Key skills
AWSAzureCloudGoogle Cloud PlatformAIAgenticGCPGoogle CloudSaaSLeadershipRisk ManagementPenetration TestingCloud Security
About this role
Role Overview
- Establishing security maturity
- Zinc is scaling fast, and we need our InfoSec function to keep pace. Your first 90 days are about understanding what good looks like at our stage and mapping the path to get there.
- AI security governance
- Zinc is AI-native, which is an opportunity and a responsibility. You'll be in the room with our COO and AI lead regarding adoption decisions from day one.
- Incident management ownership
- you're the lead on any material incident. Not managing every P3/P4, but the name at the top of the escalation when it matters. Set up the playbooks, own the response.
- Building the function
- you'll have one direct report, our InfoSec Manager. Your job is to define what this function needs to look like in 2-3 years, and start executing.
- Information security strategy
- defining and owning the multi-year roadmap
- Security architecture
- reviewing and advising on technical design decisions, embedding security by design across products and platforms
- Risk management
- maintaining the risk register, identifying, prioritising, and tracking the things that actually matter
- Compliance programmes
- ISO 27001, SOC 2, and relevant sector standards; in close partnership with our Compliance team
- Incident management
- owning major incident response; first port of call in a crisis
- AI security governance
- partnering with our AI & Automation lead on safe AI adoption at Zinc
- Customer and supplier security
- security questionnaires, diligence requests, contractual requirements
- Third-party risk
- vendor security assessment and ongoing monitoring
- Security awareness
- training, culture, getting the business to care
- Budget
- managing the InfoSec budget and investment cases, aligned to Zinc's risk profile
Requirements
- 5+ years in information security, with at least 2 years in a leadership or senior practitioner role
- SOC management, security architecture, penetration testing, or engineering. You've built things and broken things, not just written about them.
- Ready to step up
- you've been a senior practitioner and you're ready to own the function.
- AI literate
- you understand the security implications of LLMs, AI tooling, agentic workflows, shadow AI, and third-party SaaS risk. This is not optional at Zinc.
- High EQ
- you'll inherit an existing team member who is professional, capable, and ambitious. How you lead that relationship matters more than your CV.
- Strong communicator
- you'll be speaking to auditors, customers, and a non-technical leadership team. You need to translate risk into language that drives decisions.
- Compliance-aware, not compliance-driven
- you understand the standards but you lead with risk, not box-ticking.
- Comfortable with ambiguity
- the playbook is incomplete. You'll write it.
Desirable:
- Experience in a fast-growing global SaaS business
- Familiarity with DevSecOps and secure development lifecycle practices
- Relevant certifications (CISSP, CISM, or similar)
- Experience with cloud security (AWS, Azure, or GCP)
Tech Stack
- AWS
- Azure
- Cloud
- Google Cloud Platform
Benefits
- 24 days holiday + Bank Holidays + your birthday off 🎉
- £1200 annual benefits allowance (ThanksBen, from month 2)
- Early finish Fridays (16:00)
- Yearly company retreat abroad ✈️
- 30 days to Work from anywhere 🌍
- Enhanced Maternity, Paternity, and Adoption Leave (2 months full pay, then statutory)
- Statutory pension with NEST (3% employer, 5% employee)
- Zinc shares, issued through the EMI Scheme
- Unlimited access to MoreHappi coaching
- Company socials, quarterly team socials Free Monday lunches
- Nursery workplace benefit scheme (Yellownest)
- Option to lease an electric car through Electric Car Scheme
- Celebrated Zinc anniversaries 🥳