Head of Security & Risk

M0

$120K — $180K *
US-AnywhereRemote in New York, NY
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 7-10 years in information security, risk, GRC, or compliance with ownership, preferably in fintech, crypto, or B2B SaaS.
  • Proven ability to develop a compliance certification program from scratch, with knowledge of SOC 2 and ISO 27001.
  • Experience with GRC automation tools and cloud security environments, ideally AWS.
  • Proficient in managing end-to-end external audit processes and compliance relationships.
  • Familiarity with AWS, GCP, Azure, and their respective security controls.

Responsibilities

  • Build and own the enterprise risk management program covering various risk types.
  • Manage the organization's compliance with SOC 2, ISO 27001, ensuring audit readiness.
  • Establish an information security operations framework, including incident response and ISMS documentation.
  • Act as the main contact for partner security due diligence and maintain documentation for responses.
  • Design and implement a security awareness training program across the organization.

Benefits

  • Work in a global team with the flexibility to work remotely or from major hubs.
  • Comprehensive healthcare insurance and a wellbeing allowance for physical and mental health.
  • Customized IT setup with high-quality workspace equipment.
  • Annual development budget for skill enhancement and professional opportunities.
Full Job Description
About the Role

Reporting to Deputy COO, you will be M0's first dedicated information security and risk professional - responsible for building the enterprise risk management program, owning the information security compliance certification roadmap, establishing the security operations framework, and responding to partner security due diligence requests. You will work daily across engineering, product, legal, BD, and operations to ensure that M0's security posture is proactive, documented, and defensible.

Key Responsibilities
  • Build and Own Enterprise Risk Management: Build M0's enterprise risk program from scratch. Cover security, operational, regulatory, and counterparty risk, including the risk register, annual assessments, scenario analyses, and escalation framework across all entities.
  • Own the Information Security Compliance Certification Program: Own M0's compliance posture across SOC 2, ISO 27001, and other applicable frameworks - driving all non-technical workstreams (policy writing, auditor coordination, vendor risk, access reviews, third-party SaaS vendor evaluations) and keeping the organization audit-ready at all times.
  • Establish the Information Security Operations Framework: Design and maintain M0's incident response framework, ISMS documentation, and security policies - own external security vendor relationships, facilitate tabletop exercises covering IR, BCP, and DR scenarios, and drive the selection of a security advisory firm for on-call support.
  • Own Partner Information Security Due Diligence: Serve as M0's primary point of contact for institutional partner security due diligence and inbound security questionnaires, build and maintain the reusable documentation package for responding to partner requests, and coordinate with Senior Counsel on information security representations in commercial agreements.
  • Build Information Security Awareness & Culture: Design and own M0's security awareness training program, ensure all employees understand their security obligations, and build a proactive security culture across engineering, operations, legal, and business teams.

Qualifications
  • 7-10 years of experience in information security, risk, GRC, or compliance operations, with meaningful ownership and a preference for fintech, crypto infrastructure, or B2B SaaS backgrounds.
  • Demonstrated track record of building a compliance certification program from scratch, in-depth knowledge of compliance and regulatory frameworks, including hands-on end-to-end ownership of a full SOC 2 audit cycle, ISO 27001 implementation/maintenance, etc.
  • Hands-on experience with GRC automation platforms (Vanta, Drata, or equivalent), cloud security environments (AWS preferred), and BCP/DR program design.
  • Proven experience managing external audit relationships end-to-end (including auditors, penetration testing firms, and compliance vendors) and navigating evidence collection and report production.
  • Working understanding of AWS, GCP, and Azure, including embedding security controls into DevOps workflows and Infrastructure as a Service (IaaS) deployments.
  • Preferred certifications: Cloud+, CySA+, CISSP, or CISM.

Skills & Attributes
  • A Proactive Risk Thinker: You think in terms of likelihood, impact, and mitigation, and you reason from first principles when regulations are unclear, translating complex risk into clear, business-relevant language.
  • Exceptionally Organized and Process-Driven: You maintain rigorous documentation, evidence records, and program trackers across concurrent workstreams. Your outputs need to be right and audit-ready at all times, and you have a track record of improving processes, not just running them.
  • A Builder with High Ownership: You are a self-starter with a "no job too big, no job too small" mentality. You look around corners to creatively solve problems and have a proven ability to own projects from concept to finish.
  • An Excellent Communicator & Partner: You build trust across engineering, legal, product, and business by speaking their language, embedding compliance as a shared operating principle rather than an external checkpoint, and getting things done through influence rather than authority.
  • Adaptable and Intellectually Curious: You have a positive attitude, comfort with ambiguity, and a relentless curiosity about new technologies. You have a passion for or a strong interest in crypto, blockchain technologies, and DeFi.

Nice to Haves
  • Security Certifications: Professional certifications in security risk management such as CISSP, CISM, or CRISC are preferred.
  • Crypto-Native Familiarity: Familiarity with digital assets, stablecoins, or blockchain infrastructure, including smart contract security risk and on-chain monitoring tools (BlockAid, Chainalysis, or similar).
  • Regulatory Exposure: Familiarity with GENIUS Act, MiCA, DORA, or other emerging digital asset and financial services regulatory frameworks and their security and compliance implications.
  • Multi-Entity Experience: Prior experience operating across a multi-entity structure (US operating entity, Cayman HoldCo, Swiss Foundation, or equivalent) is a plus.
  • Location: Ability to work multiple days a week in our main hub office in NYC.
Compensation:
  • Competitive compensation (base salary with equity/token grant) commensurate with experience.
Benefits:
  • Global team and flexibility: Join a truly global team with the flexibility to work remotely or from one of our hubs in NYC or Berlin.
  • Health and wellness: Enjoy comprehensive healthcare insurance coverage as well as a wellbeing allowance and gym membership to support your physical and mental health.
  • Customizable IT setup: Tailor your workspace with access to top-notch IT equipment.
  • Professional development: Benefit from an annual development budget to enhance your skills and grow professionally, including opportunities to participate in conferences and on-site company events worldwide.

Similar Jobs

More Jobs at M0

  • Product Manager
    $120K — $150K *
    Remote
    Finance & Insurance
    Remote in United States
  • Head of Security & Risk
    $120K — $180K *
    Remote
    Information Technology
    Remote in New York, NY
  • Head of Security & Risk
    $120K — $180K *
    New York City, NY 10025 (New York County)
    Information Technology
    In-Person

More Information Technology Jobs

Find similar Head of Security & Risk jobs: