Information Security Lead
Posted on June 8, 2026
- Sydney, Australia
- 0 - 0 USD (yearly)
- Full Time
- Proven experience in a senior security role in a technology or scale-up environment.
- Strong governance/compliance across ANZ and/or UK regulatory frameworks, including policy maintenance and security risk.
- Understands GenAI/LLM/AI-assisted development risks and builds enabling AI security governance frameworks.
Description
Lead, Information Security
At Open, we exist because we believe that insurance does not have to be seen as complicated or costly. We’re an AI-powered platform transforming insurance globally – making it more transparent, cost-effective, and customer friendly. Since launching in 2016, we’ve grown into a certified B Corporation, operating across ANZ and the UK, and building modern infrastructure that brings wonder into insurance.
Security is a commercial and operational enabler for us: it underpins the trust our partners and customers place in Open, and we’re building the function to match that ambition. This is a rare opportunity to shape what good security looks like at a scaling AI company: owning the governance framework across two jurisdictions, unblocking commercial partnerships, and building the security foundation that supports Open’s growth from an ANZ-rooted business into an established player in the UK and EU market.
What you’ll do
You’ll be the most senior security practitioner in the business: the person who defines what good looks like and earns the trust of engineers, executives and partners along the way.
Open is at an inflection point: a proven platform in ANZ now scaling into the UK and EU, where the regulatory bar is higher, partner scrutiny is deeper, and security needs to grow with it. Reporting through the Founder’s Office to the co-founders and working closely with the Executive Team, you’ll be a peer to Technology, Data and Partnerships. You will contribute to security standards, drive governance, enable partners, and move SecOps capability forward in an AI-native era. You define policies and procedures, and lead the security interface with our partners. You work closely with Technology and Data to implement the associated controls.
The role requires strong technical depth to be credible with engineers, alongside a grounding in Open’s commercial realities as a partner-led, technology- and AI-enabled scale-up. This is critical to being effective with partners and senior stakeholders, and to calibrating Open’s InfoSec capability in line with risk appetite and partner expectations.
Governance & Risk
- Maintain and evolve Open’s information security policy framework across ANZ and UK regulatory requirements (including Australian financial services regulations, SOC 2 Type II, and UK GDPR) – working closely with the regional compliance managers for each geography. Policy direction and sign-off is owned by the co-CEOs.
- Support Open in maintaining and maturing the security risk register – owning operational reporting and translating security risk into business language for senior leadership team reporting.
- Drive the operational programme behind our SOC 2 Type II certification, maintaining audit readiness and compliance as the business scales.
- Own the vendor assessment programme: requesting, reviewing, and managing assessments using our GRC tooling and established AU/UK templates, escalating exceptions to the Founder’s Office and Executive Team as needed.
- Own Open’s data classification and DLP policy framework: defining standards for sensitive data handling across AU and UK operations, with Technology owning tooling enforcement.
- Own Open’s AI governance framework for an environment where everyone is a builder: training data classification, customer-facing AI risk (prompt injection, jailbreaks, content safety), and secure use of GenAI tooling and AI coding assistants.
- Build on existing security awareness initiatives: extending phishing campaigns and team training to include a developer security programme, with a particular focus on secure use of GenAI across engineering, data, and the wider business.
- Maintain the sub-processor register and change-notification process in line with DPA commitments – co-owned with the regional compliance managers.
Partner & Customer Security
- Own the end-to-end partner and carrier security assessment process: responding to SIG, VSA, and bespoke due diligence requests across AU and UK, and reducing the commercial friction that assessment delays create.
- Build and maintain a response library and evidence packs in our GRC platform – enabling faster, consistent turnaround across AU and UK partner requests.
- Work closely with commercial and partnerships teams to anticipate security requirements early in partner onboarding – getting ahead of requests rather than reacting to them.
- Own the security input to Data Processing Agreements with partners, carriers, and customers. This includes defining and maintaining Open’s Technical and Organisational Measures, supporting sub-processor disclosures, and contributing the security view to Transfer Risk Assessments under UK GDPR. Work alongside Legal and the regional compliance managers, who own contract negotiation and broader privacy compliance respectively.
Security Standards & Architecture
- Maintain and evolve security standards and architecture principles across the technology estate in partnership with the Head of TechOps – raising the bar and ensuring the TechOps, data, and engineering squads implement to standard.
- Lead threat modelling and security design reviews for new products, features, and architectural changes, in collaboration with engineering, data and DevOps.
- Establish governance over cloud security posture findings: defining triage processes, remediation SLAs, and escalation criteria across our CSPM (Cloud Security Posture Management) and observability tooling.
- Maintain the AppSec programme: penetration testing cadence, vulnerability disclosure support, and remediation SLAs; with TechOps owning tooling execution. Vulnerability disclosure is managed at C-level; this role supports and feeds into that process.
- Define network security standards and zero trust principles across Open’s technology estate, in collaboration with the Head of TechOps.
- Contribute to secure coding standards, with specific focus on GenAI-assisted development practices and the secure use of AI coding tools across engineering, data, and the wider business.
Security Operations
- Evaluate and recommend an external SOC provider: assess options, define scope, SLAs, and escalation paths, and present a recommendation to the Founder’s Office and Executive Team for decision.
- Own the ongoing SOC relationship post-onboarding, continuously reviewing and improving monitoring, detection, and response quality.
- Serve as the operational lead for incident response – coordinating internally and managing the response process, with escalation to the Founder’s Office and Executive Team for significant security events requiring executive involvement or external communication.
- Maintain and test incident response and business continuity playbooks in collaboration with the Head of TechOps, data and engineering teams.
- Ensure logging, alerting, and detection capabilities across our cloud platforms (e.g. AWS, Snowflake) are appropriate to the threat landscape.
Leadership & Influence
- Build the security function’s roadmap and communicate it clearly at every level, from engineers to the senior leadership team.
- Influence how engineering, data, and TechOps teams approach security – through standards, design reviews, and ongoing collaboration rather than direct authority.
- Foster a culture of psychological safety, candour, and continuous improvement across the teams you work with.
Who this role isn’t for
This is a broad, commercially-oriented security role in a lean, high-trust environment. It rewards people who are energised by ownership and ambiguity – not those looking for a defined lane or a large team to lead. Specifically, it’s probably not the right fit if:
- You’re coming from a large enterprise security function and are looking for a similar structure, support team, or delegation model: this role is hands-on by design.
- Your background is primarily audit, compliance, or governance and you haven’t worked closely with engineering or DevOps teams: technical credibility with builders is essential here.
- You’re an AppSec or security engineering specialist looking to step up: the majority of the workload is governance, partner-facing, and commercial, not technical execution.
- You’re motivated primarily by growing a team: the function is intentionally lean, and that’s unlikely to change significantly in the near term.
- You’re looking for a purely advisory remit: this role owns outcomes, not recommendations.
What you’ll bring
Required
- Proven experience in a senior security role in a technology or scale-up environment.
- Strong governance and compliance background across ANZ and/or UK regulatory frameworks, including policy maintenance and security risk reporting.
- AI-forward security mindset – you understand the risk landscape around GenAI, LLMs, and AI-assisted development, and can build governance frameworks that enable rather than block.
- Sufficient technical depth to contribute credibly to security standards, lead threat modelling, and ensure engineering and data teams are working to standard – without needing to own the tooling.
- Experience evaluating or managing an external SOC: detection scope, incident response, and escalation.
- Experience owning partner and customer security assessments at a commercial level – SIG, VSA, and bespoke due diligence.
- Confident communicator from engineer to senior stakeholder – you translate risk into business language and can uplift security literacy across a leadership team.
- Comfortable operating collaboratively alongside Engineering, Data, and TechOps – effective without direct authority over those functions.
- Solid understanding of AWS security, DevSecOps practices, and secure SDLC principles.
- Practical experience contributing to DPAs and TOMs in a B2B context – comfortable working alongside legal and privacy counterparts on partner contracts.
- Experience operating a sub-processor register and change-notification process in a B2B SaaS or regulated context.
Preferred
- Relevant certification: CISSP, CISM, CRISC, CCSP, or equivalent.
- Familiarity with Cyber Essentials Plus or equivalent UK security certification frameworks.
- Experience with cloud security posture management tooling (e.g. Wiz, or equivalent).
- Experience with SIEM or security observability tooling (e.g. Datadog, GuardDuty, or equivalent).
- Experience operating across multiple geographies (ANZ and UK, or equivalent).
- Exposure to the insurance, fintech, or regulated financial services sector.
- Degree in Computer Science, Information Security, or a related field.
Role location
Where you’ll work
This role is based in Sydney, Australia. We work in a hybrid model, with teams in the office on Mondays, Tuesdays, and Thursdays. We’ve found this rhythm genuinely supports collaboration and the kind of fast, high-trust culture we’ve built. You’ll have flexibility on the other days to work in a way that suits you.
Why Open?
Open is on a mission to make it easy for everyone to get the most from their insurance. Insurance is one of the world’s least digitally mature industries – for years it’s remained confusing, paper-based and heavily intermediated. We launched in 2016 to build a global, AI-powered platform that digitises the entire insurance process, making it transparent, less costly and more reliable.
It’s an exciting time to join Open and be part of a tech scale-up. We provide our team with:
- Highly competitive compensation, including share options – we believe in paying people what they’re worth and having everyone in our company share in our success.
- High levels of autonomy and trust so you can do your best work.
- Growth opportunities internally – as you grow, your role can too.
- Flexible working – we are about impact, not time at your desk.
- We encourage freedom and responsibility, including the ability to work from anywhere.
- Paid company parental leave, supporting all parents as they balance career and family.
- Bonus leave – additional paid leave designed to support rest and wellbeing once standard leave has been utilised.
- Personal development allowance – flexible annual benefit to support learning, wellbeing and personal growth.
More about us
Open is a certified B Corporation using business as a force for good, and we’re proud to be an equal opportunity employer committed to building an inclusive, high-performing team.
We encourage you to apply even if your experience doesn’t match every requirement – we’re looking for people who are curious, courageous, innovative, and motivated by impact.
If you want to help build the future of insurance, we’d love to hear from you.