
Information Security Lead

About Midjourney

Midjourney is a unique experiment. We are an independent, community-backed research lab, best-known for the aesthetic technologies that power image and video generation. We are building tools that help people dream bigger and become more capable than they knew possible.

About the Role

We need one person to run security and IT for Midjourney. The work spans policy, compliance, vendor risk, incident response, identity, endpoint management, asset lifecycle, office networking, and AV. It is a wide brief and we are aware of that. The reason it sits with one person right now is that the company is still small, and we've leveraged cloud solutions on our own for the past 4 years. We want to formalize and mature how we approach our internal Information Security.

You will not be inheriting an existing rigid program. We have a number of solutions that have suited us well, but nothing is set in stone. Your first six months are about building the scaffolding so that the next year is about running it.

We handle data subject to HIPAA-grade controls, operate in the EU and California, and have the long list of customer compliance asks that a company our age and size tends to accumulate. The work is real and unfinished.

The cultural piece matters. The team is sceptical of process for its own sake, and they will quietly work around any control that is more friction than it is worth. The right hire designs controls that the rest of the team would choose to use anyway: automation, sensible defaults, identity that engineers do not have to fight.

What You'll Do

Build and maintain the written security and privacy policy stack, including the compliance program (GDPR, HIPAA, CCPA, and the others that come up), with counsel review on a sensible cadence.
Run the internal operational security loop: data leakage / loss prevention, access controls, backups, risk assessments, etc.
Third-party vendor risk. SOC 2 review for critical vendors, contracts with the safeguards we need, and an honest view of where the gaps are.
Identity and access: SSO, MFA, privileged access, joiner-leaver workflows that do not depend on a person remembering them.
IT operations: hardware lifecycle, MDM, physical access controls, endpoint security, network basics, conferencing, AV.
Business continuity and disaster recovery plans that we have actually tested, not just written.
The fraud-and-funds-transfer controls, in partnership with whoever runs finance.

What We're Looking For

You have built or substantially rebuilt a security program at a small to medium business. You can write the policy and you can run the technical work; we are not splitting those.
You have taken at least one company through real compliance work (SOC 2, ISO 27001, HIPAA, or equivalent), and have an opinion about which evidence is worth collecting and which is busywork.
You are hands-on with the modern IT stack: Apple MDM, an IdP like Okta or Google Workspace, SSO and SAML and SCIM, SaaS management. You write the scripts that automate the boring parts.
You can read a SOC 2 report and tell us what the auditor missed.
You take care of the people around you, not just the systems. Caring about humanity starts with caring about your teammates – we hire people who actively help the people next to them succeed.
We care more about what you have built than where you have built it.

Nice to Have

Experience as the first security hire at a company that grew through audit and customer-compliance pressure.
HIPAA program design where the data flows are non-trivial.
Networking depth: firewalls, VPN, segmentation, office network design.
Background working with engineering teams that have AI in production, where the threat model is not what most security textbooks assume.

Why Midjourney

The function does not exist yet. You decide what it looks like.
You will not have to sell the value of security here. The team takes it seriously; they just want it formalized well.
Speed of a startup, freedom of a research lab. No quarterly reporting, no committees, no investor calls.
AI-assisted tooling is the default across the company, and the people running security and IT are expected to use it the same way the engineers do.
San Francisco-based, with regular contact across our global team and the remote engineers.

*The wage range for this role takes into account the wide range of factors that are considered in making compensation decisions including but not limited to skill sets, experience and training, certifications and licensure, location, and other business or organizational needs.

Midjourney provides and promotes equal opportunity in employment, compensation, and other terms and conditions of employment without discrimination because of race, color, creed, religion, national origin, ancestry, citizenship status, sex or gender, gender identity or gender expression (including transgender status), sexual orientation, marital status, military service and veteran status, physical or mental disability, family medical history, genetic information or other protected medical condition, political affiliation, or any other characteristic protected by and in accordance with applicable laws.