The role
MirrorWeb runs a compliance archiving platform for regulated financial services firms, so our own internal security posture has to be exemplary. The core systems are already in place and working. We need one capable, self-sufficient person to take them over, run them well day to day for a company of close to 100 users, and push our security posture forward as we move into an AI agentic world.
This is not a from-scratch build. Identity through Okta, the Kandji-managed Mac fleet, email on Microsoft 365, endpoint security, and our ISO 27001 and SOC 2 programmes all exist. What we want is someone who keeps that estate running cleanly and handles the harder support escalations, and who brings a builder's instinct to the security layer on top: evaluating and rolling out new tooling, leading our DLP rollout, and rethinking how we secure a fleet of Macs as AI agents become part of daily work. You will own the function without day-to-day oversight, and there is scope to bring on a junior team member reporting to you as the company grows. We run on Claude across the company, so the right person will be at home in a heavily AI-native environment.
How we work with AI
MirrorWeb is a heavily AI-native company and this role sits at the centre of it. We run on Claude, with Claude Code, Cursor and Codex used daily across engineering and an extensive internal ecosystem of MCP servers and agents that the business relies on. We expect you to already be a very strong, hands-on user of Claude and AI coding tools, using them as a force multiplier in your own work rather than as an occasional aid. Just as important, you will help us adopt AI safely: securing the AI surface, governing access for agents and MCP services, and getting ahead of the new questions an agentic environment raises.
What you will own
- Advancing our security posture: this is where the role earns its keep. Continuously look for ways to improve how we protect the business, evaluate and roll out new security tooling, lead our data loss prevention (DLP) rollout across email, endpoints, and AI tooling, and harden the Mac fleet for an environment where agents and AI tools are running on endpoints.
- Identity and access (Okta): Okta is our directory. Administer it day to day, keep SSO, MFA, and conditional access policy healthy, run the joiner-mover-leaver process, maintain least privilege, and run regular access reviews.
- Apple fleet via Kandji: onboarding, configuration, patching, device compliance, and offboarding across a Mac-only estate, with an eye on tightening the security model over time.
- Microsoft 365 (email): Exchange Online administration and mail flow, plus email security (anti-phishing, anti-spam, SPF, DKIM, DMARC) and DLP on outbound mail.
- Endpoint and security operations: keep EDR, hardening baselines, vulnerability management, and alerting running, and lead incident response when something happens.
- Internal IT support (escalation): act as the escalation point for internal IT across roughly 100 users. The support team handles level 1; anything more complex comes to you. Hold that triage boundary with the support team and resolve the harder problems yourself.
- AI security and governance: keep the company's adoption of AI tooling safe, watch for data leakage through LLMs and shadow AI, maintain access controls for agents and internal MCP services, and keep our AI usage policy enforced and current.
- Compliance operations: run the ISO 27001 ISMS day to day, keep evidence current in Drata, support SOC 2, and turn around customer and investor security questionnaires and DDQs promptly.
What you need
- Several years running IT and security in an established environment, ideally as the sole or lead owner at a regulated or fintech SaaS company.
- A track record of improving security posture, not just maintaining it. You have evaluated, selected, and rolled out security tooling, and ideally led a DLP rollout.
- Hands-on Okta administration: managing SSO, MFA, conditional access, and lifecycle in a live directory.
- Proven management of a Mac fleet through an MDM such as Kandji or Jamf, with a real point of view on securing macOS endpoints. This is a hard requirement, not a nice-to-have.
- Solid Microsoft 365 email administration: Exchange Online, mail flow, and email security (anti-phishing, SPF, DKIM, DMARC).
- Operational security experience: endpoint security, vulnerability management, and handling incidents calmly.
- Comfort maintaining and extending scripts and automation, even if you are not building large systems from scratch.
- Working knowledge of ISO 27001 and SOC 2 as an operator who has kept evidence current and been through audits, plus comfort with GRC tooling like Drata.
- Very good, hands-on experience using Claude and AI coding tools (such as Claude Code or Cursor) in your daily work. This is a core requirement: you should already use AI as a force multiplier and be able to reason about the security questions an agentic environment raises.
- A genuine service mindset. You will be the escalation point for everyone in the company, so you need to handle people well and stay responsive.
- Self-directed and trustworthy. You will hold privileged access to everything, so reliability, judgment, and discretion matter as much as technical skill.
Nice to have
- Exposure to regulated financial services and to responding to investor or customer due diligence.
- AWS security experience.
- Experience securing AI or agentic systems.
- Experience that would let you mentor and lead a junior hire later.
- Relevant certifications (CISSP, Security+, or similar) are a useful signal but not a requirement.
Who you are
You are a reliable operator who keeps things running without being chased, and you are not content to just keep the lights on. You spot gaps before they become problems, bring ideas for how to make us more secure, and follow through on rolling them out. You are comfortable being the only person in the seat for now, you document as you go, you keep the CTO informed rather than asking permission for each step, and you are discreet with the access you hold.
What success looks like in year one
- The estate runs smoothly with nothing slipping: identity, Mac fleet, email, and endpoint security all healthy.
- A DLP solution is rolled out across email, endpoints, and AI tooling.
- The Mac fleet security model is measurably tighter and fit for an agentic AI environment.
- At least one meaningful new security tooling improvement is evaluated and shipped.
- The ISMS runs cleanly through an audit cycle and DDQ turnaround stays quick.
- Internal IT escalations are handled cleanly, with a clear level 1 boundary holding.