Manager Security jobs in Canada

Say hello to Newton! We're changing how Canadians trade crypto. Our goal? To make financial freedom something everyone can achieve. We give our customers the tools and knowledge they need to navigate the crypto world.

At Newton, you'll work with a remote team spread across Canada, but you'll never feel distant. Ready to be part of something meaningful? Join a team that’s all about pushing boundaries and getting things done.

• Customer first mindset - Commitment to integrity and transparency to our users!
• A dynamic team fueled by collaboration uniting our strengths to overcome any obstacles. Together we build success. We persevere, adapt, and come back stronger, turning obstacles into opportunities.
• We strive for continuous improvement and embrace creativity and encourage experimentation. We push the boundaries of what’s possible and continuously explore new ideas, technologies, and solutions.

We’re hiring a Security Lead to own and drive our security function end-to-end, combining strategic direction with hands‑on technical authority. You will review, challenge, and strengthen our systems, act as the security authority within engineering, define guardrails, and drive remediation when risks arise. Operating independently, you’ll build the structure and standards needed as we scale. Your mission is to own the company wide security strategy and architecture, ensure CIRO and SOC 2 alignment, and embed strong security practices across infrastructure, applications, and internal systems, while enabling engineering velocity.

1. Security Strategy & Risk Ownership

• Define and maintain the company’s security roadmap
• Maintain and actively manage a living risk register
• Translate regulatory requirements into practical engineering controls
• Prioritize remediation based on business and regulatory risk
• Act as the internal security authority within engineering

2. Security Architecture & Infrastructure Review

• Review infrastructure designs from a security perspective
• Challenge architectural decisions that introduce risk
• Define security guardrails for cloud infrastructure
• Improve and harden existing IAM
• Strengthen centralized logging and monitoring
• Improve secrets management practices
• Review Pulumi‑based infrastructure changes with a security lens
• Define security requirements for new services and infrastructure components

3. Application Security Ownership

• Own the company’s application security posture
• Define secure development standards
• Introduce lightweight threat modeling practices
• Oversee SAST/DAST and dependency scanning tooling
• Ensure security is embedded throughout the SDLC
• Partner with engineering teams to remediate vulnerabilities

4. Security Incident Response & Monitoring

• Define and maintain the incident response framework
• Establish clear escalation and communication processes
• Ensure appropriate logging and monitoring coverage
• Lead and coordinate security investigations when required
• Track remediation actions following incidents
• Continuously improve controls based on lessons learned

5. Penetration Testing & External Assessments

• Own and coordinate external penetration tests
• Scope engagements appropriately
• Ensure remediation plans are defined and executed
• Track findings to closure
• Strengthen internal controls based on test results

6. Regulatory Alignment (CIRO + SOC 2)

• Lead security readiness for CIRO requirements
• Drive SOC 2 preparation and evidence collection
• Maintain defensible documentation and policies
• Ensure implemented controls withstand audit scrutiny
• Partner with Engineering Directors to close compliance gaps

7. Third‑Party & Vendor Risk Management

• Define and manage third‑party risk assessment processes
• Evaluate the security posture of critical vendors
• Assess the security impact of new tools before adoption
• Define mitigation controls prior to integration
• Maintain vendor risk documentation aligned with regulatory expectations

8. Endpoint & Internal Controls

• Strengthen security controls on developer machines
• Define secure onboarding and off‑boarding processes
• Improve privileged access controls
• Ensure internal security practices align with regulatory expectations

• Understand IAM and least privilege principles
• Understand logging, monitoring, and alerting architecture
• Be comfortable reviewing infrastructure‑as‑code (Pulumi)
• Reason confidently about security architecture across infrastructure and application layers
• Be willing to deepen your technical capabilities where needed
• Have hands‑on experience with SOC 2 or comparable audit processes
• Have experience in a regulated environment (fintech, financial services, or similar), ideally CIRO‑regulated
• Have a strong understanding of risk management frameworks
• Influence and challenge cloud architecture decisions when needed
• Experience with AI tooling governance or AI‑related security considerations is a strong plus

At Newton, we celebrate our inclusive work environment and welcome members of all backgrounds and perspectives to apply. We are committed to providing reasonable accommodations and will work with you to meet your needs. If you are a person with a disability and require assistance during the application process, please don’t hesitate to reach out!