Head of Security

Overview

Security Strategy & Leadership

• Own and evolve the enterprise security strategy, roadmap, and operating model across cloud, network, endpoint, physical, and GRC, aligned to Salla's growth and public-listing readiness
• Act as the organization's principal security advisor; brief the executive team and the Board on cyber risk posture, investment priorities, and regulatory exposure
• Define and steward the security budget, headcount plan, and tooling portfolio; drive measurable return on security investment
• Establish security KPIs, OKRs, and a metrics-driven reporting cadence for leadership and audit committees

Cloud Security

• Lead cloud security across the platform, including landing-zone hardening, network segmentation, secrets management, and workload protection (AWS strongly preferred)
• Govern Infrastructure-as-Code security, container and Kubernetes security (image scanning, admission control, runtime protection), and CI/CD pipeline integrity
• Drive Cloud Security Posture Management, workload protection, and continuous compliance against recognized cloud control frameworks and CIS benchmarks
• Partner with SRE and Platform Engineering to embed secure-by-default guardrails that protect velocity rather than slow it

Network Security

• Own network security architecture, including edge protection, DDoS mitigation, web application firewall, segmentation, and zero-trust network access
• Govern the CDN and edge security stack, bot management, rate limiting, and origin lockdown for high-traffic, merchant-facing services
• Oversee secure connectivity, private connectivity, VPN, and DNS security

Endpoint Security

• Lead endpoint protection across corporate and engineering fleets, including EDR/XDR, device hardening, mobile device management, and disk encryption
• Run a continuous vulnerability and patch management program with clear remediation SLAs
• Define and enforce endpoint baselines and data loss prevention controls

Physical & Facility Security

• Own physical security for Salla's offices and facilities in Makkah and other sites, including access control, CCTV, visitor management, and environmental controls
• Align physical and logical access policies; govern physical access to sensitive areas and equipment
• Coordinate with Facilities, HR, and local authorities on safety, badging, and on-site incident response

Identity & Access Management (Zero Trust)

• Lead IAM strategy across cloud and corporate systems, including single sign-on, multi-factor authentication, privileged access management, and least-privilege enforcement
• Automate joiner, mover, and leaver workflows and run periodic access recertification
• Advance the organization toward a mature zero-trust architecture

Security Operations & Incident Response

• Build and run the security operations capability, including SIEM, detection engineering, threat intelligence, and continuous monitoring
• Own the incident response lifecycle from preparation through detection, containment, eradication, recovery, and blameless post-incident review
• Lead tabletop exercises, red and purple teaming, and breach-readiness drills; maintain crisis-communication and breach-notification playbooks

Governance, Risk & Compliance (GRC)

• Own the GRC function and the enterprise risk register; run the risk assessment and treatment lifecycle
• Lead certification and audit programs spanning ISO/IEC 27001, SOC 2, and PCI DSS, with alignment to the NCA Essential Cybersecurity Controls and Cloud Cybersecurity Controls, and to the SAMA Cyber Security Framework where applicable
• Own data protection and privacy compliance under the Saudi Personal Data Protection Law and SDAIA requirements, including data inventories, processing agreements, and cross-border transfer controls
• Prepare Salla's security and IT-governance posture for Tadawul listing, including controls maturity, evidence collection, and auditor readiness
• Author, ratify, and maintain the full lifecycle of security policies, standards, and procedures

Third-Party & Vendor Risk

• Establish and run the third-party risk program, including security due diligence, contractual security terms, and continuous monitoring of critical suppliers
• Embed security requirements into procurement and vendor onboarding

Security Awareness & Culture

• Build a company-wide security awareness, training, and phishing-simulation program
• Champion a positive, blameless security culture in which security is a shared responsibility

Team Leadership & Organization Building

• Lead, mentor, and grow a multidisciplinary security organization spanning cloud security, SecOps, GRC, and physical security
• Set objectives, develop talent, and build the hiring plan to scale the function with the business
• Forge cross-functional partnerships with Engineering, SRE, IT, Legal, HR, and Finance

Requirements

• 12+ years in information and cyber security, including 5+ years in senior security leadership (Head of Security, Director, or CISO-track) at a SaaS, fintech, or e-commerce organization
• Demonstrated ownership of security across multiple domains: cloud, network, endpoint, physical, and GRC
• Deep hands-on and architectural knowledge of cloud security (AWS strongly preferred), including Kubernetes and modern CI/CD
• Proven track record building and operating security operations and incident response at scale
• Strong GRC experience across ISO 27001, PCI DSS, GDPR and Saudi regulatory frameworks (NCA ECC and CCC, PDPL and SDAIA; SAMA CSF a plus)
• Experience leading audits and certifications, ideally including IPO or regulatory-readiness programs
• Excellent executive communication; able to translate technical risk into business and regulatory language for the Board
• Bachelor's degree in Computer Science, Engineering, Information Security, or a related field
• Willingness and eligibility to work on-site in Makkah, Saudi Arabia