Head of Security and Compliance
About the role
We’re building Physical AI for the real world—intelligent systems that sense, understand, and act in high-stakes physical environments. Our first application is transforming fire response: combining advanced fluid dynamics, IoT-enabled hardware, real-world operational data, and AI-powered decision support to help firefighters suppress fires faster, use less water, reduce fatigue, and improve safety. By connecting the physical layer of emergency response with predictive intelligence, HEN is building the infrastructure for a safer, more adaptive future.
Responsibilities
Security strategy & engineering leadership. Define the security and compliance roadmap aligned with company goals, customer requirements, and the regulatory environment. Build the team over time.
SOC 2 audit (Type I, then Type II). Own the end-to-end SOC 2 program: auditor relationship, compliance tooling (Vanta/Drata or equivalent), policy authoring, control implementation, evidence collection, and remediation.
Cloud security (GCP). Partner with the Head of Cloud and Data engineering to mature GCP security posture: IAM, VPC and network design, KMS, Secret Manager, Security Command Center, Cloud Logging and detection engineering.
Product security across the stack. Embed security into the SDLC for our cloud platform, web app, mobile apps, firmware, and edge AI components. Drive threat modeling, secure design reviews, SAST/SCA/secret scanning, and penetration testing.
IoT and embedded device security. Partner with the Head of Firmware/IoT on device identity and provisioning, secure boot, signed firmware, OTA update security, code-signing key management, and device fleet hygiene.
AI/ML governance. Partner with the Head of AI/ML to establish governance for models, training data, third-party LLM usage, prompt and output handling, and edge inference. Build a defensible AI risk story for customers and investors.
Identity, access & corporate IT security. Own SSO, MFA, least-privilege access, quarterly access reviews, MDM coverage, and endpoint protection across the company.
Vendor and third-party risk. Build and run the vendor risk program. Maintain sub-processor inventory, DPAs, and SOC 2 collection for critical vendors. Review AI/LLM vendor terms for data handling.
Incident response & business continuity. Own the IR plan, BCP and DR plans. Run tabletop exercises and DR tests. Lead response on any material security incident.
Customer trust & enterprise sales support. Be the executive owner of customer security questionnaires, security one-pagers, the trust page, and customer security calls. Support sales on enterprise and fire-department procurements.
Lead security due diligence, and brief the senior leadership on security posture and risk on a regular cadence.
Regulatory readiness. Stay ahead of the regulatory landscape relevant to fire department customers: where applicable, CJIS, HIPAA (for EMS data), state breach notification laws, federal AI executive orders, and emerging IoT security regulation.
Qualifications
- 12+ years in information security, with at least 4 years leading a security function.
- Personally led at least one company through SOC 2 (Type I and Type II) at a similar-stage company - not just "managed compliance at a larger company."
- Strong cloud security background, ideally GCP (AWS or Azure depth with willingness to ramp on GCP also works).
- Hands-on technical credibility. You can read a Terraform module, review an IAM policy, and have a substantive conversation about TLS configuration.
- Experience embedding security into modern engineering practices: GitHub workflows, CI/CD, IaC, secure SDLC.
- Demonstrated experience running vendor risk, incident response, and customer security questionnaire processes.
- Excellent written and verbal communication - you will be writing policies, responding to customers, and briefing the leadership, often in the same week.
Nice-to-haves
- Direct experience with IoT, embedded, or connected device security (firmware signing, OTA security, device PKI).
- Familiarity with AI/ML security and governance: model risk, third-party LLM data handling, prompt injection, edge model integrity.
- Public sector or first-responder customer experience: CJIS, HIPAA, NG911, FedRAMP-adjacent procurement.
- Relevant certifications (CISSP, CISM, CCSP, GCP Professional Cloud Security Engineer).
Pay and Benefits
The projected base salary for this position in the San Francisco Bay Area ranges from $225,000 to $300,000. Final compensation will be determined based on the specific qualifications and experience of the selected candidate. Additionally, this role may qualify for equity. HEN Technologies provides a robust benefits package, featuring a comprehensive well-being program and flexible time-off policies.