Head of Security

Hi 👋🏾, I’m Abhik https://www.linkedin.com/in/abhikpramanik/, Ashby’s Co-Founder and VP of Engineering. I’m seeking a knowledgeable, collaborative, and creative leader to scale our security program and build out our security team. Hopefully, you fit the bill!

As our Head of Security, you won’t have to build from scratch. You’ll inherit a good but nascent security program that I started, and then our former Head of Security & IT https://www.ashbyhq.com/blog/culture/letter-frank-weigel-joining-ashby improved. We want you to scale this program and team through our next phase of high growth.

I think it’s important to share a bit about the broader company as context for this role. Ashby builds powerful and easy-to-use recruiting software that replaces several venture-backed companies' worth of products (often with a better experience). We have notable customers like Notion, Linear, Shopify, and Snowflake. Our growth and retention metrics are best-in-class among our peers: we have tens of millions in ARR, thousands of customers (including Enterprise customers), growing >120% year over year, very low churn, and many years of runway.

As a result of our success, Ashby manages a significant amount of sensitive information and PII on behalf of candidates and customers (from candidate addresses to offer details to company calendars), and the volume and types of sensitive data are only increasing as we expand the product.

This presents fascinating security challenges that you’ll lead and collaborate with other departments to solve.

Your first challenge will be building out our security team and scaling our security program. It’s been a team of one so far, but we’ve added many automations (e.g., one-click offboarding) and services (e.g., SecurityPal https://www.securitypalhq.com/) to help. We also collaborate with other departments (e.g., Support triages security@) to manage a good portion of routine Security work. That being said, you’ll still need to be a hands-on security generalist to start. By the end of the year, you’ll have added people (1-3 individuals), processes, and automation to scale yourself out of more of the routine work.

Some other examples of challenges you’ll work on:

• LLMs and AI products are powerful technologies, and new startups today have an advantage in utilizing these technologies because they have higher risk tolerance. Despite our scale, we must continue to adopt new technologies at a similar pace, but with the right security and privacy controls in place to match our maturity. You’ll help us navigate that with our IT and leadership teams by building policies, processes, and systems for departments to adopt at startup speed.

• This same technology also poses challenges for the recruiting industry, including mass bot applications and fraudulent candidates. You’ll lend your expertise to our Product and Engineering teams to help them build counters in our product (example here https://www.ashbyhq.com/product-updates/introducing-fraudulent-candidate-detection-and-management-to-help-you-focus-on-legitimate-candidates). You’ll also work with our customers and the broader industry to help them build strategies in their own processes (example here https://www.ashbyhq.com/blog/recruiting/fake-candidates).

• As we move into people workflows and capture more sensitive data, we’ll need to address the additional risk that brings, but, at the same time, not hinder our ability to provide excellent support to our customers. You’ll partner with Engineering, IT, and Customer Support to develop tools, integrations, and safeguards that enable us to practice least privilege through smart automations rather than slow, manual approvals.

WHAT WE’RE LOOKING FOR

Most importantly, I’m looking for someone who is collaborative and approaches security from a first-principles perspective. In past companies, we’ve worked with security teams that blindly follow industry norms and standards, or view their job as reducing risk to zero, both at the expense of velocity and innovation in other departments. Instead, you view Security’s goal as identifying, exposing, and educating on risk, then collaborating with others to determine when it makes sense to mitigate and when it makes sense to compromise. You help us make the right decisions for the business – putting objectivity and first principles above comfort or familiarity when it comes to both risks and methods.

Secondly, I am looking for someone who builds high-quality, scalable processes. You should be able to zoom out from hands-on work to realize when you need to shift to building a process or playbook. You should also be technically proficient enough to identify opportunities for automation, rather than always relying on people to solve problems, and either build these automations yourself or with our IT and Engineering teams.

Finally, I’m looking for someone who is an excellent communicator both externally and internally. Customers need to feel confident that their data is secure with Ashby. You achieve this not just by keeping Ashby secure, but also by addressing common concerns and questions through empathetic and thorough documentation https://www.ashbyhq.com/resources/security, and, for our larger customers, one-on-one meetings with their Security team. Internally, the policies, processes, and influence you have within the organization affect over 250 people today and more than 500 people by the end of the year. Your words matter, and you use them effectively to navigate opinions and situations, communicate Security priorities, and build a strong security awareness within the team.

The types of background we're looking for include candidates who have been the Head of Security at a startup, built a security program from the ground up, and overseen a security program at scale. An exceptional candidate would be someone with a background in Engineering, but it’s not required for the role.

WHY YOU SHOULDN’T APPLY

• You’ve never managed information security personnel. You will build a team of 1-3 over the next year, and unfortunately, we don’t have the bandwidth to coach someone new to management.

• You’ve always been a line manager or middle manager. You will set the strategy and roadmap for our Security program and posture, and we are looking for someone who has had that responsibility before.

• You’ve never managed a security program near our scale of business (e.g., thousands of customers and hundreds of employees). As we add more employees, Enterprise customers, and expand into additional products, we expect you to have the expertise to navigate the security concerns and risks that come with it.

• You don’t enjoy interacting with other departments, customers, or the broader industry. You are the face of Ashby Security, and we need you to project your expertise and competence to everyone we engage in Security conversations with.

• You don’t see security as a customer-service function. As with our own product, we believe that customer service through education, challenge, and delight is essential to a Security function that is seen as an enabler, not a roadblock. We need you to embody this as the Head of Security.

WHAT WE’RE BUILDING

Benji (CEO and Co-Founder) and I are engineers, and we are used to tooling that makes us better at what we do. When we started Ashby, we saw the opposite with Talent Acquisition software. Recruiting teams were leveling up how they did their work, but instead of software meeting this new standard, it held them back.

Scheduling a final round is an excellent example. Recruiting teams wanted to schedule candidates faster, track interviewer preparation and quality, and do it with half the headcount. A recruiter needed to manually collect availability from the candidate, identify qualified interviewers, perform “Calendar Tetris” to find who is available to interview the candidate, schedule on the earliest date possible, and make any last-minute adjustments as