Head of Security

As our Head of Security, you won’t have to build from scratch. You’ll inherit a good but nascent security program that I started, and then our former Head of Security & IT improved. We want you to scale this program and team through our next phase of high growth.

I think it’s important to share a bit about the broader company as context for this role. Ashby builds powerful and easy-to-use recruiting software that replaces several venture-backed companies’ worth of products (often with a better experience). We have notable customers like Notion, Linear, Shopify, and Snowflake. Our growth and retention metrics are best-in-class among our peers: we have tens of millions in ARR, thousands of customers (including Enterprise customers), growing >120% year over year, very low churn, and many years of runway.

As a result of our success, Ashby manages a significant amount of sensitive information and PII on behalf of candidates and customers (from candidate addresses to offer details to company calendars), and the volume and types of sensitive data are only increasing as we expand the product.

This presents fascinating security challenges that you’ll lead and collaborate with other departments to solve.

Your first challenge will be building out our security team and scaling our security program. It’s been a team of one so far, but we’ve added many automations (e.g., one-click offboarding) and services (e.g., SecurityPal) to help. We also collaborate with other departments (e.g., Support triages security@) to manage a good portion of routine Security work. That being said, you’ll still need to be a hands-on security generalist to start. By the end of the year, you’ll have added people (1-3 individuals), processes, and automation to scale yourself out of more of the routine work.

Some Other Examples Of Challenges You’ll Work On

• LLMs and AI products are powerful technologies, and new startups today have an advantage in utilizing these technologies because they have higher risk tolerance. Despite our scale, we must continue to adopt new technologies at a similar pace, but with the right security and privacy controls in place to match our maturity. You’ll help us navigate that with our IT and leadership teams by building policies, processes, and systems for departments to adopt at startup speed.
• This same technology also poses challenges for the recruiting industry, including mass bot applications and fraudulent candidates. You’ll lend your expertise to our Product and Engineering teams to help them build counters in our product (example here). You’ll also work with our customers and the broader industry to help them build strategies in their own processes (example here).
• As we move into people workflows and capture more sensitive data, we’ll need to address the additional risk that brings, but, at the same time, not hinder our ability to provide excellent support to our customers. You’ll partner with Engineering, IT, and Customer Support to develop tools, integrations, and safeguards that enable us to practice least privilege through smart automations rather than slow, manual approvals.

What We’re Looking For

Most importantly, I’m looking for someone who is collaborative and approaches security from a first-principles perspective. In past companies, we’ve worked with security teams that blindly follow industry norms and standards, or view their job as reducing risk to zero, both at the expense of velocity and innovation in other departments. Instead, you view Security’s goal as identifying, exposing, and educating on risk, then collaborating with others to determine when it makes sense to mitigate and when it makes sense to compromise. You help us make the right decisions for the business – putting objectivity and first principles above comfort or familiarity when it comes to both risks and methods.

Secondly, I am looking for someone who builds high-quality, scalable processes. You should be able to zoom out from hands-on work to realize when you need to shift to building a process or playbook. You should also be technically proficient enough to identify opportunities for automation, rather than always relying on people to solve problems, and either build these automations yourself or with our IT and Engineering teams.

Finally, I’m looking for someone who is an excellent communicator both externally and internally. Customers need to feel confident that their data is secure with Ashby. You achieve this not just by keeping Ashby secure, but also by addressing common concerns and questions through empathetic and thorough documentation, and, for our larger customers, one-on-one meetings with their Security team. Internally, the policies, processes, and influence you have within the organization affect over 250 people today and more than 500 people by the end of the year. Your words matter, and you use them effectively to navigate opinions and situations, communicate Security priorities, and build a strong security awareness within the team.

The types of background we’re looking for include candidates who have been the Head of Security at a startup, built a security program from the ground up, and overseen a security program at scale. An exceptional candidate would be someone with a background in Engineering, but it’s not required for the role.

Why You Shouldn’t Apply

• You’ve never managed information security personnel. You will build a team of 1-3 over the next year, and unfortunately, we don’t have the bandwidth to coach someone new to management.
• You’ve always been a line manager or middle manager. You will set the strategy and roadmap for our Security program and posture, and we are looking for someone who has had that responsibility before.
• You’ve never managed a security program near our scale of business (e.g., thousands of customers and hundreds of employees). As we add more employees, Enterprise customers, and expand into additional products, we expect you to have the expertise to navigate the security concerns and risks that come with it.
• You don’t enjoy interacting with other departments, customers, or the broader industry. You are the face of Ashby Security, and we need you to project your expertise and competence to everyone we engage in Security conversations with.
• You don’t see security as a customer-service function. As with our own product, we believe that customer service through education, challenge, and delight is essential to a Security function that is seen as an enabler, not a roadblock. We need you to embody this as the Head of Security.

What We’re Building

Benji (CEO and Co-Founder) and I are engineers, and we are used to tooling that makes us better at what we do. When we started Ashby, we saw the opposite with Talent Acquisition software. Recruiting teams were leveling up how they did their work, but instead of software meeting this new standard, it held them back.

Scheduling a final round is an excellent example. Recruiting teams wanted to schedule candidates faster, track interviewer preparation and quality, and do it with half the headcount. A recruiter needed to manually collect availability from the candidate, identify qualified interviewers, perform “Calendar Tetris” to find who is available to interview the candidate, schedule on the earliest date possible, and make any last-minute adjustments as availability changed. They must do this while considering the interview load on each individual and whether interviewers need to be trained and shadowing others. 🥵 TA software didn’t help.

As hiring managers, we know TA is a critical function, and as engineers, we know software can do better. So, we built and continue to build Ashby to give TA teams the highest standard of tooling. Software that’s intelligent and powerful. Software that provides insights into where they’re failing and automates or simplifies many of the tasks they’re underwater with. We want other functions and departments to be jealous of what TA teams can do with Ashby, and today they often are!

Interview Process

Role

This is a crucial role that will lead Security today and scale it into the future. The interview process reflects that both in challenge and length (~5.5h):

• Introduction call with our technical recruiter, Nadia (45m, live)
• Introduction call with me (30m, live)
• An interview with me to explore your past experience running a security program and hiring security personnel (90m, live)
• An interview with myself and our Head of IT to delve into your technical knowledge and experience. Topics include AppSec, GRC, and Data Security (1h, live)
• Interview with Benji, our CEO (30m, live)
• Final round where you meet leaders from Engineering, Sales, and Customer Success (90m)

Near the end of the process, we’ll do reference checks and ask for a writing sample (as a global remote team, a lot of how we communicate is in writing). We treat them as an important signal in our final decision.

In each interview, you’ll have 5-15m to ask questions of the interviewer.

This is also an important decision for you, so I’m always happy to have coffee chats in person or over Zoom to get to know each other.

Benefits

• Competitive salary and equity.
• 10-year exercise window for stock options. You shouldn’t feel pressure to purchase stock options if you leave Ashby —do it when you feel financially comfortable.
• Unlimited PTO.
• A minimum of 12 weeks of fully paid parental leave, covered by Ashby. For folks outside the US, it may be longer to be in line with regional requirements.
• Generous equipment, software, and office furniture budget. Get what you need to be happy and productive!
• $100/month education budget with more expensive items (like conferences) covered with manager approval.
• If you’re in the US, we offer top-tier health insurance for you and your dependents, with 100% of premiums covered by Ashby. In other countries, we provide high-quality supplemental health insurance for you and your dependents, also fully covered by us.

Ashby’s success hinges on hiring great people and creating an environment where we can be happy, feel challenged, and do our best work. We’re being deliberate about building that environment from the ground up. I hope that excites you enough to apply.

Ashby provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, national origin, age, disability, genetics, sexual orientation, gender identity, or gender expression. We are committed to a diverse and inclusive workforce and welcome people from all backgrounds, experiences, perspectives, and abilities.