Information Security Lead (Remote)

Allocate

IT
United States · Remote
USD 175k-195k / year + Equity
Posted on Jan 24, 2026

About Allocate

We founded Allocate with the simple mission of making investing in top-tier private alternatives within the technology sector more accessible for a broader set of investors. We believe that the mark of healthy and efficient markets requires the financial inclusion of all qualified market participants. However, despite significant demand, investing in private technology-focused alternatives is more complex than ever as discovery, investment diligence and selection, access, and deal execution all serve as substantial roadblocks. With Allocate, investors can find, invest (through Allocate SPV feeders), and track highly vetted opportunities through our turnkey digital platform in a single easy-to-use interface.

Job Description

Allocate is looking for an InfoSec Lead to own and evolve our information security program as we scale. As a fintech company handling sensitive investor data and financial transactions, security and compliance are foundational to everything we do. This role will consolidate security responsibilities currently distributed across our Product and Engineering leadership, allowing them to focus on their core functions while you build out a mature security practice.

You'll be responsible for policy enforcement, compliance management (SOC 2), vendor security assessments, and developing our security roadmap, including migration to a Zero Trust architecture. You'll also oversee our relationship with our IT managed service provider and handle some basic IT functions. This is a high-impact role with both leadership and IC aspects and significant growth potential; the right person could eventually build out and lead an entire InfoSec team here at Allocate.

Essential Responsibilities and Duties:

Governance, Risk, and Compliance (GRC)

  • Own and evolve the GRC program in partnership with Legal and our CCO

  • Lead all efforts to achieve and maintain critical compliance certifications (SOC 2, potentially ISO 27001)

  • Manage external SOC 2 audits and coordinate with third-party auditors (currently 4-6 week intensive periods annually)

  • Conduct quarterly user access reviews and maintain comprehensive access control documentation

  • Lead responses to due diligence questionnaires (DDQs) for information security matters

Policy Enforcement & Management

  • Develop, maintain, and enforce clear, practical security policies across all departments

  • Work cross-functionally with IT and HR to ensure consistent policy adherence

  • Monitor compliance with laptop MDM requirements, 2FA, policy attestations, and security training

  • Manage policy updates and communicate changes effectively to the organization

  • Review logs, access permissions, and information sharing practices to identify compliance gaps

Strategy & Planning

  • Develop and execute a comprehensive information security roadmap aligned with business objectives

  • Lead the organization's migration to a Zero Trust security approach

  • Drive cultural change around data protection practices across all business units

  • Plan for and implement security improvements to support company growth

Endpoint Security & IT Infrastructure

  • Select, implement, and manage endpoint detection and response (EDR) solutions

  • Lead rollout of security technologies across all employee devices

  • Establish continuous monitoring protocols for endpoint security

  • Manage BYOD policies and company device distribution

  • Implement virtual office network capabilities for Allocate devices

IT Operations & Vendor Management

  • Oversee relationship with our managed IT service provider

  • Act as a security-focused intermediary for IT requests, ensuring appropriate access controls

  • Manage general IT operations, including email, machine compliance, and onboarding/offboarding

  • Manage support ticket flow and ensure sensitive information is properly protected

  • Evaluate and implement ticket management systems for security-sensitive support requests

Third-Party Security

  • Conduct vendor security reviews, risk assessments, and ongoing monitoring

  • Evaluate SaaS tools and API connectors for security implications

  • Lead the due diligence evaluation of our vendors

  • Manage vendor access and integration security

  • Research, evaluate, and select security tools to build a mature, cost-effective security stack

Security Awareness & Training

  • Develop and execute security awareness training programs for all employees

  • Coordinate phishing tests and manage remediation for failing results

  • Ensure cyber security and AML training requirements are met for all employees

  • Implement training programs for new hires and ongoing education initiatives

  • Build a security-conscious culture, especially around PII handling and phishing awareness

Must Haves:

  • 5+ years of experience in information security, with at least 2 years in a leadership or senior individual contributor role

  • Experience in fintech, banking, healthcare, payments, or other highly regulated industries

  • Proven track record managing SOC 2 compliance, including audit preparation and evidence gathering

  • Deep understanding of GRC frameworks and compliance requirements for fintech companies

  • Experience developing and enforcing security policies in a rapidly growing organization

  • Strong knowledge of endpoint security, including EDR solutions and mobile device management

  • Experience conducting vendor security assessments and managing third-party risk

  • Hands-on experience with security tools and technologies (SIEM, EDR, vulnerability management, etc.)

  • Demonstrated ability to work cross-functionally with Legal, HR, Engineering, and Product teams

  • Excellent written and verbal communication skills, with the ability to explain complex security concepts to non-technical stakeholders

  • Strong project management skills and ability to manage multiple initiatives simultaneously

  • Experience working with managed IT service providers or in-house IT teams

  • Ability to travel to our Palo Alto and/or NYC offices on a quarterly basis

Nice to Haves:

  • CISSP, CISM, or similar security certifications

  • Experience with ISO 27001 certification and maintenance

  • Familiarity with Zero Trust security architecture principles and implementation

  • Knowledge of SEC compliance requirements for investment advisers

  • Experience implementing VPN solutions and network security controls

  • Familiarity with AWS security services and best practices

  • Experience with Secureframe or similar GRC platforms

  • Background in security awareness training program development

  • Previous experience building out a security team from scratch

Education:

  • Bachelor's degree in Computer Science, Information Security, Cybersecurity, or related field, or equivalent practical experience

  • An advanced degree or relevant security certifications are a plus

Essential Values & Culture

  • Extreme Client Service: We approach every interaction with urgency, clarity, and accountability. Whether supporting investors, partners, or colleagues, we take ownership until the issue is resolved – always aiming to simplify, not complicate.

  • Relentless Problem Solving: We don’t stop at identifying challenges; we work through them. Our mindset is “How do we make this work?” not “Why won’t it?” Every obstacle is an opportunity to improve, innovate, and deliver solutions that move us forward.

  • Providing our clients with a world-class experience is our number one priority. We obsessively search for ways to improve the experience for our clients and partners. This requires extraordinary response times, proactivity, and ensuring that everything we do, from product strategy to offline communications, is a top-tier client experience.

  • Commitment to continuous improvement: We find ways to personally scale each day by pushing ourselves up the learning curve.

  • Meritocracy, not politics: We place the utmost value on results and rewards through merit, not reward actions driven by political agendas or behavior.

  • Civil Discourse is embraced: We believe open, intellectually curious conversations are required to consistently arrive at the best decisions. Respect is paramount in our dealings with one another, but our mission is always to get the right answer collectively, not to be right.

Additional Details

  • Fully Remote Position: a broadband internet connection is required

  • Seniority: Lead level

  • Reporting to: Head of Engineering

  • Location: All US candidates will be considered

  • Salary: $175-195K base, competitive for an early-stage fintech startup (salary + bonus + equity)

  • Benefits: Medical, dental, vision, 401(k), and responsible time off

  • Employment: Full-time
