Security Manager
Oregon, Lucas County, Ohio, 43616, USA
Listed on 2026-02-15
IT/Tech
Cybersecurity, Security Manager
At Shippo, our vision is bold and clear: we are the shipping layer of the internet. Our mission is to make every merchant successful through excellent shipping, delivering world‑class logistics technology and infrastructure. We’re building the backbone of global e‑commerce — connecting merchants to carriers worldwide through a single API and intuitive dashboard.
As a remote‑first and globally distributed team, we believe flexibility fuels trust, autonomy, and performance. Our diverse perspectives — across continents, cultures, and time zones — drive our innovation and enable us to build solutions used by businesses everywhere. We invest in modern, scalable technology so our teams can build, ship, and iterate with confidence.
Your impact starts here: every person at Shippo plays a direct role in shaping the infrastructure that powers global commerce and makes shipping simpler for businesses around the world.
How we will deliver success together:
We’re looking for a Security Manager (Head of Security) to lead and evolve Shippo’s security function.
This role is the single accountable owner for security outcomes at Shippo today. You will define and execute Shippo’s security strategy, drive a focused and impactful security roadmap, and personally lead critical security initiatives hands‑on. You’ll manage a small, high‑leverage security team, while partnering closely with Engineering, Product, Legal, IT, and Leadership to ensure security is built into how Shippo operates and scales.
This is a player‑leader role: deep technical execution, clear ownership, strong judgment, and influence without relying on large team scale.
Security Strategy & Roadmap
- Define and own Shippo’s security strategy, translating business goals, customer trust needs, and regulatory requirements into a clear, prioritized security roadmap.
- Plan and execute quarterly security initiatives that deliver meaningful risk reduction and enable business growth.
- Continuously assess Shippo’s threat landscape and adjust priorities as the company, product surface area, and customer needs evolve.
- Secure Shippo’s cloud and application environments, with deep ownership of AWS security architecture and controls.
- Partner with Engineering teams to embed security into the SDLC, including application security reviews, SAST/DAST, dependency management, and secure design practices.
- Own security architecture decisions within your domain, balancing risk, cost, developer velocity, and long‑term maintainability.
- Review infrastructure‑as‑code (Terraform) and cloud configurations to ensure secure‑by‑default standards.
- Own Shippo’s security operations, including incident readiness, response, and post‑incident learning.
- Lead security incidents end‑to‑end – from investigation and containment to postmortems and long‑term remediation – partnering across Engineering, IT, Legal, and Leadership as needed.
- Proactively identify operational gaps, toil, and failure modes; drive automation and process improvements to reduce risk and operational overhead.
- Ensure strong documentation, runbooks, and knowledge sharing across security‑related systems and processes.
- Lead SOC 2 Type II readiness and ongoing compliance, including control design, implementation, evidence collection, audits, and continuous improvement.
- Conduct security risk assessments across applications, infrastructure, vendors, and processes; clearly communicate findings and recommendations to stakeholders.
- Own third‑party and vendor security risk management, ensuring critical vendors meet Shippo’s security expectations.
- Partner with Legal and other stakeholders on data protection, privacy, and regulatory requirements, ensuring security and compliance are built in – not bolted on.
- Serve as the primary security point of contact for customer and partner security inquiries, audits, and escalations.
- Develop and maintain clear, accurate customer‑facing security documentation (e.g., security overviews, questionnaires, trust materials).
- Work with Sales, Support, and Partnerships to ensure security strengthens—not…