Head of Security (F/H) - 65K€-75K€

48 rue la Boétie, Paris, France


Context
Worklife is a Fin/HR tech that reinvents employee benefits! All your benefits are gathered on ONE app, combined with ONE payment card to facilitate their use. Employee benefits are poorly valued, lack visibility, and no longer meet the real needs of employees or the company. So if you too want to be part of this change and join a growing company, join us!
Opportunities
We help our clients implement a salary policy that has an impact and meaning for employees and the company. Our expertise and personalized offer place us among the most dynamic players in the employee benefits market and notably the No. 1 player in sustainable mobility 😎

Since our launch in Oct 2020, we have experienced great growth and we are currently preparing for the sequel 🔥

As a hands-on Head of Security, you'll lead Worklife's security and privacy governance, risk and compliance roadmap. You will be responsible for maintaining and improving our Information Security Management System (ISMS), ensuring compliance with laws and standards (specifically ISO 27001, PCI-DSS, GDPR, AI Act, NIS2), driving certification processes, and spreading a proactive security culture across the company. You will work cross-functionally with HR, the DPO, Legal & Compliance, and Engineering to ensure security is embedded across all processes.

Within the tech team, and reporting directly to our CTO, you will have a key position in the development of our product.
Tech team :
Our tech team includes more than 23 engineers, based between Paris and Kyiv. We're organized into specialized teams:
- Platform
- Frontend
- Backend
- QA
- Mobile
Our stack :
- Backend: Microservices in Python (FastAPI), DDD-inspired architecture
- Frontend: Nuxt 3 (Vue.js) & React
- API Gateway: GraphQL (Apollo)
- DevOps & CI/CD: GitLab, Docker, Kubernetes (Helm)
- Infrastructure: AWS (Terraform)
- Observability: Datadog, Sentry, Paganalyzer
- Project Management & Design: Linear, Figma, Notion
- Data Stack: Segment, Airflow, Airbyte, DBT, PostgreSQL Data Warehouse
- Security stack: Riot, Kandji, SafeBase, Wiz, SonarQube, AWS WAF
Missions
- Define and oversee the Security Roadmap, aligned with ISO 27001 and business goals.
- Ensure the ISMS remains operational and up-to-date, with clear ownership across control domains. Drive continuous improvement and lead certification efforts.
- Support the DPO in driving compliance with GDPR, CNIL, and other data protection regulations by implementing supporting security measures.
- Coordinate internal and external audits and penetration tests, ensuring findings translate into prioritized, tracked remediation actions.
- Respond to security and privacy questionnaires and compliance requests as part of RFPs and vendor due diligence processes.
- Establish a proactive threat detection posture, working with teams to shift security both left (in development) and right (in production).
- Implement a scalable, automated vulnerability management program across code, infrastructure, and third-party dependencies.
- Build security and privacy culture through awareness and training, so every employee actively contributes to our risk posture.
- Own and enforce IAM and endpoint security policies, including SSO, provisioning, least privilege, and MDM. Continuously monitor and improve coverage.
- Maintain and improve incident response readiness, with clear playbooks, roles, and transparent post-incident reviews.
- Contribute to secure operational processes during onboarding and offboarding by aligning with HR and the DPO on data protection practices.
Expected Results During Onboarding
Ramp up 3 months:
D+30
- Meet your stakeholders and get to know everyone, who they are, and what they do.
- Complete onboarding and review the existing security roadmap, ISMS documentation, and prior audits.
- Identify critical gaps in the current security posture (especially IAM, endpoint protection, and incident response).
- Begin mapping ownership of ISMS controls and start stakeholder interviews (Tech, HR, Legal, Product).
- Draft a security priorities brief for internal alignment (CTO, DPO, COO) based on initial findings.

D+60
- Review ongoing RFPs and compliance requests to standardize questionnaire responses.
- Share an updated, actionable Security Roadmap with quarterly milestones and KPIs.
- Standardize audit response templates and the remediation tracking process (e.g., in Notion or Excel).
- Kick off or refresh a company-wide phishing simulation and awareness campaign.
- Provide security input to the onboarding/offboarding checklist managed by HR and the DPO.

D+90
- Achieve full ISMS control ownership mapping with updated documentation.
- Establish a regular vulnerability scanning policy across environments and teams.
- Publish the first company-wide security KPI dashboard (e.g., vulnerabilities, MDM coverage, IAM status).
- Run a full internal or external pentest, and track results with a follow-up remediation plan in place.
- Propose a security budget and roadmap for the next 12 months, including tools and staffing needs.
Profile Sought
We believe that diversity of profiles contributes to the success of Worklife and we therefore make every effort to ensure that inclusion, equity, and accessibility are at the heart of our recruitment processes.
Pre-requisites:
- Minimum of 5 years' experience in software security and compliance within an engineering team, with a strong focus on implementing ISO 27001 standards and security & privacy policy development.
- Demonstrated knowledge of web application security risks, including OWASP guidelines, and experience with technologies like WAF, IDS/IPS, and RASP.
- Cloud security expertise, preferably on AWS, including secure design and operations in Kubernetes-based environments.
- Hands-on experience with SIEM tools and security incident monitoring, detection and response.
- Comfortable with modern web applications, Event-Driven Development, and Micro-services architecture, and adept at using programming languages like Python and infrastructure-as-code tools such as Terraform.
- Thorough understanding of data protection and privacy laws, including GDPR compliance. Familiarity with CNIL requirements is considered an asset.
- Excellent communication skills in both French and English.
- Engagement with cybersecurity communities is a plus.
- Knowledge of financial compliance regulations like PCI-DSS and AML is a plus.
Our Cultural Fit Criteria
- Be impactful: You are proactive, bold, and take ownership of your work.
- Never give up: You uphold high standards, demonstrate resilience, and adapt to challenges.
- Level-up: You embrace a test-and-learn approach, take responsibility for your projects, and provide/receive constructive feedback.
Join us in shaping the future of Worklife’s backend ecosystem and driving excellence in engineering!
Employee Benefits
We offer you remuneration at market price, reevaluated each year (based on the market, our performance and your results) as well as +€4,500 in employee benefits (€5,000 if you are a parent) 👇
- 14€ / day worked with meal vouchers, covered at 50%, and access to the benefits of our food partners including Frichti
- 800€ / year sustainable mobility allowance for your transport (public transport subscription, scooter, purchase of bicycle, single metro ticket, etc.)
- 120€ / month personal services (housekeeping help, sports coaching, childcare, etc.), 200€ / month if you are a parent
- 300€ / year remote allowance for your expenses related to working from home
- 30€ / month for your sporting activity
- 100€ / year to contribute to your expenses during your vacations
- 100€ / year to contribute to your expenses during the Christmas celebrations
- RTT (number of days defined according to the collective agreement, 9 in 2024)
- An excellent working environment: an international team, regular events, offsite, offices in the heart of Paris
- The pleasure and pride of using our own product on a daily basis (and of testing all the advantages offered!)
Process
- Intro Call with Ariane (hiring expert)
- Interview with Farah (CTO) – 1h
- Interview with Melati (Head of Legal & DPO) – 45 min
- Discussion with two team members (Platform & Engineering Manager) – 1h
- Final: Call with Victoire (DRH)
- Reference check & Offer
We do our best to have a process of about 20 days and we send an offer within 48 hours 🤞

Category: Leadership Jobs


Perks/benefits: Career development Equity / stock options Startup environment Team events

Region: Europe
Country: France
