Head of Security
Compound Foundation · United States · 6 days ago
RemoteRemoteInformation Technology$57/hrFull-time
About the role
The Head of Security will own the Foundation's security posture across protocol development, infrastructure, tooling, access, custody interfaces, vendor risk and incident readiness. The role is also ecosystem-facing: the person will help Compound's protocol, contributors, partners and ecosystem remain secure as v4 expands into new markets, assets and institutional integrations. This requires a leader who can operate at both strategic and hands-on levels across smart contract security, infrastructure security, incident response, security vendor management and operational security.
What you'll do
- Own the Foundation security program across protocol, infrastructure, applications, internal tools, vendors and access controls.
- Support protocol and ecosystem security by coordinating secure development practices, audit processes, vulnerability handling, contributor guidance and incident response readiness.
- Manage and coordinate with Compound's security service providers, including audit firms, formal verification specialists and incident response providers, directing scope, priorities and deliverables, and serving as the primary point of accountability for security outcomes across the ecosystem.
- Partner with CTO and engineering team on secure architecture, secure SDLC, code review and deployment practices.
- Implement incident response procedures for vulnerabilities, exploits, access compromise, vendor compromise and operational security events.
- Harden identity, access management, secrets, GitHub, cloud, CI/CD, endpoint and offboarding practices.
- Support wallet, multi-sig, key management and custody security standards in partnership with Finance/Treasury and Risk.
- Evaluate security vendors, auditors, bug bounty platforms and external experts.
- Produce short, decision-ready security updates for leadership; escalate material issues or launch blockers quickly.
Requirements
- 8+ years security experience, including hands-on security engineering, application security or infrastructure security, with demonstrated end-to-end ownership of a security function - whether as a formal security lead or through growing into program ownership from a technical role.
- Direct crypto, DeFi, smart contract, blockchain infrastructure or protocol security experience.
- Strong understanding of smart contract audits, vulnerability management, bug bounties and secure deployment practices.
- Experience hardening cloud, GitHub, CI/CD, identity, access, secrets management and endpoint environments.
- Experience leading incident response for high-severity technical or security events.
- Ability to operate as both security strategist and hands-on builder in a small team.
- Traditional finance or other critical financial infrastructure experience is desirable but not required.
Qualifications
- High urgency and precision when dealing with security risk.
- Strong judgment on security materiality, launch readiness and when to stop or slow execution.
- Able to communicate security trade-offs clearly to technical and non-technical leaders.
- High autonomy and high standards: able to make sound decisions quickly, own outcomes and communicate clearly when escalation is required.
- Precise written communication: clear asks, owners, deadlines, context, risks and recommendations.
- Strong judgment in ambiguous, fast-moving environments; knows when to move fast and when to slow down.
- Uses AI, automation and better tools to increase quality, pace and leverage; avoids unnecessary manual process.
Other preferred experience
- Prior CISO/Security Lead role at a DeFi protocol, crypto foundation, exchange, custodian, security firm or critical financial infrastructure company.
- Hands-on smart contract review capability or deep fluency working with audit teams.
- Experience with formal verification, threat modeling, bug bounty programs and on-chain exploit response.