TL;DR: We're seeking a passionate and strategic security leader with significant technical experience to help build a new security team and take our product's and corporate security's cornerstones to the next level. You're an engineer first and a manager second.

About Cloudsmith

Cloudsmith is transforming how organizations handle software artifacts and secure their supply chains. As a fully managed multi-tenant Software as a Service (SaaS) built on AWS, our mission is to enable organizations to tackle scale and complexity through best-in-class artifact management and to secure software by default. Our vision is to become the software supply chain itself, powering the future of software delivery.

We are the world's most potent artifact management platform, built by developers for developers. Our platform supports over 30 formats spanning languages, containers, and operating systems, with enterprise-grade features, including vulnerability and security scanning, world-class policy management and enforcement, and web-scale to handle the Fortune 500. Organizations integrate Cloudsmith as critical infrastructure into their development, deployment, and distribution pipelines, trusting us to protect and accelerate, no matter the scale.

Backed by top-tier investors and on a trajectory toward IPO, we're building mission-critical infrastructure that powers software delivery for organizations worldwide. We operate at the cutting edge of cloud-native technology, tackling complex distributed systems challenges that directly impact millions of developers. Now is an exciting time to join us as we revolutionize how organizations deliver and secure software and help write the next chapter of our rocket-ship growth story.

The Role

As Director of Information Security reporting to the CTO, you'll lead and expand Cloudsmith's comprehensive security function across three key pillars: Product/Platform Security, Corporate Security, and Governance/Risk/Compliance (GRC). Building upon our existing ISO 27001-certified security foundation, you'll drive continuous improvement and innovation in our security practices.

This role combines strategic leadership with technical oversight, requiring someone who understands modern security challenges deeply enough to guide architectural decisions and build a high-performing security team. You'll oversee the Application Security team and I.T. Operations function, ensuring a cohesive security strategy across all aspects of our business.

Key Responsibilities

Strategic Leadership

• Partner with the CTO to define and implement Cloudsmith's comprehensive security strategy.
• Build and scale security teams across product, corporate, and GRC functions.
• Oversee I.T. Operations to ensure alignment between corporate and product security initiatives.
• Take ownership of security as a pillar of our engineering culture and champion it internally.
• Drive security architecture decisions that align with our cloud-native, distributed systems approach.
• Represent Cloudsmith's security posture to enterprise customers and during security audits.

Technical Leadership & Oversight

• Guide the technical direction of our security program, aligning it with cloud-native security practices.
• Review and approve security architecture decisions affecting our platform and infrastructure.
• Establish secure development practices and oversee their implementation across engineering teams.
• Define security requirements for our software supply chain security features.
• Oversee the implementation of security monitoring, detection, and response capabilities.

Security Program Development

• Design a comprehensive security program covering application, infrastructure, and corporate security.
• Establish security metrics and KPIs to measure and improve our security posture.
• Build relationships with security researchers and maintain our vulnerability disclosure program.
• Lead incident response planning and oversee security incident management.
• Drive security automation and integration initiatives.

Compliance & Risk Management

• Enhance and expand our security program, building upon our ISO 27001 certification.
• Assume ownership of our ISO 27001 (re)certification and SOC2 compliance programs.
• Lead security assessments and vendor audits, particularly for enterprise customers.
• Develop, implement, and maintain security policies aligned with NIST, OWASP, and industry standards.
• Serve as the primary security representative for customer audits and security reviews.
• Work with I.T. operations to manage the internal corporate security posture.
• Manage our compliance, onboarding, and offboarding via Vanta (or something similar).

Required Experience, Qualities & Skills

Technical Background

• 10+ years of security engineering, with a solid technical foundation in:
  • Cloud-native security architecture and best practices.
  • Modern software development and deployment practices.
  • Infrastructure security and cloud platforms (particularly AWS).
  • Application security principles and secure SDLC.
  • Software supply chain security concepts and tools.
  • Deep knowledge of SAST, DAST, and RASP (Runtime Security).
• Understanding of emerging security technologies and standards in the software supply chain space.
• Experience evaluating and implementing security tools and platforms.
• Experience with building and running SIEM tooling, such as DataDog SIEM.
• Experience with building and running virtual SOC-like on-call rotations.

Leadership Experience

• 5+ years in security leadership roles.
• Track record of building and leading high-performing security teams.
• Experience working in and leading remote teams.
• Strong executive presence and communication skills.
• History of successful security program development and implementation.

Domain Knowledge

• Deep understanding of software supply chain security challenges and solutions.
• Experience securing cloud-native platforms and distributed systems.
• Knowledge of modern development practices and tools.
• Understanding of compliance frameworks and their technical requirements.
• Track record of maintaining and expanding ISO 27001 and other security certifications.

Cultural Values We're Looking For

• Strategic Excellence: Balance big-picture security vision with technical depth while driving automation.
• Technical Leadership: Guide cloud-native security architecture and champion pragmatic solutions.
• People First: Foster a transparent security culture and sustainable team growth.
• Customer Partnership: Drive security improvements through close customer collaboration.
• Collective Growth: Promote shared security ownership and continuous learning across teams.

Impact & Opportunity

This role offers a unique opportunity to shape the security strategy for a platform that aims to revolutionize software supply chain security. You'll build a security program from the ground up, mentor the next generation of security leaders, and help establish Cloudsmith as the trusted source for secure artifact management and software supply chain globally across a range of customers from startups to the Fortune 500.

You'll join an organization that takes security seriously, as evidenced by our ISO 27001 certification and existing security controls. Your role will take our security function to the next level as we scale, building upon our strong foundation to create world-class security capabilities across product, corporate, and compliance domains.

Benefits, Location & Work Environment

Note: You must be based in the U.K. or Ireland (or the USA if the role is located there) and have the right to work independently without requiring sponsorship.

Headlines

• A remote-first position based in Ireland or the United Kingdom.
• A competitive compensation package, including equity.
• With comprehensive health, dental, and vision insurance.
• Plus, generous annual leave and flexible working policies to suit your lifestyle.
• Including a professional development budget for conferences and training.
• In a dynamic, innovative, trust-centric, and supportive work environment.
• With the opportunity to shape a fast-growing Series A startup (and beyond).
• Regular (monthly-ish) travel may be required for team meetings.
• Regular (quarterly-ish) travel may also be required for events and customers.

Health and Wellness

Regardless of your location, we deeply care about our staff's and their families' health and wellness; a sustainable pace is essential. In addition to generous annual leave (PTO), we offer parental leave and health benefits to cover you and your dependents up to 100%. We also offer flexible, family-friendly working policies.

Personal Growth

You will have an enormous opportunity to learn new skills alongside your colleagues, and your continued professional development is essential to us because it's important to you. We will support you with budgets for equipment, training, books, conferences, travel, and certifications. The more powerful you become, the better for all of us.

Hybrid / Remote First

Cloudsmith is headquartered in Belfast, Northern Ireland, and we use our H.Q. regularly for activities like team planning, meets and greets, and sometimes other group activities (like games!). We also hold all-hands offsites in Belfast (or otherwise) thrice yearly, with guest speakers and team activities. Most Cloudsmithers work remotely, close and far, so we rely on our online collaboration tools; Slack is how we work.

About Equal Opportunity

Cloudsmith is an equal-opportunity employer proud to nurture a diverse workplace that welcomes applications from individuals of all races, genders, and ethnic groups. We do not discriminate on age, religion, sexual orientation, citizenship status, military service, or health conditions. We will not tolerate discrimination of any kind within our workforce.

The Final Word

We're looking for someone who can balance strategic thinking with technical depth, has the experience to build a world-class security program, and is fearless in rolling up their sleeves when needed. We're critical infrastructure by developers / for developers and building the world's software supply chain platform and ecosystem. If you're excited to build a security-as-a-function from the ground up, built on top of our existing capabilities, with a lasting impact on the software industry from today until IPO: we want to hear from you.