drive Morpho's security strategy across the entire organization - corporate and IT, cloud and infrastructure, application, supply chain, identity, incident response, threat intelligence, and counterparty security - and you'll build the team and function to deliver it. This is a hands-on leadership role: in the early days you'll personally do the work while you hire, and you'll stay close enough to the technical detail to earn the trust of a deeply technical organization. You'll also be Morpho's credible security voice, internally to leadership, and externally to the integrators, institutions, and ecosystem partners who depend on us. You'll partner closely with Engineering on infrastructure and deployment integrity, and with our Integration team, which works with various partners across the Morpho ecosystem.
Responsibilities

• Own and continuously evolve Morpho's security strategy and roadmap across corporate, cloud/infrastructure, application, supply-chain, identity, and operational security.
• Build and lead the security function - hire, grow, and develop the team, recruiting skillsets across security operations and application security.
• Stay hands-on. Personally execute critical security work - threat modeling, architecture review, control implementation, and incident command - while the team scales.
• Set the governance architecture: a coherent security framework that ties tooling and controls together, rather than accumulating tools in isolation.
• Own incident response end to end - runbooks, incident command, severity and escalation structure, and market communication during an event.
• Build and run a counterparty security program for curators and partners - identity verification, screening, operational diligence, and bidirectional incident-coordination channels.
• Lead Morpho's certification strategy (e.g. SOC 2, ISO 27001), meeting both the spirit and the letter sustainably.
• Represent Morpho's security posture externally - to fintechs, financial institutions, and the broader ecosystem - and internally to executives.
• Partner cross-functionally with Engineering, Protocol, and Integrations, driving security outcomes through both direct ownership and influence.

What Success Looks Like
First 30 Days

• You've built a clear, independent picture of Morpho's posture, architecture, threat model, and in-flight work - and pressure-tested the existing strategy against it.
• You've met the team and established working relationships with the people who own the surfaces you'll most depend on.
• You understand the path-to-funds attack surface in depth and have an early, evidence-based view of the highest-severity risks and quick wins.
• You know exactly where incident-response readiness stands today.

First 60 Days

• You've published a clearly prioritized security roadmap with clear sequencing, owners, and the rationale for what's deferred and aligned leadership behind it.
• You've defined the team build-out plan and opened the first hire.
• You're personally driving the top-severity gaps - identity and authentication enforcement, deployment guardrails, and a documented incident-response runbook among them.
• You've set the governance framework and the certification path in motion.

First 90 Days

• Demonstrable progress closing the highest-priority gaps, with key controls enforced rather than optional.
• A documented incident-response capability that's been validated by at least one tabletop exercise.
• Hiring underway, and a clear operating rhythm established with Engineering, Protocol, and Integrations.
• Morpho's external security posture is taking shape - trust surface, counterparty security program, and ecosystem engagement - and you're recognized internally and externally as Morpho's credible security voice.

Must-have Experience & Skills

• 10+ years in security, several of them building or leading a security function, ideally at a crypto/web3, fintech, or financial-services company where security is core to the business.
• Strong grasp of the crypto/web3 threat model
• Proven experience building and growing a security team from a small base, recruiting across security operations and application/infrastructure security.
• Deep, hands-on technical expertise across cloud, infrastructure, CI/CD, supply-chain, identity, and application security - you do the work, not just direct it.
• Owned incident response end to end, including incident command and external communication.
• Taken an organization through certifications (SOC 2, ISO 27001, or equivalent)
• Sharp prioritization and the ability to galvanize action through hard and soft influence, including driving outcomes through teams you don't own.
• Exceptional, organized, responsive communication - credible to executives and to external audiences from fintechs to Fortune 500 institutions.
• Humble.

Nice to Have

• An established network and public profile in the security or crypto-security community, and comfort representing security work publicly (talks, writing, framework contribution).
• Offensive security depth, or experience standing up red/blue capabilities.
• Familiarity with institutional and regulatory expectations and threat-sharing networks (e.g. Crypto ISAC, TIBER-style frameworks).

Perks & benefits

We design benefits around deep work and growth, so you can do the best work of your career. Expect fair, top-tier compensation, real flexibility, time together in Paris, great health coverage, and support to keep learning.