CISO - Chief Information Security Officer

Shift is the leading AI platform for insurance. Shift combines generative, agentic, and predictive AI to transform underwriting, claims, and fraud and risk - driving operational efficiency, exceptional customer experiences and measurable business impact. Trusted by the world's leading insurers, Shift delivers AI when and where it matters most, at scale and with proven results.

Our culture is built on innovation, trust, and a drive to transform the insurance industry through our SaaS platform. We come from more than 50 different countries and cultures and together we are creating the future of insurance.

We're looking for a Chief Information Security Officer (CISO) to join our Technology Leadership Team - someone ready to develop and scale our global security strategy, bring enterprise best practices, and directly influence how we build and protect technology that powers our business and insurance customers worldwide. This role reports to the CTO and works closely with our Executives and Leaders to help shape the next chapter of Shift's growth.

What You'll Do

• Lead from the front. Roll up your sleeves to design, build, and continuously improve Shift's global information security program - from strategy to implementation. You'll define the security roadmap and directly drive its execution, ensuring alignment with our business growth, customer commitments, and risk appetite.
• Be in the trenches with the business. Partner daily with our teams to embed security into how we sell, build, and deliver. You'll join customer meetings, shape RFP responses, and give enterprise clients the confidence that their data is protected end-to-end.
• Build, mentor, and operationalize. Stand up and scale a high-performing security team. Establish clear processes, run tabletop exercises, monitor controls, and drive a security-first culture across engineering, operations, and customer success.
• Protect without slowing progress. Engineer pragmatic, scalable controls into Shift's SaaS platform - enabling rapid product development while maintaining enterprise-grade protection and compliance.
• Stay ahead of threats and regulations. Actively monitor emerging attack vectors, regulatory updates, and technology shifts. Advise the executive team and Board with actionable insights and clear risk assessments that tie directly to business outcomes.

What You Bring
Holistic Security Leadership and Business Alignment: You bridge risk governance and business strategy.

• Proven ability to design and lead an enterprise-wide security strategy that balances risk, compliance, and innovation.
• Proven ability to own, build, and manage a global GRC program, translating the complex intersection of AI (EU AI Act, ISO 42001), Privacy (GDPR, ISO 27701), Health (HITRUST, HDS), and Financial Services (DORA, NYDFS) regulations and standards into practical engineering controls and company-wide processes, while maintaining compliance with core standards like SOC 2 and ISO 27001.
• Skill in communicating security posture and trade-offs to executives, board members, and customer executives.

Deep Technical Expertise in Application and Cloud Security: You understand how software is built and deployed - not just how to secure it after the fact.

• Hands-on experience of designing, implementing and managing secure SDLC practices, API and microservice security, and cloud-native architectures.
• Demonstrated expertise in implementing, managing, and tuning modern AppSec tooling (SAST, DAST, SCA, container scanning) and CI/CD pipeline integration.
• Ability to guide, educate, and influence engineering teams on threat modeling, code-level risks, and secure design principles.

DevSecOps Mindset and Automation Experience: You know Security has to be part of development workflows.

• Demonstrated experience embedding security controls into DevOps pipelines and culture.
• Direct experience of securing infrastructure-as-code (e.g., Terraform, Kubernetes, AWS CloudFormation).
• Comfort driving automation and "shift left" initiatives that make secure development faster, not slower.

Strong GRC, Risk Management, and Compliance Expertise: Even in a highly technical role, governance and assurance remain foundational.

• Expertise in risk assessment methodologies, control frameworks, and audit processes.
• Ability to build compliance programs that scale - translating regulatory obligations into practical, developer-friendly controls.
• Experience managing third-party risk, vendor security, and customer assurance activities (e.g., security questionnaires, RFPs).

About you

• 15+ years of Info Sec leadership experience, including at least 7 years in senior security roles within SaaS or cloud-first organizations.
• Strong expertise in cloud security (AWS, Azure, GCP), DevSecOps, identity and access management, and data protection.
• Proven success leading security in high-growth, multi-national environments.
• In-depth knowledge of regulatory frameworks and compliance programs (SOC 2, ISO 27001, GDPR, CCPA, etc.).
• Relevant certifications such as CISSP, CISM, CISA, or CCSP preferred.
• Fluency in English required, French strongly preferred.

Interview Process:

• Recruiter Interview
• CTO - Hiring Manager Interview
• Technical Round (2 interviews)
• Business Partner/Stakeholder Interview
• CEO Interview

To support our permanent, full time employees at every stage of their careers and lives, we provide a competitive total rewards and benefits package. Here are the global benefits we'd like to highlight:

• Flexible remote and hybrid working options
• Competitive Salary and a variable component tied to personal and company performance
• Company equity
• Multiple Learning and Development opportunities, including Focus Fridays, a half-day each month to focus on learning and personal growth
• Generous PTO and paid holidays
• Mental health benefits
• 2 MAD Days per year (Make A Difference Days for paid volunteering)

Additional benefits may be offered by country - ask your recruiter for more information. Intern and Apprentice position are eligible for some of these benefits - ask your recruiter for more details.

At Shift we strive to be a diverse and inclusive workforce. We welcome applications from and hire people who will contribute to the diversity of our company, without regard to race, color, religion, marital status, age, national or ethnic origin, physical or mental disability, medical condition, pregnancy, genetic information, gender identity or expression, sexual orientation, or other non-merit criteria.

Shift Technology is committed to providing reasonable accommodations for qualified individuals with disabilities in our application and employment process. Should you require accommodation, please email [email protected] and we will work with you to meet your accessibility needs.

Please be aware of scammers and only trust correspondence that comes from emails ending in "shift-technology.com". We will never do initial outreach to you via Whatsapp/Text/SMS, never ask for banking information or personal identification numbers (ex. Social Security Number) as part of our recruitment process.

Shift Technology does not accept unsolicited CVs from recruiters or employment agencies in response to the Shift Technology Careers page or a Shift Technology social media post. Any unsolicited CVs, including those submitted directly to hiring managers, are deemed to be the property of Shift Technology.