Security Lead

About Newton.co

Say hello to Newton! We're changing how Canadians trade crypto. Our goal? To make financial freedom something everyone can achieve. We give our customers the tools and knowledge they need to navigate the crypto world.

At Newton, you'll work with a remote team spread across Canada, but you'll never feel distant. Ready to be part of something meaningful? Join a team that’s all about pushing boundaries and getting things done.

Some of our values:

• Customer first mindset - Commitment to integrity and transparency to our users!
• A dynamic team fueled by collaboration uniting our strengths to overcome any obstacles. Together we build success.
• We persevere, adapt, and come back stronger, turning obstacles into opportunities
• We strive for continuous improvement and embrace creativity and encourage experimentation. We push the boundaries of what’s possible and continuously explore new ideas, technologies, and solutions

Role Overview: Security Lead

We’re hiring a Security Lead to own and drive our security function end-to-end, combining strategic direction with hands-on technical authority. You will review, challenge, and strengthen our systems, act as the security authority within engineering, define guardrails, and drive remediation when risks arise. Operating independently, you’ll build the structure and standards needed as we scale. Your mission is to own the company-wide security strategy and architecture, ensure CIRO and SOC 2 alignment, and embed strong security practices across infrastructure, applications, and internal systems, while enabling engineering velocity.

Responsibilities will include:

Security Strategy & Risk Ownership

• Define and maintain the company’s security roadmap
• Maintain and actively manage a living risk register
• Translate regulatory requirements into practical engineering controls
• Prioritize remediation based on business and regulatory risk
• Act as the internal security authority within engineering

Security Architecture & Infrastructure Review

• Review infrastructure designs from a security perspective
• Challenge architectural decisions that introduce risk
• Define security guardrails for cloud infrastructure
• Improve and harden existing IAM
• Strengthen centralized logging and monitoring
• Improve secrets management practices
• Review Pulumi-based infrastructure changes with a security lens
• Define security requirements for new services and infrastructure components

Application Security Ownership

• Own the company’s application security posture
• Define secure development standards
• Introduce lightweight threat modeling practices
• Oversee SAST/DAST and dependency scanning tooling
• Ensure security is embedded throughout the SDLC
• Partner with engineering teams to remediate vulnerabilities

Security Incident Response & Monitoring

• Define and maintain the incident response framework
• Establish clear escalation and communication processes
• Ensure appropriate logging and monitoring coverage
• Lead and coordinate security investigations when required
• Track remediation actions following incidents
• Continuously improve controls based on lessons learned

Penetration Testing & External Assessments

• Own and coordinate external penetration tests
• Scope engagements appropriately
• Ensure remediation plans are defined and executed
• Track findings to closure
• Strengthen internal controls based on test results

Regulatory Alignment (CIRO + SOC 2)

• Lead security readiness for CIRO requirements
• Drive SOC 2 preparation and evidence collection
• Maintain defensible documentation and policies
• Ensure implemented controls withstand audit scrutiny
• Partner with Engineering Directors to close compliance gaps

Third-Party & Vendor Risk Management

• Define and manage third-party risk assessment processes
• Evaluate the security posture of critical vendors
• Assess the security impact of new tools before adoption
• Define mitigation controls prior to integration
• Maintain vendor risk documentation aligned with regulatory expectations

Endpoint & Internal Controls

• Strengthen security controls on developer machines
• Define secure onboarding and offboarding processes
• Improve privileged access controls
• Ensure internal security practices align with regulatory expectations

Who you are:

• Understand IAM and least privilege principles
• Understand logging, monitoring, and alerting architecture
• Be comfortable reviewing infrastructure-as-code (Pulumi)
• Reason confidently about security architecture across infrastructure and application layers
• Be willing to deepen your technical capabilities where needed
• Have hands-on experience with SOC 2 or comparable audit processes
• Have experience in a regulated environment (fintech, financial services, or similar), ideally CIRO-regulated
• Have a strong understanding of risk management frameworks
• Influence and challenge cloud architecture decisions when needed
• Experience with AI tooling governance or AI-related security considerations is a strong plus

Key skills/competency

• Security Strategy
• Risk Management
• CIRO Compliance
• SOC 2 Compliance
• Application Security
• Cloud Security
• IAM
• Incident Response
• Penetration Testing
• Pulumi