Head of Security (NYC / MIA)
Crossmint · Miami, FL · 1 mo ago
HybridInformation TechnologyFull-time
About the role
We are hiring a Head of Security to build and own Crossmint's security function as we enter a new phase of scale and regulatory maturity. This is a player-coach role: you will set strategy and own the program at the highest level, while remaining deeply capable of operating hands-on when the situation demands it. No delegation without comprehension.
Responsibilities
Program Ownership and Strategy
- Define and own Crossmint's security strategy, including roadmap prioritization, risk posture, and security investment decisions.
- Operate fluidly across scope levels: board-level risk briefings one hour, hands-on threat model review the next.
- Establish and maintain a security program that scales with the company, not one that creates drag on product velocity.
- Report to co-founders on security posture, risk landscape, and program progress.
Technical Oversight and Hands-On Contribution
- Maintain deep technical fluency across cloud security (AWS primary), application security, CI/CD security, and endpoint and corporate IT.
- Review architecture decisions, new product features, and infrastructure changes for security implications before they ship.
- Conduct or lead threat modeling exercises across product and infrastructure domains.
- Step in as a hands-on practitioner during incidents, complex vulnerability analysis, or high-stakes security reviews where direct expertise is required.
Audit and Compliance Leadership
- Own security's relationship with auditors, regulators, and compliance frameworks including SOC 2 Type II, DORA, and MiCA-related security requirements.
- Lead audit preparation cycles: scope definition, evidence readiness, control documentation, and auditor-facing communication.
- Maintain audit-ready posture year-round, not as a sprint before each audit window.
- Partner with the Compliance function to ensure security controls satisfy both regulatory requirements and practical risk management objectives.
Third-Party and Vendor Risk
- Own the security review process for new vendors, integrations, and third-party relationships.
- Manage relationships with external security partners including our third-party audit firms and 24/7 incident response provider.
- Define and oversee our external penetration testing and security assessment program.
Team and Stakeholder Leadership
- Manage and develop the Senior DevSecOps Engineer, with the expectation of growing the security team over time.
- Serve as the internal authority on security for Engineering, Product, Compliance, Legal, and People Ops.
- Drive security awareness and culture across the company without creating friction that slows down product teams.
- Communicate risk clearly to non-technical leadership, translating technical realities into business decisions.
About You
Must Haves
- 8+ years in security, with at least 3 years in a security leadership or program ownership role.
- Deep technical fluency in cloud security, application security, and CI/CD security. This is not a policy-only role.
- Demonstrated experience owning a security compliance program end-to-end through at least one major audit cycle: SOC 2 Type II strongly preferred.
- Software engineering degree or software engineering experience that makes up for it.
- Deep familiarity with the latest AI / agentic tools.
- Prior experience in fintech, payments, or similarly regulated industries, where concepts like treasury management aren't foreign and security failures carry direct consequences for licensing, customer trust, and business continuity.
- Strong written and verbal communication skills, including the ability to brief executive and board-level stakeholders on risk without unnecessary jargon.
- Experience managing or mentoring security engineers.
- Ability to work flexible hours if an incident arises.
Nice to Haves
- Familiarity with DORA, MiCA, or EU financial services regulatory frameworks.
- Experience with crypto or blockchain security threat models.
- Track record of building a security function from an early or formative stage.
- CISSP, CISM, or equivalent certification.