Security Lead
Alan is an insurance group focused on prevention and aims to build a global leading company. As a Security Lead, you will bring structure, vision, and people leadership to our security team and help protect our sensitive health data across 10+ countries.
Pillars of the role
- Lead the security team and the topic
- Own security in the AI era
- Scale across 10+ countries
- Build and evolve Alan's security strategy
Responsibilities and traits
- People leadership at scale
You have led security (or security‑adjacent) teams where people genuinely grow. You can coach, structure, and elevate a team that is already highly technical. You have concrete examples of talent you have developed.
- Gives clarity and direction
You can cut through ambiguity and set a clear agenda for a team through well‑communicated priorities and structured ownership.
- Combines vision with execution
You are comfortable setting direction and rolling up your sleeves technically. You do not hide behind strategy when things need to get done. You understand how the product works and contribute value to product‑led discussions.
- Knows when to elevate and when to absorb
You have the judgment to distinguish between noise and real signal, and to protect the team's focus accordingly.
- Pragmatic risk trade‑offs
You make sensible risk decisions and keep the business moving rather than chasing perfect security. You understand that security is an enabler rather than a gatekeeper.
- AI security vision
You have a clear point of view on how AI changes the threat landscape as an attack vector and as a defensive lever. You are thinking seriously about LLM security, agent risks, and AI governance.
- Enables AI adoption safely
You can design a framework that lets product and engineering teams ship AI‑powered features confidently, without creating bottlenecks. You think in guardrails, not gates.
- Stays current
You track OWASP LLM Top 10, MITRE ATLAS, EU AI Act, and similar developments. You can translate them into actionable priorities for Alan's context.
- Uses AI for security
You actively use AI to accelerate threat detection, automate compliance evidence, and improve the team's throughput; you do not just talk about it.
- ISO 27001 ISMS leadership
You have led at least one full certification or recertification cycle. You know what breaks down in the months between audits and how to run the programme as a living system rather than a point‑in‑time exercise.
- Multi‑regulatory fluency
You understand DORA, HDS, RGPD, NIS2, and PGSSI‑S, not necessarily as a GRC expert, but well enough to translate regulatory requirements into technical controls and flag implementation gaps. You understand the frameworks' long‑term dependencies and the possibilities they unlock for the business.
- Health sector context
You have worked in or closely with regulated industries. Bonus: you understand the ANS framework, CERT Santé requirements, and what it means to handle sensitive health data operationally.
- Risk as a living programme
You have run security risk mapping (ideally with EBIOS RM) and made it feed into real business and engineering decisions.
- Third‑party risk with real teeth
You have run vendor security assessments and defined contractual security requirements. You are able to partner with Risk and Audit functions without duplicating work.
- Security as a business asset
You see security as a long‑term defensive asset and a trust‑builder for members, regulators, and partners, not a cost centre.
- Influences without authority
You align Legal, DPO, Risk, Engineering, Product, and Operations on security requirements without creating blockers or adversarial dynamics. People come to you early because you make their lives easier, not harder.
- Communicates risk to non‑technical audiences
You can brief a board or executive committee and make them feel informed, not overwhelmed. You know the difference between a board‑level finding and a quarterly report item.
- Builds security culture, not compliance theatre
Your awareness programmes land because they are relevant and well‑designed, not because they are mandatory. The goal is teams making better decisions, not teams checking boxes.
- Thrives in a distributed, written culture
You are comfortable with async communication, written‑first thinking, and working across countries and time zones without needing constant synchronisation.
Expected outcomes in 1 year
- Built the security team with clarity, structure, and direction (includes defining Alan’s security vision, how Security interfaces with the rest of the company, capacity planning, talent density, hiring plans, etc.)
- Shaped how Alan uses AI for security: build an AI security posture that is both rigorous and an accelerator for the team
- Maintained and evolved Alan's compliance backbone across ISO 27001, HDS, DORA, and defined a playbook to ensure consistency across 10+ countries
- Built a living security risk programme that feeds into business and engineering decisions
- Confirmed Alan as a trusted, security‑first company in the eyes of regulators, partners, and members
Position level
This position targets level F+ on our level grid.