Head of Security
Security Engineer / Director (Security) – Global AI-Powered Fitness & Healthcare Platform
The Company
Fresha is the AI-powered operating system for beauty, wellness, and self-care, connecting over 140,000 businesses, 450,000+ professionals (stylists, therapists, etc.), and facilitating over 1 billion appointments globally. Established in London with 15 global offices, Fresha combines a consumer marketplace (for booking/payments) with **all-in-one business software**—managing appointments, POS, CRM, marketing automation, loyalty, and inventory.
The platform integrates with Instagram, Facebook, Google, and powers a regulated infrastructure handling payments (PCI DSS), health-related data (HIPAA), and privacy-sensitive customer interactions (GDPR, SOC 2 Type II). Compliance frameworks include ISO 27001, and industry certifications are actively pursued.
About Fresha’s AI Initiative
Fresha combines structural operational tools with AI-powered personalisation to:
- Enhance appointment scheduling via AI-driven optimisation
- Offer virtual consultations with next-gen telehealth technology
- Customise marketing strategies through predictive analytics
- Simplify vendor interactions with smart integration systems
We demand responsible engineering to ensure security in these technologies—especially as AI integrates with sensitive processes (payment flows, health diagnostics, and ML-powered tooling).
The Opportunity
Seniority & Breadth
We’re looking for an experienced Security Executive to own cybersecurity end-to-end across Fresha’s operation. You will:
- Establish trust with customers, auditors, and regulators while driving quarterly risk reduction.
- Build structured process with Compliance to amplify control effectiveness.
- Be the canonical source on security strategy, incident response, and future-vision—collaborating directly with engineers, execs, and vendors.
Key Responsibilities
1. Security Strategy & Execution
- Define and own the security roadmap alongside the VP, balancing strategic direction with operational feasibility using real-time analysis.
- Prioritise investments in tooling, headcount, and external partners without micro-managing budgets.
- Clarify decisions for executives by translating high-level targets into concrete deliverables on the roadmap.
- Advocate for automation and AI efficiency gains in recurring security tasks (e.g., alerts, vulnerability prioritisation).
2. Control Design & Validation
- Deploy a holistic security program, spanning:
  - Endpoint protection (workstations, servers)
  - Network integrity (firewall, edge, cloud boundaries)
  - Cloud security (IaaS, SaaS traffic governance)
  - Identity & access (zero trust, privileged access)
  - Applications (secure code, API defence, logging)
- Enforce cost-effective excellence—security must be evaluated continually, not done as an annual checklist.
- Partner with engineering early in the lifecycle—shift-left security should be the default.
3. Vulnerability & Threat Response
- Cornerstone of resilience:
  - Run external pentests (app & infrastructure) with timely closure of high-impact issues.
  - Establish a continuous vulnerability management program (scanning, prioritisation, SLAs).
  - Work with Compliance on auditor-ready artifacts, ensuring clear remediation timelines.
- Support the Head of Compliance in preparing real-time evidence for third-party audits (ISO 27001, SOC 2, PCI DSS).
4. Incident Response & Lifecycles
- Unified incident management, covering the full lifecycle:
  - Detection & triage: combining automation with manual oversight.
  - Containment & eradication: stopping the bleeding and monitoring for follow-on effects.
  - Recovery & hardening: restoring services with reinforced safeguards.
  - Post-incident reviews: writing honest lessons-learned reports with clear accountability.
- Designing and managing the on-call process, tabletop exercises, and escalation pathways.
5. Threat Intelligence & Forward Strategy
- Build an active threat intel program capturing:
  - Near-miss incidents (with root causes documented)
  - Emerging attack tools (e.g. LLM-assisted tooling, custom exploit kits)
  - Industry advice (blogs, vendor reports)
- Integrate findings into a data-driven roadmap that supports:
  - Threat coverage (building resilience where gaps exist)
  - Control design (prioritising defences against observed threats)
  - Threat modelling across designs, code, and infrastructure
- Leverage AI for threat analysis beyond known scenarios, monitoring audit trails for behavioural outliers.
6. Automation-Simplified Security
- Assess every repetitive task, asking: "Could a machine do this?"
- Build automations for alert triage, alert enrichment, and vulnerability triage.
- Expand tooling capabilities with custom workflows, scripts, and AI-moderated judgement.
- Run the security organisation as a "product": fewer manual rituals, stronger controls, faster response times.
7. Advisory and Culture
- Be the security authority across Fresha, serving:
  - Architectural reviews before code or feature teams move to production
  - Vendor and acquisition assessments for third- and fourth-party risks
  - Product and Innovation (reducing security debt by design)
- Train and educate key players:
  - Application engineers on secure programming and threat modelling best practice.
  - Compliance on where defence-in-depth strategies apply.
  - Staff (phishing simulations and role-based training on handling card data and PHI).
- Push back on poor policies or shortcuts, responding to engineers' specific needs with clarity.
Your Infrastructure
You will:
- Report directly to VP of Security, IT, and Compliance.
- Collaborate with Head of Compliance to ensure theory aligns with practice.
- Be the primary point of contact for:
  - Security issues across departments.
  - Requests from external auditors and regulators.
- Drive the tenets that address these challenges: surfacing concerns, prioritising improvements, and delivering an A-grade global security operation.
You should expect:
- Working 5 days/week in London, with a dog-friendly office located in The Bower, Old Street.
- Wading elbows-deep into issues: tooling, incident investigation, software reviews.
- Engineering alliance—partnering with engineering and product on risk mitigations.
- Speaking on behalf of security to customers, exec teams, and partners.
Requirements
You Must Have
- Proven ability to lead in businesses under regulatory pressure (e.g. healthcare/financial services).
- Real incident response: executed full life cycles and authored post-mortems (not only tabletop or simulated defence exercises).
- Extensive "horizontal expertise": secured cloud, identity, applications, supply chain, and mobile interfaces.
- Pragmatic approach: build your own threat intelligence or modelling capability rather than defaulting to "buy everyone’s threat feed".
- AI & automation mentality: comfortable with scripting, ML, and automated deployment, yet resistant to AI hype.
You’ll Own
- Automations and AI—automating tiresome, repetitive duties (phishing, SLA reports, IR alert filtering).
- Thought-leadership content on emerging threats (e.g. cybersecurity risks in LLM systems, AI-augmented attacks, supply-chain attacks, and AI as an attacker’s tool).
- Closing the gap between strategy and execution, combining real business understanding with tactical diligence.
Bonus Points
| Areas To Shine | Bonus Requirements (Not essential) |
|---|---|
| Payments security expertise | Hands-on PCI audits or certifications (we’re expanding scope). |
| Offensive/attacker perspective | Vulnerability testing in critical environments. |
| Track record with automation | Reduced manual triage errors or security defects. |
How You’ll Work
Across:
- Security: formulate security policies, test architectures, run health reports.
- Compliance: ensure documentation fits technical capabilities.
- Engineering: agree the "how" on shared workboards, prioritised together as the norm.
- Finance (via the VP): get approvals, convey value, secure future investment.
You will co-lead a team of security specialists by example: mentoring, aligning roles, and engaging across security, audit, and feature product owners.
Team Culture
Inclusivity • Collaboration • Impact
At Fresha, we build a foundation of trust in both technology and the people who use it. Security isn’t an afterthought—it’s integrated into what we do.
We celebrate your awareness of:
- Unique challenges of regulation-heavy sectors.
- Managing investigations with minimal employee friction.
We challenge rigid approaches that slow us down or impose incremental friction on innovation.
We value direct feedback, not just receiving it but also offering it to colleagues. That candour sets us apart.
Feedback Loop
We review applications for inclusiveness, transparent opportunities, and a culture of growth, but we also know that CVs don’t capture everyone’s skills. Reach out to tell us your story.
Diversity & Inclusion
We are committed to creating a welcoming work environment where talent wins independent of background: race, colour, disability, religion, sex, sexual orientation, age, relationship status, gender identity (as legally recognised), or national origin.
Protecting Innovators
Accessibility in Hiring: If you require flexibility due to a disability, chronic illness, or conditions during the hiring process, let us know.
Applications
Email info@fresha.me with:
- A brief introduction (e.g. current role, preferred org type based on headcount).
- A concise portfolio or security open-source contributions (if any) from your previous work.
- Your CV: no need to resubmit unless details change.
Interview process
- 60-min initial call with the talent team.
- First stage: 60 minutes with the VP of Security/Compliance.
- Final stage: interviews with the CTO and Head of Talent.
We aim to complete an end-to-end pipeline review within 4 weeks.