Description

Nexl is looking for its first dedicated Security & Compliance Lead to build and own the security and compliance program from the ground up. Our clients are law firms, and they trust us with sensitive client relationship data. Security is core to our product promise and our commercial licence to operate.

This is a dual-track role. You'll run operational security (identity and access controls, endpoint and email protection, SIEM-based detection and incident response) while simultaneously owning our compliance certifications: SOC 2 Type 2 (ongoing) and the ISO 27001 roadmap. On the application security side, you'll govern the program in partnership with Engineering rather than doing hands-on code review yourself.

You'll report to the Head of Engineering and work closely with the CPTO and VP of Strategy & Operations, interface directly with enterprise law firm clients on security matters, and produce board-level reporting.

You'll be Nexl's first dedicated security hire, which means genuine ownership and visibility. This is a greenfield role with executive sponsorship from the CPTO. You'll have input into tooling decisions and budget conversations from day one.
Requirements

Policy & Security Awareness:
- Build and maintain Nexl's security policy framework: acceptable use, data classification, access control, BCDR, and incident response policies
- Own the security awareness training program, including curriculum, delivery cadence, and phishing simulation campaigns across the organisation
- Drive a security-first culture that is practical and embedded, not compliance theatre

Identity & Access:
- Own Microsoft 365 and Entra ID security posture: conditional access policies, phishing-resistant MFA (passkeys), OAuth application governance, and legacy protocol deprecation
- Manage privileged access controls and the joiners / movers / leavers process
- Serve as Nexl's internal subject matter expert for the Microsoft security stack

Security Operations:
- Select, deploy, and govern the SIEM and EDR stack, defining detection rules, alert thresholds, and escalation paths
- Own alert triage and incident detection, working with external SOC or MSSP partners where appropriate
- Own the incident response lifecycle end-to-end: detection, containment, communication, post-incident review, and registry updates
- Maintain the security risk register and report material risks to leadership and the board on a regular cadence

Governance, Risk & Compliance:
- Own Nexl's SOC 2 Type 2, ISO 27001 and ISO 42001 programs: control monitoring, evidence collection, auditor liaison, and annual renewal
- Respond to customer security questionnaires and enterprise due diligence requests: a high-frequency, revenue-relevant activity at Nexl's customer tier
- Maintain alignment with the Privacy Act (Australia), GDPR, and applicable US data protection requirements

Application Security:
- Own the annual penetration testing program: scope, vendor management, findings review, and remediation SLA tracking
- Define and maintain the vulnerability disclosure policy and responsible disclosure process
- Set SAST/DAST tooling standards and adoption requirements for the engineering pipeline in partnership with the Head of Engineering

Customer & Regulatory Trust:
- Act as the primary point of contact for enterprise and law firm clients on all security and compliance matters
- Produce board-level security reporting: incident summaries, risk posture updates, certification status
- Manage third-party vendor security assessments and the vendor review process
- Provide practical guidance across Privacy Act, GDPR, and cyber insurance obligations