Security Program Lead
Aliro Technologies
New York, USA · Boston, MA, USA
Posted on May 30, 2026
Aliro builds software for entanglement-based quantum networks. Our products support quantum networks being developed by customers at aerospace companies, national labs, academic institutions, and telecommunications providers.

We are hiring a Security Program Lead to own and operate the company's security program. This is a foundational hire and the first dedicated security role at Aliro.

You will not be starting from zero. By the time you join, our fractional CISO will have deployed the GRC platform, drafted core security policies, initiated the asset inventory and security program baseline, established the compliance roadmap, and set the SOC 2 audit timeline. Your job is to take ownership of that foundation and run the program day-to-day: maintaining evidence, managing vendors, responding to customers, and driving the program forward.

You will work alongside the fractional CISO, who provides strategic direction, certification architecture, and customer-facing security leadership. You will report to the CTO.

This role is designed to grow. The initial focus is operationalizing the security program, achieving SOC 2, and supporting enterprise sales. As the company scales and certification workloads increase, this role expands with ownership of the full compliance and certification portfolio.

What You'll Own:

- Security governance and compliance. Own SOC 2 evidence collection, policy maintenance, risk register updates, and audit coordination. Manage relationships with external auditors, pen test firms, and assessment organizations. Maintain security documentation as living, versioned artifacts — not shelf-ware.
- Customer security support. Respond to enterprise security questionnaires (SIG, CAIQ, custom formats). Draft and maintain customer-facing security artifacts: security overview, product architecture briefs, pre-filled questionnaire responses. Be the first responder when a prospect's security team has questions.
- Secure development support. Coordinate with the engineering team on CI/CD security tooling (SAST, SCA, secrets detection), SBOM management, vulnerability tracking, and pen test remediation. You don't need to write the code, but you need to understand the pipeline and ensure security gates are operating.
- Vendor and tool management. Manage and optimize the GRC platform (Vanta), security scanning tools, and questionnaire automation tooling. Own the operational relationship with third-party security vendors.
- Certification preparation (growth area). As the program matures, take increasing ownership of certification tracks — potentially including CMMC, FedRAMP, or FIPS 140-3 — depending on customer and market requirements.

What We're Looking For:

- 2–5 years of hands-on experience in security, GRC, or compliance. Experience with SOC 2 audit preparation is strongly preferred.
- Familiarity with secure development practices (CI/CD, dependency management, SBOM, vulnerability management).
- Experience responding to customer security questionnaires (SIG, CAIQ, proprietary formats).
- Strong written communication.
- Comfort with ambiguity in a startup environment.

Nice to Have:

- Experience with federal frameworks: FedRAMP, CMMC, NIST 800-171, NIST 800-53.
- Exposure to hardware security certifications (FIPS 140-3, Common Criteria).
- Familiarity with GRC platforms (Vanta, Drata, Secureframe) and questionnaire automation tools (Conveyor, SafeBase).
- Relevant certifications: CISSP, CISM, CISA, or Security+.
- Interest in quantum networking, post-quantum cryptography, or QKD technologies.

Why This Role:

You would be building the security function at a company defining the future of quantum-safe networking. The products you help secure will protect communications for defense, finance, and critical infrastructure. The certifications you help achieve will unlock markets that no other quantum networking company has reached yet.

This is not a maintenance role. There is nothing to maintain yet. You are building it.

Details:

- Location: Remote-first, with occasional on-site collaboration in the Boston area.
- Reports to: CTO (with strategic direction from fractional CISO).
- Equity: Yes.
