• Owning and driving the research roadmap, focusing on the highest-impact problems in leaked credentials, secrets exposure, and non-human identity security. • Leading a team of experienced researchers, setting direction, assigning ownership of critical initiatives aligned to the roadmap, and ensuring research output consistently translates into product and company impact. • Identifying and validating novel leak surfaces across code, SaaS tools, logs, datasets, and emerging ecosystems (including AI/LLMs). • Designing and running large-scale scans and experiments to uncover real-world exposures, validate impact, and understand attacker behavior. • Developing verification systems at scale to distinguish real, exploitable secrets from noise—improving precision without sacrificing coverage. • Publishing high-quality technical research (blogs, reports, disclosures) and representing Truffle externally through talks, conferences, and community engagement. • Acting as a bridge between research and product, ensuring insights turn into shipped capabilities and roadmap decisions. • Collaborating cross-functionally with marketing, sales, and developer relations to turn research into clear, compelling narratives for customers and the broader security community.

• You'll own Hightouch's application security posture end-to-end. • Shape what security looks like here as we scale from 70 to 140+ engineers. • Solve hard problems at the intersection of security and distributed systems. • Improve our rate limiting, abuse detection, and granularity of access control. • Support our multi-region and multi-cloud backend, including launching Hightouch in new regions to support data residency requirements.

• Vulnerability management and offensive testing: Own the vuln lifecycle end-to-end — intake, triage, prioritization, risk acceptance, ticketing to dev teams, and remediation within SLA — and manage external pen tests and targeted assessments. Report regularly on status, SLA performance, and trends. • Security operations and incident response: Manage our MSSP partner for 24/7 SIEM and SOC monitoring; ensure telemetry, detections, and playbooks match our threat model. Serve as incident commander for real events, and run regular tabletops and post-incident reviews. • Policy, controls, and risk: Define and maintain Reach’s security policies and control framework. Design, implement, and measure the effectiveness of controls; maintain a risk register; and surface material risk decisions to leadership. • Compliance and audits: Own SOC 2 Type II and PCI DSS end-to-end with continuous control monitoring and evidence collection between audits. Serve as the primary contact for external auditors. • Application and cloud security: Partner with engineering on secure SDLC, threat modeling for new products and features, SAST/DAST/SCA coverage, and cloud security posture (IAM, configuration, workload protection). • Identity and access management: Own IAM policy, periodic access reviews, privileged access, and joiner/mover/leaver processes, in partnership with IT and People. • Third-party and customer security: Run Reach’s vendor risk program (due diligence, questionnaires, DPAs, ongoing monitoring) and own responses to customer and prospect security reviews. • Security awareness and training: Run phishing simulations, ongoing and role-targeted training, and regular company-wide sessions on new threats and best practices. • Executive reporting: Provide regular security posture updates with meaningful metrics (MTTD/MTTR, patch latency, control coverage, phishing outcomes, audit readiness). • People, budget, and tooling: Act as a mentor for your report; own the security budget and tool stack — evaluating, procuring, rationalizing, and retiring tools as the program matures.

• Team Leadership & Development: Mentoring, and growing security engineers. This includes running 1:1s, career development planning, performance reviews, and building a culture of continuous learning around evolving threats and technologies. • Security Execution: Partnering with engineers on your team and the Sr. Director of Security and Integrity you’ll define and prioritize the team's quarterly and annual security initiatives, aligning them with business objectives and frameworks like NIST CSF, CIS Controls, or SOC 2. Translating risk assessments into actionable engineering work. • Cross-Functional Collaboration: Partnering with Platform, SRE, Legal, IT, Compliance, and Product teams to embed security into the SDLC, incident response processes, and vendor management workflows. • Incident Response & Preparedness: You’ll help the team to maintain the Security incident response program: runbooks, running tabletop exercises, on call schedules, and ensuring timely response to alerts and events. • Product and Cloud Security: Drive product security practices and cloud security posture across our AWS infrastructure, ensuring secure architecture, configuration, and continuous monitoring of our production environments. • Vulnerability & Risk Management: Overseeing application security testing (SAST, DAST, SCA), penetration testing programs (including bug bounty), and ensuring vulnerabilities are triaged, prioritized, and remediated within SLA. • Corporate Security: Partnering with IT, you and the team will help ensure strong protections in corporate security including spam, EDR, and device security is mature and well executed. • Vendor & Third-Party Risk: Helping the team evaluating security vendors, and overseeing third-party risk assessments. • Budget & Resource Planning: In coordination with the other department managers; manage the security budget, justifying tooling spend, headcount requests.