
Head of Cybersecurity

* Salary: R$ 2,000 to R$ 5,000 per month (estimated)

* The displayed value is an estimate calculated from public data and market references. We do not guarantee that this is the salary offered for this specific position.

Area: Other

Level: Junior

Summary

Confidencial (Apenas para Cadastrados) is Brazil's first intelligent copilot for fleet management. Our mission is to connect data from telematics, video, and logistics systems to deliver insights that reduce accidents, optimize costs, and increase our clients' sustainability.

As we grow at least 100% year over year and expand into Enterprise accounts, information security shifts from a support function to a strategic business lever. We are looking for a Head of Cybersecurity who will own Confidencial (Apenas para Cadastrados)'s security program end to end: leading our ISO/IEC 27001:2022 certification, building a Trust Center that becomes a reference for Enterprise customers, and shaping a security culture that accelerates growth instead of slowing it down.

At Confidencial (Apenas para Cadastrados), leaders are technical operators first. We believe in "operate on all levels". Our leaders set strategy, write policies, and at the same time aren't afraid to dive into audit logs, configure a GRC platform, or review a pull request through a security lens.

Philosophy

Intensity to win. We believe extraordinary results are born from relentless focus, resilience, and a deep-seated passion for overcoming challenges. This intensity fuels our commitment to excellence and ensures we never settle for "good enough".

Partnership that creates value. We understand that sustainable success is never built in isolation. We thrive by creating win-win relationships, aligning our goals with our clients and colleagues to build mutual, lasting growth. Our success is measured by the success we create for others.

Autonomy that learns. We believe that innovation and agility come from empowerment. We trust our teams to take initiative and make decisions, knowing that every outcome, whether a success or a challenge, is a crucial opportunity to learn, adapt, and grow smarter.

Mission

As Head of Cybersecurity, your mission is to design and run Confidencial (Apenas para Cadastrados)'s information security program, taking us through ISO/IEC 27001:2022 certification and setting the foundation for a security organization that scales with the business.

You will own security as a discipline across the company: defining strategy, controls, and KPIs; coordinating implementation with Engineering, DevOps, Product, Legal, HR, and Operations; and translating security into business outcomes for the executive team and the board. You will build the Trust Center that unblocks Enterprise deals, define how Confidencial (Apenas para Cadastrados) uses AI responsibly across engineering and operations, and over time shape the team that will operate this program at scale.

You will be both an architect and an operator: setting direction while staying close to the controls, the evidence, and the conversations with auditors, customers, and partners.

Operating model

This is a high-leverage, individual leadership role. You will not manage a direct team initially. Your impact will come from influencing and enabling the DevOps team, the broader Engineering organization, and every other function in the company, with direct executive sponsorship from the CTO.

We are deliberate about this design. It means you must be comfortable driving outcomes through partnership and clarity rather than hierarchy, and you will have visible top-down support to make this model work. As the program matures and certifications consolidate, we will discuss building a dedicated security team together.

In your first 12 months, expect roughly 70-80% of your time to focus on ISO 27001 certification, Trust Center, and Enterprise security questionnaires. Other workstreams (AI Security, vendor risk, awareness, tabletop exercises) will start lean and mature progressively.

Hiring model

Fully remote, with 4 on-site gatherings per year in São Paulo

What you'll do day-to-day

  • Own the security program end to end: Define and execute Confidencial (Apenas para Cadastrados)'s information security strategy, roadmap, and budget, with direct accountability to the executive team for the maturity and effectiveness of the program.

  • Lead ISO 27001 certification: Drive Confidencial (Apenas para Cadastrados) through ISO/IEC 27001:2022 certification, owning the 93 Annex A controls, managing the timeline with the certification body, and serving as the focal point between Confidencial (Apenas para Cadastrados) and external auditors.

  • Operate and evolve the GRC platform: Configure, maintain, and scale Drata as our control center, integrating evidence sources (cloud, identity, endpoint, HR), automating collection, and keeping the compliance posture visible to leadership in real time.

  • Cross-functional coordination: Align with DevOps/Security, Engineering, Product, HR, Legal, Finance, and Operations to ensure every control has a clear owner, evidence pipeline, and review cadence. Your success depends on enabling these teams, not commanding them.

  • Build the Trust Center: Design and operate a public-facing Trust Center showcasing certifications, policies, subprocessors, incident SLAs, and a reusable answer library for security questionnaires (SIG, CAIQ, custom Enterprise RFPs).

  • Secure SDLC and AI Security: Embed security into the development lifecycle (SAST/DAST/SCA, threat modeling, security-focused code review) and define the guardrails for responsible use of generative AI tools (Cortex, Copilot, Cursor) addressing risks of data leakage, prompt injection, model supply chain, and quality of AI-generated code.

  • Risk and incident management: Maintain a living risk register, run risk assessments for new initiatives (hardware, fintech, integrations), define incident response playbooks, and run tabletop exercises with the executive team.

  • Vendor risk and DPAs: Stand up and operate the vendor risk assessment process, covering critical partners including BaaS providers (Swap), cloud (AWS), Chinese ODMs, and productivity SaaS.

  • LGPD and privacy: Partner with Legal on privacy practices, data mapping, lawful basis for processing, and data subject rights management.

  • Security culture: Design and run the awareness program, phishing simulations, security onboarding, and maturity metrics across teams.

  • Future team design: Define what the security organization should look like as Confidencial (Apenas para Cadastrados) scales, propose hiring at the right inflection points, and be ready to lead a team when that moment arrives.

  • Hands-on contribution: Be ready to go deep when needed, whether that means reviewing an AWS IAM policy, configuring a Drata integration, writing an incident runbook, or personally answering a 300-line Enterprise security questionnaire.

What we need from you

Prerequisites

  • Security Program Leadership: Proven experience leading information security programs, with a strong track record of managing ISO 27001 and/or SOC 2 certification cycles as the primary technical owner or program lead.

  • Mastery of automated GRC platforms: Hands-on experience with Drata, Vanta, Sprinto, Secureframe, or similar, including control design, evidence integrations, and continuous operation post-certification.

  • Depth in at least one area: Strong expertise in at least one of the following, with working knowledge of the others: (a) GRC and compliance (ISO 27001, SOC 2, LGPD), (b) Cloud Security and DevSecOps (AWS, IAM, container security, IaC scanning), or (c) AppSec and Secure SDLC (threat modeling, SAST/DAST, code review).

  • Influence without authority: Track record of driving security outcomes by partnering with engineering, product, and operations teams, not by gatekeeping. Comfort operating as a sole technical leader with strong executive sponsorship.

  • Business mindset: Demonstrated ability to balance security rigor with business velocity in high-growth environments. We are looking for someone who sees security as a revenue enabler, not a bureaucratic blocker.

  • AI fluency: Active daily use of AI tools (Claude, ChatGPT, Cursor, Copilot, or similar) and clear understanding of the risks and opportunities that generative AI brings to security, software development, and operations.

  • Cloud and modern infrastructure: Strong familiarity with AWS, Kubernetes, CI/CD, IaC (Terraform), and observability practices.

  • Enterprise customer interface: Experience responding to SIG, CAIQ, VSAQ, or custom Enterprise security questionnaires, and building reusable answer libraries that scale with sales.

  • Executive communication: Strong ability to translate technical security concepts to executive, commercial, and product audiences, and to coordinate people across functions without direct hierarchical authority.

  • Operate on all levels: Balance strategic thinking with willingness to execute hands-on tasks.

Nice to have

  • Certifications such as CISSP, CISM, ISO 27001 Lead Implementer / Lead Auditor, AWS Security Specialty, OSCP.

  • Prior experience in startups or scale-ups growing 100%+ year over year.

  • Experience with SOC 2 Type II, PCI-DSS (relevant for our fintech initiative, Confidencial (Apenas para Cadastrados) Pay), or sector-specific frameworks (Brazilian Central Bank resolutions, payments regulation).

  • Working knowledge of AI security frameworks (OWASP Top 10 for LLMs, NIST AI RMF, MITRE ATLAS) and AI governance practices.

  • Experience building and operating a public Trust Center that has been a reference in Enterprise deals.

  • Familiarity with video telematics, IoT, or environments with embedded hardware, especially around device security in the field, secure OTA, and protection of sensitive data (video, location).

  • Experience with Bug Bounty programs, red team exercises, and managing external pentests.

  • Background in Security Engineering with hands-on technical contributions (Python automations, SIEM integrations, custom detections), not only governance.

  • Contributions to security communities (CTFs, talks, blog posts, open-source).