Information Security Lead
Open
Lead, Information Security
At Open, we exist because we believe insurance doesn't have to be complicated or costly. We're an AI-powered platform transforming insurance globally - making it more transparent, cost-effective, and customer-friendly. Since launching in 2016, we've grown into a certified B Corporation, operating across ANZ and the UK, building modern infrastructure that brings wonder into insurance.
Security is a commercial and operational enabler for us: it underpins the trust our partners and customers place in Open, and we're building the function to match that ambition. This is a rare opportunity to shape what good security looks like at a scaling AI company - owning the governance framework across two jurisdictions, unblocking commercial partnerships, and building the security foundation that supports Open's growth from an ANZ-rooted business into an established player in the UK and EU market.
The Role
You'll be the most senior security practitioner in the business: the person who defines what good looks like and earns the trust of engineers, executives, and partners. Reporting through the Founder's Office to the co-founders and working closely with the Executive Team, you'll be a peer to Technology, Data, and Partnerships. You define policies and procedures, lead interfacing with our partners, and work closely with Technology and Data to implement the associated controls.
The role requires strong technical depth to be credible with engineers, alongside a grounding in Open's commercial realities as a partner-led, AI-enabled scale-up.
What You'll Do
Governance & Risk
- Maintain and evolve Open's information security policy framework across ANZ and UK regulatory requirements (Australian financial services regulations, SOC 2 Type II, UK GDPR), working closely with regional compliance managers
- Drive the operational programme behind our SOC 2 Type II certification, maintaining audit readiness as the business scales
- Own the vendor assessment programme, data classification and DLP policy framework, and sub-processor register
- Own Open's AI governance framework - training data classification, customer-facing AI risk (prompt injection, jailbreaks, content safety), and secure use of GenAI tooling and AI coding assistants
- Translate security risk into business language for senior leadership reporting
Partner & Customer Security
- Own the end-to-end partner and carrier security assessment process: responding to SIG, VSA, and bespoke due diligence requests across AU and UK, reducing the commercial friction that assessment delays create
- Build and maintain a response library and evidence packs in our GRC platform for faster, consistent turnaround
- Work closely with commercial and partnerships teams to anticipate security requirements early in partner onboarding - getting ahead of requests rather than reacting to them
- Own the security input to Data Processing Agreements with partners, carriers, and customers, including Open's Technical and Organisational Measures and Transfer Risk Assessments under UK GDPR
Security Standards & Architecture
- Maintain and evolve security standards and architecture principles across the technology estate in partnership with the Head of TechOps
- Lead threat modelling and security design reviews for new products, features, and architectural changes
- Establish governance over cloud security posture findings: triage processes, remediation SLAs, and escalation criteria across our CSPM and observability tooling
- Maintain the AppSec programme - penetration testing cadence, vulnerability disclosure support, and remediation SLAs
- Define network security standards and zero trust principles; contribute to secure coding standards with specific focus on GenAI-assisted development
Security Operations
- Evaluate and recommend an external SOC provider, then own that relationship ongoing - continuously improving monitoring, detection, and response quality
- Serve as the operational lead for incident response, coordinating internally and managing the response process
- Maintain and test incident response and business continuity playbooks in collaboration with TechOps, data, and engineering
- Ensure logging, alerting, and detection capabilities across our cloud platforms (AWS, Snowflake, etc.) are appropriate to the threat landscape
Leadership & Influence
- Build the security function's roadmap and communicate it clearly to everyone from engineers to the senior leadership team
- Influence how engineering, data, and TechOps teams approach security through standards, design reviews, and collaboration - rather than direct authority
- Foster a culture of psychological safety, candour, and continuous improvement across the teams you work with
Who This Role Isn't For
This is a broad, commercially-oriented security role in a lean, high-trust environment. It's probably not the right fit if:
- You're coming from a large enterprise security function looking for a similar structure, support team, or delegation model - this role is hands-on by design
- Your background is primarily audit, compliance, or governance without close engineering or DevOps exposure - technical credibility with builders is essential
- You're an AppSec or security engineering specialist looking to step up - the majority of the workload is governance, partner-facing, and commercial
- You're motivated primarily by growing a team - the function is intentionally lean and that's unlikely to change significantly
- You're looking for a purely advisory remit - this role owns outcomes, not recommendations
What You'll Bring
Required:
- Proven experience in a senior security role in a technology or scale-up environment
- Strong governance and compliance background across ANZ and/or UK regulatory frameworks
- AI-forward security mindset - you understand GenAI and LLM risk and can build governance frameworks that enable rather than block
- Sufficient technical depth to lead threat modelling and hold engineering teams to standard without owning the tooling
- Experience evaluating or managing an external SOC: detection scope, incident response, and escalation
- Experience owning partner and customer security assessments at a commercial level (SIG, VSA, bespoke due diligence)
- Confident communicator from engineer to senior stakeholder; able to uplift security literacy across a leadership team
- Solid understanding of AWS security, DevSecOps practices, and secure SDLC
- Practical experience contributing to DPAs and TOMs in a B2B context
- Experience operating a sub-processor register in a B2B SaaS or regulated context
Preferred:
- CISSP, CISM, CRISC, CCSP, or equivalent
- Familiarity with Cyber Essentials Plus or equivalent UK security certification frameworks
- Experience with CSPM tooling (e.g. Wiz) or SIEM/observability tooling (e.g. Datadog, GuardDuty)
- Experience operating across multiple geographies (ANZ and UK)
- Exposure to insurance, fintech, or regulated financial services
- Degree in Computer Science, Information Security, or a related field
Where You'll Work
This role is based in Sydney, Australia. We work in a hybrid model, with teams in the office on Mondays, Tuesdays, and Thursdays. We've found this rhythm genuinely supports collaboration and the kind of fast, high-trust culture we've built. You'll have flexibility on the other days to work in a way that suits you.
What We Offer
- Highly competitive compensation including share options - we believe in paying people what they're worth and having everyone share in our success
- High autonomy and trust to do your best work
- Internal growth opportunities - as you grow, your role can too
- Flexible working and the ability to work from anywhere
- Paid company parental leave
- Bonus leave for rest and wellbeing
- Personal development allowance for learning, wellbeing, and personal growth
Open is a certified B Corporation using business as a force for good. We're an equal opportunity employer committed to building an inclusive, high-performing team. We encourage you to apply even if your experience doesn't match every requirement - we're looking for curious, courageous people motivated by impact.