Information Security Officer at Ona

Remote. Location: UK or Germany.

We're hiring an Information Security Officer at Ona. Reporting to our Head of Finance & Operations, you'll own Ona's full security and compliance program: building the architecture, automations, and trust infrastructure that seamlessly enables complex partnerships with some of the world's largest enterprises.

Who we are

We're a talent-dense group of people who transform how software is created, working to empower every company, every team, and every individual to succeed in a software-first world. We've found product-market fit and are scaling with high velocity towards repeatable go-to-market fit.

We care deeply, and for many of us, building Ona is our life's work. Our operating principles are an honest representation of how we build relationships and make decisions. We choose colleagues carefully based on merit and their authentic alignment with these principles.

If you're energized by the above, we'd love for you to apply!

Role responsibilities

Our operating principles are a core responsibility of every role. We expect anyone who joins the team to take an active part in forming and enhancing our culture by living out these principles and holding others accountable to them.

Role-specific responsibilities:

Future-proof Ona's SOC 2 compliance posture for the AI era: continuous control monitoring, audit readiness, policy architecture, and program evolution as our product and threat model change.
Elevate Ona's Trust Center to become primarily self-serve: customers get answers on demand, prospects convert faster, and the team spends zero cycles on questions the documentation already answers.
Steward GDPR and CCPA across the full data lifecycle and stay ahead of the shifting compliance landscape so Ona's privacy posture leads rather than chases it.
Drive IAM to zero-touch, and carry every incident from infrastructure alert to engineering diagnosis.
Forge a queryable layer across Ona's full compliance posture that every internal team can draw on without routing through you.

At the end of your first 30 days, you will have:

Owned the SOC 2 program from day one: published your plan of attack, with control design documentation and sample selection materials on track before August 10.
Delivered a written assessment of how Ona's upcoming product and infrastructure changes affect the SOC 2 control environment, with specific controls named and specific risks flagged.
Produced an independent written compliance opinion on a live technical artifact without support from PDE.
Transformed external-facing security documentation into something that answers prospect questions before they are asked.
Automated at least one high-leverage compliance process, or delivered a sequenced build plan for it, with IAM as the primary candidate.

About you

You work in alignment with our operating principles.

You treat compliance as a revenue asset. You've seen firsthand the impact that security posture has on complex enterprise deals. You have a superhuman ability to anticipate every question and requirement that a highly regulated prospect will raise before they raise it. Your documentation is as simple as it is comprehensive, and you are exceptional at automating processes to make things easier for everyone. Your proactivity doesn't just speed up the compliance stage, it essentially eliminates it. Security, in your hands, is something the sales team leans on rather than works around.

You leverage AI and automation. You treat automation as the default and manual work as the exception. Configuring a workflow, writing a policy as machine-readable data, prompting a tool to be your thought partner: all of your work is done in partnership with AI. When someone asks about your scope of work, you show them a system, not a calendar. You're equally passionate about enabling the team to do the same. You understand that automation is the future of work and build compliance around that vision.

You bring technical fluency to everything you own. You were a senior software engineer in a past life. You can read technical artifacts and form independent judgment from them. You have a strong mental model that lets you easily follow and digest architectural and product changes, and understand what a given shift means for your threat model without needing someone to translate. When you don't know the answer, you know how to find it. The gap between security officer and security engineer is a spectrum, and you close it through strong context and curiosity.

Additionally, we're looking for someone with most of the following:

Owned a SOC 2 Type II program end-to-end: the controls, the evidence, the auditor, the roadmap.
Hands-on AWS security experience: triage first, escalate second.
Operated inside a technical product company where understanding the product was part of the job.
Managed access management at organizational scale with a demonstrated bias toward automation.
Worked with compliance automation tooling (Vanta, Drata, or equivalent).
Familiar with GDPR, CCPA, or equivalent privacy frameworks at an operational level.
Security certifications (CISSP, CISM, CCSP) noted, not required.

We use these tools and expect you to have familiarity with most of them:

AWS (IAM, CloudTrail, GuardDuty, Security Hub)
Vanta, Drata, or an equivalent compliance automation platform
Git: reading diffs, following architectural changes, understanding what changed and why
Okta or equivalent identity and access management tooling
AI tools for research, synthesis, and workflow automation (we expect you to reach for them)
Slack, Notion, Linear as operational infrastructure
Ona, Claude, GPT as AI infrastructure
1Password, Kolide
Trust center platforms (SafeBase, Conveyor, or equivalent)
Socket.dev

Benefits

Flexible paid time off, including holidays that are most meaningful to you
Employee-friendly equity terms (extended exercise)
Health insurance (country-specific)
Retirement (country-specific)
Wellness allowance
Premium work-from-home equipment
Regular company off-sites

Interview process

We are remote-first and so is our hiring process. We are conscious of your time and are committed to being as efficient as possible.

We'll start the process with an intro call. Next, you'll complete a series of interviews designed to thoroughly evaluate our mutual compatibility:

Hiring Manager
Head of People
Peer Chat
Project and Panel Presentation
CEO

As a final step, we'll set up reference calls with people who can speak directly to your performance. Additionally, we will run a full background check (location dependent).