Security & IT Lead

About the Role

We're hiring a Security & IT Lead to own information security and compliance programs across Mill. This is a senior individual contributor role.

You'll be the security authority for the company — setting the standard for how Mill protects data, manages risk, and earns the trust of employees, customers, and enterprise partners. You'll also serve as Mill's internal technical authority over our managed IT provider — ensuring the quality, reliability, and scalability of IT services, not just their security posture. You'll own our compliance frameworks, lead our SOC 2 program, and ensure Mill's internal and external systems are secured to a high standard. This role requires someone who is self-directed, cross-functional, and equally comfortable in technical and policy-oriented work.

What You'll Own

Information Security. Own Mill's information security posture end-to-end — across internal systems (identity and access management, endpoint protection, SaaS tools) and external/customer-facing platforms. Define and enforce security policies, access controls, and data classification standards. Serve as the primary escalation point for security incidents. Manage security tooling across the stack including phishing simulation, endpoint management, and access governance platforms. Conduct regular access reviews, risk assessments, and vulnerability reviews.

Compliance Programs. Lead Mill's SOC 2 program from roadmap through audit readiness and ongoing maintenance — coordinating cross-functional tasks, owning policy documentation, and managing relationships with external auditors. Maintain and evolve Mill's Policy & Procedure Library with regular reviews. Field security questionnaires from enterprise customers and prospective partners. Evaluate and scope additional compliance frameworks as the business grows (ISO 27001, CCPA, etc.).

IT Operations & Oversight. Act as the internal technical owner of Mill's relationship with our managed IT provider. Define SLAs, review architecture decisions, approve changes, and hold the provider accountable for service quality, reliability, and cost-effectiveness. Own the IT roadmap — including network infrastructure, endpoint fleet, collaboration tooling, and onboarding/offboarding workflows. Evaluate new tools and vendors for both operational fit and security risk. Ensure IT standards (network design, device management, VPN, etc.) meet Mill's needs as we scale.

AI & Emerging Technology. Contribute a security perspective to Mill's AI adoption efforts — reviewing AI tools for data handling risk, contributing to acceptable use policies, and ensuring Mill's AI governance posture keeps pace with adoption.

What We're Looking For

• 5–8 years spanning IT operations and information security, ideally in a role that combined both
• Demonstrated experience owning or significantly contributing to a SOC 2 audit (Type 1 or Type 2)
• Hands-on familiarity with identity and access management (Okta, OneLogin, or similar), MDM/endpoint security, and cloud SaaS security
• Experience building and maintaining security policies, risk registers, and compliance documentation
• Strong cross-functional communicator — able to work with Engineering, Finance, and People Operations to drive policy approvals and remediation
• Familiarity with GRC frameworks and risk standards (NIST CSF, ISO 27001, SOC 2 Trust Services Criteria)
• Experience managing or technically overseeing an outsourced/managed IT provider (MSP) — setting standards, reviewing deliverables, and driving accou