
Fresha

Head of Security

London
Posted 2 days ago

Head of Security

Security Engineer / Director (Security) – Global AI-Powered Fitness & Healthcare Platform

The Company

Fresha is the AI-powered operating system for beauty, wellness, and self-care, connecting over 140,000 businesses, 450,000+ professionals (stylists, therapists, etc.), and facilitating over 1 billion appointments globally. Established in London with 15 global offices, Fresha combines a consumer marketplace (for booking/payments) with all-in-one business software—managing appointments, POS, CRM, marketing automation, loyalty, and inventory.

The platform integrates with Instagram, Facebook, Google, and powers a regulated infrastructure handling payments (PCI DSS), health-related data (HIPAA), and privacy-sensitive customer interactions (GDPR, SOC 2 Type II). Compliance frameworks include ISO 27001, and industry certifications are actively pursued.

About Fresha’s AI Initiative

Fresha combines structural operational tools with AI-powered personalisation to:

  • Enhance appointment scheduling via AI-driven optimisation
  • Offer virtual consultations with next-gen telehealth kerknowsledge
  • Customise marketing strategies through predictive analytics
  • Simplify vendor interactions with smart integration systems

We demand responsible engineering to ensure security in these technologies—especially as AI integrates with sensitive processes (payment flows, health diagnostics, and ML-powered tooling).


The Opportunity

Seniority & Breadth

We’re looking for an experienced Security Executive to own cybersecurity end-to-end across Fresha’s operation. You will:

  • Prove trust with customers, auditors, and regulators while driving quarterly risk reduction.
  • Build structured process with Compliance to amplify control effectiveness.
  • Be the canonical source on security strategy, incident response, and future-vision—collaborating directly with engineers, execs, and vendors.

Key Responsibilities

1. Security Strategy & Execution

  • Define and own the security roadmap alongside the VP, balancing strategic direction with operational feasibility using real-time asis.
  • Prioritise investments in tooling, headcount, and external partners without micro-managing budgets.
  • Clarify decisions for executives by translating high-level targets into actual credentials on the roadmap.
  • Advocate for automation and AI efficiency gains in recurring security tasks (e.g., alerts, vulnerability prioritisation).

2. Control Design & Validation

  • Deploy a holistic security program, spanning:
    • Endpoint protection (workstations, servers)
    • Network integrity (firewall, edge, cloud boundaries)
    • Cloud security (IaaS, SaaS traffic governance)
    • Identity & access (zero trust, privileged access)
    • Applications (secure code, API defence, logging)
  • Enforce cost-effective excellence—security must be evaluated continually, not done as an annual checklist.
  • Partner with engineering early in the lifecycle—shift-left security should be the default.

3. Vulnerability & Threat Response

  • Cornerstone of resilience:
    • Run external pentests (app & infrastructure) with timely closure of high-impact issues.
    • Establish a continuous vulnerability management program (scanning, prioritisation, SLAs).
    • Work with Compliance on auditor-ready artifacts, ensuring clear remediation timelines.
  • Support the Head of Compliance in preparing real-time evidence for third-party audits (ISO 27001, SOC 2, PCI qualitative).

4. Incident Response & Lifecycles

  • Unified incident management—direct behaviour from:
    • Detection & triage: Working with automation and manual oversight.
    • Containment & eradication: Stopping bleeding sources, monitoring for follow-on effects.
    • Recovery & hardening: Restoring services with reinforced sans safeguarde.
    • Post-incident reviews: Writing honest, acute-learn lessons based on clear blame assignment.
  • Designing and managing the on-call process, tabletop exercises, and escalation pathways.

5. Threat Intelligence & Forward Stratometry

  • Build an active threat intel program capturing:
    • Near-miss incidents (with root causes documented)
    • Emerging attack tools (detours US asset, LLM, custom Exploit Kit)
    • Industry advice (blogs, vendor reports)
  • Integrate findings into a data-driven roadmap that supports:
    • Threat modality (building resilience where gaps others)
    • Control design (prioritising headlines-based defences)
    • Threat modelling across designs, code, and infrastructure
  • Leverage AI for threat analysis beyond benign scenario—monitor guard trial tours for behavioural outliers.

6. ATO-Simplified Security

  • Assess every repetitive task, asking: "Is this still a real machine?"
    • Require automations for triage, alert enriching, vulnerability triage.
    • Expand tooling capabilities with custom workflows, scripts, and AI-moderated judgement.
  • Build an organisation as a "product"—further manual rituals, stronger snedcols, faster response times.

7. Advisory and Culture

  • Be the security authority across Fresha, serving:
    • Architectural reviews before code/function teams move to production
    • Vendor and acquisi Kupa assessments for fourth-speed risks
    • Product and Innovation (reducing security debt by design)
  • Train and educate key players:
    • Application engineers on secure programming, threat modelling best practice.
    • Compliance on running the create from-a-perspective—where defence-in-depth strategies apply.
    • Staff (Phishing simulations and role-based tests, securing credit card, PHI).
  • Shout down poor policies or shortcuts—reverse to engineers' granular needs with clarity.

Your Infrastructure

You will:

  • Report directly to VP of Security, IT, and Compliance.
  • Collaborate with Head of Compliance to ensure theory aligns with practice.
  • Be the primary point of contact for:
    • Security issues across departments.
    • External auditor and regulator requests.
  • Drive tenants responsible for challenges: abstracting concerns, prioritising improvements, and delivering an A-grade global security operation.

You should expect:

  ✔ Working 5 days/week in London, with a dog-friendly office located in The Bower, Old Street.
  ✔ Wading elbows-deep into issues: tooling, incident investigation, software sniffs.
  ✔ Engineering alliance—partner with intelligence and product on risk mitigations.
  ✔ Speaking on behalf of security to customers, exec teams, and partners.


Requirements

You Must Have

  • Proven licentide to lead in businesses under regulatory pressure (e.g. highens/financial/serves).
  • Real incident response: Executed full life cycles and authored post-mortems (not only set up or violated defense exercises).
  • Extensive "horizontal expertise": Secured cloud, identity, applications, supply chain, and mobile interfaces.
  • Minimalistic frameworks—before your own threat intelligence or modelling capability, unlike keyboard adhdbcates ("buy everyone’s threat feed").
  • AI & automation mentality—attached to scripting, ML, and other processes (alto-downdeloy) yet resistant to running-light AI hype.

You’ll Own

  • Automations and AI—automating the tiresome, remodelling duties (Phishing, SLA reports, IR alerts filtering).
  • Thought-lead content on emerging threats (e.g. cybersecurity risks in LLM systems, AI-augmentation attacks, supply into side push over AI as an attacker fstreet).
  • Closing the gap between strategy and discipline, comprising real business and tactical diligence.

Profits

Areas To Shine | Bonus Requirements (Not essential)
Payments security expertise | Hands-on PCI audits or certifications (we’re expanding scope).
Offensive/attacker perspective | Vulnerability testing in cyberctical environment.
Pathway from automations | Reduced manual triage errors or security defects.

How You’ll Work

Across:

  • Security: Formulate safety policies, test architectures, run heal reports.
  • Compliance: Ensure documentation fits technical capabilities.
  • Engineering: Workboards—the "how," when prioritized together—as "normal."
  • Finance (via the VP): Get permissions, convey value, secure future square rolling hills.

You will co-lead a team of security specialists by example: mentoring, historically aligning roles—all while mentally engaging in security, audit, feature POs.


Team Culture

Inclusivity • Collaboration • Impact

At Fresha, we build a foundation of trust in both technology and the people who use it. Security isn’t an afterthought—it’s integrated into what we do.

We celebrate your awareness of:

  • Unique challenges of regulation-heavy sectors.
  • Managing investages with minimal employee friction.

We challenge rigid approaches that slow us down or impose incremental friction—derailed innovation.

We accept direct feedback—not just within commalournment, but also offering colleagues demanding . A rhetorical stance sets us apart.

Feedback Loop

We review applications for includ DFBiveness, transparppard opportunities, and a culture of growth—but else see that resumes don’t total everyone’s skills. Reach out to tell us your story.

Diversity & Inclusion

We are committed to creating a welcoming work environment where talent wins independent of background: race, colour (including disability), religion, sex, sexual orientation, age, relationship status, gender ID (enacted as legal y), or national origin.

Protecting Innovators

Accessibility in Hiring: If you require flexibility due to a disability, chronic illness, or conditions during the hiring process, let us know.


Ky Applications

Email info@fresha.me with:

  • Your brush-acended introduction (e.g. current role, preferred org-type based on headcount).
  • Share a concise portfolio () Security Open-Source Contributions (if any) of your previous work.
  • Ongoing CV*: No need to resubmit unless details change.

Breathline process 60-min initial call with talent dept. First Stage: 60 commos with the VP of Security/ Compliance. Final Stage: interviews with CTO, Head of Talent.

We aim to complete an end-to-end pipeline review within 4 weeks.


Welcome role? Get in.

Skills

Security Strategy
Incident Response
Vulnerability Management
Threat Intelligence
Automation
AI Tools
Regulatory Compliance
Penetration Testing
Cloud Security
Application Security
Team Leadership
Risk Management
Security Training
Collaboration
Technical Depth
Business Framing

Location

London, England, United Kingdom
