Head of Security

Fresha
London

The AI-powered OS for beauty, wellness and self-care


About Fresha

Fresha is the AI-powered operating system for the global beauty, wellness and self-care industry, connecting and powering everything from salons and barbers to spas, medspas, fitness studios and health practices.

Trusted by millions of consumers and businesses worldwide. Fresha is used by 140,000+ businesses and 450,000+ stylists and professionals worldwide, processing over 1 billion appointments to date.

The company is headquartered in London, United Kingdom, with 15 global offices located across North America, EMEA and APAC.

Fresha allows consumers to discover, book and pay for beauty and wellness appointments with local businesses via its marketplace, while beauty and wellness businesses and professionals use an all-in-one platform to manage their entire operations with an intuitive business software and financial technology solutions.

Fresha’s ecosystem gives merchants everything they need to run their business seamlessly by facilitating appointment bookings, point-of-sale, customer records management, marketing automation, loyalty, beauty products inventory and team management.

The consumer marketplace unlocks revenue potential for partner businesses by leveraging the power of online bookings and automated marketing through mobile apps and advanced integrations with major tech brands including Instagram, Facebook and Google.

About the role

Reports to: VP of Security, IT and Compliance

We're looking for someone to own security end-to-end at Fresha. You'll shape the security strategy alongside the VP, build and run the controls that protect the business, and be the person everyone — engineers, execs, auditors, customers — looks to for security questions.


You'll work alongside the Head of Compliance (who sits under the same VP) as a peer. They own the frameworks, the audits, and the evidence. You own the actual security posture, the tooling, and the response. The two roles need each other to succeed, and we expect you to work closely together rather than carve out territory.

We're a payments business operating in a regulated space, with HIPAA and ISO 27001 behind us and PCI DSS, GDPR, and SOC 2 Type II ahead of us this year. The security bar is not theoretical.

To foster a collaborative environment that thrives on face-to-face interactions and teamwork, this role will be based in our dog-friendly office 5 days per week in London: The Bower, 207-122, Old Street, London EC1V 9NR.

What you'll own:

Security strategy and roadmap

  • Shape the security strategy together with the VP — the VP sets direction at the exec level, you bring the ground truth, the technical depth, and the detailed plan that turns that direction into something real

  • Own the security roadmap that falls out of it: what we're building, what we're retiring, what we're deferring, and why

  • Make the call on where to invest day-to-day: tooling, headcount, external services, automation — within the strategic envelope agreed with the VP

  • Translate that roadmap into something the exec team can actually read and fund

Controls and protections

  • Deploy and run the security controls across the estate — endpoint, network, cloud, identity, application

  • Make sure controls are actually working, not just deployed — continuous validation, not annual tick-boxing

  • Partner with Engineering and IT to get controls in early, rather than bolted on after the fact

Penetration testing and vulnerability management

  • Run the regular external pentest cadence — application, infrastructure — and make sure findings are triaged and closed

  • Own the vulnerability management programme: scanning, prioritisation, SLAs, and closure

  • Work with the Head of Compliance on the evidence side — they need clean data for audits, you need clean closure on the underlying issues. Same data, different purposes

Incident response

  • Own the IR process end-to-end: detection, triage, containment, eradication, recovery, and post-incident review

  • Run the on-call model, the playbooks, the tabletop exercises, and the tooling behind them

  • Be the person in the room when something real happens, and the person writing the honest post-mortem afterwards

Threat intelligence and threat modelling

  • Stand up a threat intelligence capability — somewhere past incidents, near-misses, industry reports, and internal telemetry get captured, tagged, and made useful

  • Build this into a threat intel data warehouse that actually informs decisions: future threat modelling, control design, roadmap prioritisation, and tabletop scenarios. Not a dashboard nobody reads

  • Run threat modelling as a routine practice, not a one-off — including automated threat modelling using AI against designs, code, and infrastructure changes

Emerging threats

  • Keep a forward view on where the threat landscape is heading, especially around LLMs: prompt injection, model abuse, AI-augmented vulnerability scanning by attackers, and exposure of sensitive data through AI tooling

  • Don't just react to what's hitting us today — make sure we're not blindsided by what's hitting everyone in 12 months

  • Feed that view into the strategy conversation with the VP, and turn it into concrete roadmap items rather than slide decks

Security training and awareness

  • Own the security-specific training content: phishing simulations, secure coding for engineers, threat modelling training, IR tabletop participation, and role-based training for anyone handling cardholder data, PHI, or other sensitive material

  • Partner with the Head of Compliance — they run the overall training programme, cadence, and evidence; you bring the security substance and keep it current with the threat landscape

  • Make the training actually useful. Engineers should walk away knowing something they didn't before, not clicking through slides to get a completion tick

Automation and AI

  • Look at every recurring task in this function and ask "why is a human still doing this?" — triage, alert enrichment, vulnerability prioritisation, evidence gathering, threat modelling, IR runbooks

  • Push existing tooling as far as it'll go, and fill the gaps with scripts, workflows, or AI where it makes sense

  • Use LLMs sensibly for drafting, review, analysis, and automation — while being clear-eyed about where they introduce new risks we have to manage ourselves

  • Treat the function's operating model as a product: fewer manual rituals each quarter, better coverage, faster response

Security advisory

  • Be the go-to person for security questions across the business — architecture reviews, vendor assessments, new products, acquisitions, anything risky

  • Give engineers a straight answer and a path forward, not a ticket queue and a policy link

What we're looking for

  • You've led security at a company operating under real regulatory pressure — payments, healthcare, financial services, or similar

  • You've run incident response for real incidents, not just exercises, and you've written the post-mortems

  • You understand modern attack surfaces: cloud, SaaS, identity, supply chain, application — and you don't reduce security to any one of them

  • You've built or meaningfully improved a threat intel or threat modelling capability, not just consumed vendor feeds

  • You're fluent with AI tools and comfortable building automation. "I'll wait for someone to build it for me" isn't the right mindset — but neither is "let's put an LLM on everything." You know the difference

  • You're comfortable co-owning strategy with a VP — bringing strong opinions, challenging when it matters, and aligning once a direction is set

  • You can hold your own with engineers on technical depth and with execs on business framing

  • Bonus: experience with payments/PCI environments, offensive security background, or a track record of measurably reducing manual security work through automation

How you'll work

You'll have a team to lead from day one, with scope to grow it as the roadmap demands. You'll work closely with the VP on strategy, and with the Head of Compliance, IT, Engineering, Infrastructure, and Product on execution. You'll be in front of customers and auditors often enough that polish matters. Expect to spend real time hands-on — in tooling, in incidents, in design reviews — not just managing.

Interview Process

  • Screen Stage - Video-call with a member from the Talent Team (45-60min)

  • 1st Stage - Interview with the VP of Security, IT & Compliance (60min)

  • Final Stage - Video interview with CTO (60min) and Head of Talent (30min)

We aim to finalise the entire interview process and deliver feedback within 4 weeks.

Every job application received is reviewed manually by our talent team. While we strive to assess applications within 7 days, the sheer volume of talented individuals expressing interest may occasionally extend this timeframe.

Inclusive workforce

At Fresha, we are creating a culture where individuals of all backgrounds feel comfortable.

We want all Fresha people to feel included and truly empowered to contribute fully to our vision and goals. Everyone who applies will receive fair consideration for employment.

We do not discriminate based on race, colour, religion, sex, sexual orientation, age, marital status, gender identity, national origin, disability, or any other applicable legally protected characteristics in the location in which the candidate is applying.

If you have any accessibility requirements that would make you more comfortable during the interview process and/or once you join, please let us know so that we can support you.

Posted 2026-07-01
