Head of Security
Listed on 2026-05-09
IT/Tech
Cybersecurity
About Fresha
The AI‑powered operating system for the global beauty, wellness and self‑care industry, connecting and powering everything from salons and barbers to spas, med‑spas, fitness studios and health practices. Trusted by millions of consumers and businesses worldwide. Fresha is used by 140,000+ businesses and 450,000+ stylists and professionals worldwide, processing over 1 billion appointments to date. The company is headquartered in London, United Kingdom, with 15 global offices located across North America, EMEA and APAC.
About the role
Reports to:
VP of Security, IT and Compliance
We're looking for someone to own security end‑to‑end. You'll shape the security strategy alongside the VP, build and run the controls that protect the business, and be the person everyone — engineers, execs, auditors, customers — looks to on security questions.
You'll work alongside the Head of Compliance (who sits under the same VP) as a peer. They own the frameworks, the audits, and the evidence. You own the actual security posture, the tooling, and the response. The two roles need each other to succeed, and we expect you to work closely together rather than carve out territory.
We're a payments business operating in a regulated space, with HIPAA and ISO 27001 behind us and PCI DSS, GDPR, and SOC 2 Type II ahead of us this year. The security bar is not theoretical.
To foster a collaborative environment that thrives on face‑to‑face interactions and teamwork, this role will be based in our dog‑friendly office 5 days per week in London:
The Bower, 207‑122, Old Street, London EC1V 9NR.
- Shape the security strategy together with the VP — the VP sets direction at the exec level, you bring the ground truth, the technical depth, and the detailed plan that turns that direction into something real.
- Own the security roadmap that falls out of it: what we're building, what we're retiring, what we're deferring, and why.
- Make the call on where to invest day‑to‑day: tooling, headcount, external services, automation — within the strategic envelope agreed with the VP.
- Translate that roadmap into something the exec team can actually read and fund.
- Deploy and run the security controls across the estate — endpoint, network, cloud, identity, application.
- Make sure controls are actually working, not just deployed — continuous validation, not annual tick‑boxing.
- Partner with Engineering and IT to get controls in early, rather than bolted on after the fact.
- Run the regular external pentest cadence — application, infrastructure — and make sure findings are triaged and closed.
- Own the vulnerability management programme: scanning, prioritisation, SLAs, and closure.
- Work with the Head of Compliance on the evidence side — they need clean data for audits, you need clean closure on the underlying issues. Same data, different purposes.
- Own the IR process end‑to‑end: detection, triage, containment, eradication, recovery, and post‑incident review.
- Run the on‑call model, the playbooks, the tabletop exercises, and the tooling behind them.
- Be the person in the room when something real happens, and the person writing the honest post‑mortem afterwards.
- Stand up a threat intelligence capability — somewhere past incidents, near‑misses, industry reports, and internal telemetry get captured, tagged, and made useful.
- Build this into a threat intel data warehouse that actually informs decisions: future threat modelling, control design, roadmap prioritisation, and tabletop scenarios. Not a dashboard nobody reads.
- Run threat modelling as a routine practice, not a one‑off — including automated threat modelling using AI against designs, code, and infrastructure changes.
- Keep a forward view on where the threat landscape is heading, especially around LLMs: prompt injection, model abuse, AI‑augmented vulnerability scanning by attackers, and exposure of sensitive data through AI tooling.
- Don't just react to what's hitting us today — make sure we're not blindsided by what's hitting everyone…