Information Security Lead

About The Role

Allocate is looking for an Info Sec Lead to own and evolve our information security program as we scale. As a fintech company handling sensitive investor data and financial transactions, security and compliance are foundational to everything we do. This role will consolidate security responsibilities currently distributed across our Product and Engineering leadership, allowing them to focus on their core functions while you build out a mature security practice.

You’ll be responsible for policy enforcement, compliance management (SOC
2), vendor security assessments, and developing our security roadmap, including migration to a Zero Trust architecture. You’ll also oversee our relationship with our IT managed service provider and handle some basic IT functions. This is a high‑impact role with both leadership and IC aspects and significant growth potential; the right person could eventually build out and lead an entire Info Sec team here at Allocate.

• Own and evolve the GRC program in partnership with Legal and our CCO
• Lead all efforts to achieve and maintain critical compliance certifications (SOC 2, potentially ISO 27001)
• Manage external SOC2 audits and coordinate with third‑party auditors (currently 4‑6 week intensive periods annually)
• Conduct quarterly user access reviews and maintain comprehensive access control documentation
• Lead responses to due diligence questionnaires (DDQs) for information security matters

• Develop, maintain, and enforce clear, practical security policies across all departments
• Work cross‑functionally with IT and HR to ensure consistent policy adherence
• Monitor compliance with laptop MDM requirements, 2FA, policy attestations, and security training
• Manage policy updates and communicate changes effectively to the organization
• Review logs, access permissions, and information sharing practices to identify compliance gaps

• Develop and execute a comprehensive information security roadmap aligned with business objectives
• Lead the organization’s migration to a Zero Trust security approach
• Drive cultural change around data protection practices across all business units
• Plan for and implement security improvements to support company growth

• Select, implement, and manage endpoint detection and response (EDR) solutions
• Lead rollout of security technologies across all employee devices
• Establish continuous monitoring protocols for endpoint security
• Manage BYOD policies and company device distribution
• Implement virtual office network capabilities for Allocate devices

• Oversee relationship with our managed IT service provider
• Act as a security‑focused intermediary for IT requests, ensuring appropriate access controls
• Manage general IT operations, including email, machine compliance, and onboarding/offboarding
• Manage support ticket flow and ensure sensitive information is properly protected
• Evaluate and implement ticket management systems for security‑sensitive support requests

• Conduct vendor security reviews, risk assessments, and ongoing monitoring
• Evaluate SaaS tools and API connectors for security implications
• Lead the due diligence evaluation of our vendors
• Manage vendor access and integration security
• Research, evaluate, and select security tools to build a mature, cost‑effective security stack

• Develop and execute security awareness training programs for all employees
• Coordinate phishing tests and manage remediation for failing results
• Ensure cyber security and AML training requirements are met for all employees
• Implement training programs for new hires and ongoing education initiatives
• Build a security‑conscious culture, especially around PII handling and phishing awareness

• 5+ years of experience in information security, with at least 2 years in a leadership or senior individual contributor role
• Experience in fintech, banking, healthcare, payments, or other highly regulated industries
• Proven track record managing SOC 2 compliance, including audit…