Security Manager

Reply helps thousands of companies automate and scale their sales outreach — and we were among the first to put an AI SDR inside a sales engagement platform. We move fast, stay lean, and solve problems with AI, not headcount.

Now we're looking for a Security & Compliance Manager to own our security and compliance programme as we move upmarket. This is a hands-on, build-from-scratch role: you'll own the programme end-to-end, report directly to the CEO, and have the autonomy to shape how security works here rather than inherit someone else's playbook.

👉 If you like turning risk into clear business decisions — and building systems that make security something the company moves faster because of, not slower — you'll thrive here.

🎯 What you'll do

• Own and run the security and compliance programme end-to-end
• Lead annual SOC 2 Type 2 audits and lay the groundwork for ISO 27001 and other relevant certifications — owning audit readiness throughout: evidence collection, documentation, and representation in audits and regulatory interactions
• Own security and privacy governance: policies, standards, and their full lifecycle, aligned with SOC 2 and relevant frameworks
• Maintain the risk register across access controls, internal processes, data confidentiality and availability, infrastructure, and third parties — and translate identified risks into clear, prioritised treatment plans with owners and timelines
• Own identity and access management across all company systems: onboarding/offboarding, regular access reviews, and least-privilege enforcement
• Run vendor and third-party risk management, embedding security requirements into contracts and SLAs
• Handle inbound security questionnaires and enterprise security reviews from customers and prospects, independently
• Scope, procure, and manage the annual external pentest — you own the process and track remediation through to completion with DevOps
• Build and run a security awareness programme in collaboration with HR: training completion, phishing simulations, and behavioural improvement tracking
• Partner with engineering and DevOps to translate compliance requirements into technical controls
• Treat Claude Code as your core security operating system — use it daily to investigate our systems, automate GRC workflows, build and test controls, and actively challenge our own defences. This role sets the bar for what AI-first security looks like here
• Report to leadership on top risks, incidents, control effectiveness, awareness metrics, and compliance status

🧩 Requirements
Must-have:

• 4+ years in information security or GRC, including hands-on ownership of a SOC 2 programme
• Proven hands-on experience with SOC 2 Type 2 and ISO 27001 in a SaaS or product company
• Working knowledge of GDPR and its implications for a SaaS business
• Experience managing vendor and third-party risk, including security requirements in contracts and SLAs
• Experience handling customer-facing security questionnaires and enterprise security reviews independently
• Able to assess and communicate risk in business terms
• Comfortable working across teams without direct authority
• Comfortable operating in cloud environments (we run on Azure)
• An AI-first operator who reaches for automation before manual effort — ideally already an exceptional Claude Code power user
• Advanced English

Will be a plus:

• ISO 27001 Lead Implementer / Auditor or CISM certification
• Familiarity with GRC tooling such as Drata, Vanta, or similar
• Background in a startup or scale-up where you built processes rather than inherited them

🎁 What we offer

• Full ownership of the security programme — build it from the ground up, with direct CEO access and real autonomy
• Your work directly enables the company to move upmarket and win bigger customers
• High ownership and the freedom to improve systems and processes
• Close collaboration with leadership, engineering, and DevOps
• 100% remote, with minimal meetings and zero bureaucracy
• Coverage for professional courses, gym memberships, or therapy sessions
• AI-first culture — we actively use advanced AI tools and cover premium software costs
• 15 paid vacation days, 🇺🇦 national holidays, and ~10 days of Christmas vacation
• Unlimited sick leave
• Access to internal training, literature, and knowledge sessions

If you're excited about building a security programme from scratch, turning risk into clear decisions, and doing it AI-first — we'd love to hear from you!