# Head of Security

> Salla · Makkah, Saudi Arabia (Hybrid) · — · Posted 2026-06-29

**Workplace:** hybrid

**Department:** Technology

## Description

### **Role Purpose**

As Head of Security at Salla, you are the most senior security authority at Salla. You set the strategy, build the team, and own the controls that keep our platform, our people, and our merchants safe. You translate risk into business language for the executive team and the Board, and you make security a competitive advantage rather than a constraint. You will lead end to end across every security domain and represent Salla's security posture to auditors, regulators, partners, and customers.

**Please not that we are looking for Saudi Nationals only for this role.**

### **Key Responsibilities**

**Security Strategy & Leadership**

-   Own and evolve the enterprise security strategy, roadmap, and operating model across cloud, network, endpoint, physical, and GRC, aligned to Salla's growth and public-listing readiness.
-   Act as the organization's principal security advisor; brief the executive team and the Board on cyber risk posture, investment priorities, and regulatory exposure.
-   Define and steward the security budget, headcount plan, and tooling portfolio; drive measurable return on security investment.
-   Establish security KPIs, OKRs, and a metrics-driven reporting cadence for leadership and audit committees.

**Cloud Security**

-   Lead cloud security across the platform, including landing-zone hardening, network segmentation, secrets management, and workload protection (AWS strongly preferred).
-   Govern Infrastructure-as-Code security, container and Kubernetes security (image scanning, admission control, runtime protection), and CI/CD pipeline integrity.
-   Drive Cloud Security Posture Management, workload protection, and continuous compliance against recognized cloud control frameworks and CIS benchmarks.
-   Partner with SRE and Platform Engineering to embed secure-by-default guardrails that protect velocity rather than slow it.

**Network Security**

-   Own network security architecture, including edge protection, DDoS mitigation, web application firewall, segmentation, and zero-trust network access.
-   Govern the CDN and edge security stack, bot management, rate limiting, and origin lockdown for high-traffic, merchant-facing services.
-   Oversee secure connectivity, private connectivity, VPN, and DNS security.

**Endpoint Security**

-   Lead endpoint protection across corporate and engineering fleets, including EDR/XDR, device hardening, mobile device management, and disk encryption.
-   Run a continuous vulnerability and patch management program with clear remediation SLAs.
-   Define and enforce endpoint baselines and data loss prevention controls.

**Physical & Facility Security**

-   Own physical security for Salla's offices and facilities in Makkah and other sites, including access control, CCTV, visitor management, and environmental controls.
-   Align physical and logical access policies; govern physical access to sensitive areas and equipment.
-   Coordinate with Facilities, HR, and local authorities on safety, badging, and on-site incident response.

**Identity & Access Management (Zero Trust)**

-   Lead IAM strategy across cloud and corporate systems, including single sign-on, multi-factor authentication, privileged access management, and least-privilege enforcement.
-   Automate joiner, mover, and leaver workflows and run periodic access recertification.
-   Advance the organization toward a mature zero-trust architecture.

**Security Operations & Incident Response**

-   Build and run the security operations capability, including SIEM, detection engineering, threat intelligence, and continuous monitoring.
-   Own the incident response lifecycle from preparation through detection, containment, eradication, recovery, and blameless post-incident review.
-   Lead tabletop exercises, red and purple teaming, and breach-readiness drills; maintain crisis-communication and breach-notification playbooks.

**Governance, Risk & Compliance (GRC)**

-   Own the GRC function and the enterprise risk register; run the risk assessment and treatment lifecycle.
-   Lead certification and audit programs spanning ISO/IEC 27001, SOC 2, and PCI DSS, with alignment to the NCA Essential Cybersecurity Controls and Cloud Cybersecurity Controls, and to the SAMA Cyber Security Framework where applicable.
-   Own data protection and privacy compliance under the Saudi Personal Data Protection Law and SDAIA requirements, including data inventories, processing agreements, and cross-border transfer controls.
-   Prepare Salla's security and IT-governance posture for Tadawul listing, including controls maturity, evidence collection, and auditor readiness.
-   Author, ratify, and maintain the full lifecycle of security policies, standards, and procedures.

**Third-Party & Vendor Risk**

-   Establish and run the third-party risk program, including security due diligence, contractual security terms, and continuous monitoring of critical suppliers.
-   Embed security requirements into procurement and vendor onboarding.

**Security Awareness & Culture**

-   Build a company-wide security awareness, training, and phishing-simulation program.
-   Champion a positive, blameless security culture in which security is a shared responsibility.

**Team Leadership & Organization Building**

-   Lead, mentor, and grow a multidisciplinary security organization spanning cloud security, SecOps, GRC, and physical security.
-   Set objectives, develop talent, and build the hiring plan to scale the function with the business.
-   Forge cross-functional partnerships with Engineering, SRE, IT, Legal, HR, and Finance.

## Requirements

-   12+ years in information and cyber security, including 5+ years in senior security leadership (Head of Security, Director, or CISO-track) at a SaaS, fintech, or e-commerce organization.
-   Demonstrated ownership of security across multiple domains: cloud, network, endpoint, physical, and GRC.
-   Deep hands-on and architectural knowledge of cloud security (AWS strongly preferred), including Kubernetes and modern CI/CD.
-   Proven track record building and operating security operations and incident response at scale.
-   Strong GRC experience across ISO 27001, PCI DSS, GDPR and Saudi regulatory frameworks (NCA ECC and CCC, PDPL and SDAIA; SAMA CSF a plus).
-   Experience leading audits and certifications, ideally including IPO or regulatory-readiness programs.
-   Excellent executive communication; able to translate technical risk into business and regulatory language for the Board.
-   Bachelor's degree in Computer Science, Engineering, Information Security, or a related field.
-   Willingness and eligibility to work on-site in Makkah, Saudi Arabia.

## Apply

[Apply at Salla](https://apply.workable.com/salla/j/2B5B9145B7/apply)

---
Powered by [Workable](https://www.workable.com)