Head of Information Security (APAC)

Your Role

Reporting to the Global CISO, the Head of Information Security (APAC) drives Alpaca's regional security, risk, and compliance, focusing on APAC regulations (APPI, FSA, MAS).

You will be the regional security authority, collaborating with global teams (Security, Engineering, Legal, Compliance, Product) to align infrastructure, the trading platform, and internal systems with both global standards and local regulatory needs.

This role merges security engineering, local compliance, risk management, and stakeholder engagement. You translate regional regulatory requirements into actionable security controls, ensuring a secure, scalable, and compliant platform. You will also be the main contact for regulators, auditors, and local stakeholders, enabling confident operations in highly regulated financial markets.

Things You Get To Do

Regional Security & Compliance Leadership

Manage Alpaca’s APAC information security program

Interpret and implement local regulatory requirements into security controls

Serve as the APAC security compliance and regulatory expert

Ensure alignment with Global Security, Legal, and Compliance on financial services and data protection regulations

Security Risk Management

Lead risk identification, assessment, and mitigation for cloud infrastructure, APIs, and trading systems

Manage and evolve regional risk registers, reporting, and governance

Ensure adherence to global frameworks (ISO 27001, SOC 2, CSA STAR)

Cloud & Platform Security Collaboration

Partner with Engineering for secure-by-design, cloud-native infrastructure

Provide guidance on IAM, Network security architecture, Secure SDLC, Infrastructure hardening/monitoring

Review architecture to embed security and compliance early

Regulatory Audits & External Engagement

Lead and support regulatory exams, audits, and assessments

Act as the primary liaison for Regulators, external auditors, and local compliance partners

Report findings to the global security team and assist with triage and mitigation

Policy, Governance & Controls

Develop and maintain regional security policies, standards, and procedures as required

Localize global policies for APAC regulatory environments

Drive control implementation and testing across security and compliance frameworks

Who You Are (Must-Haves)

6+ years of experience in information security, cybersecurity, or GRC, preferably in fintech or financial services

Fluent in Japanese and English (written and verbal)

An excellent understanding of cloud security, application and infrastructure security, and risk management frameworks

Experience with security and compliance frameworks (ISO 27001, SOC 2, etc.)

Direct experience working with or supporting regulatory requirements in Japan (e.g. APPI / FSA) and/or APAC

Proven experience handling audits, regulatory exams, or compliance programs

Ability to work cross-functionally with engineering, product, and compliance teams

Strong communication skills, with the ability to translate technical risks into business impact

Who You Might Be (Nice-to-Haves)

Experience in brokerage, trading platforms, or financial infrastructure

Experience with data privacy regulations (APPI, GDPR, etc.)

Security certifications (e.g. CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor)

Experience building or scaling regional security programs

Exposure to DevSecOps practices and modern cloud-native architectures

Familiarity with AI/ML risk considerations in financial systems

How We Take Care of You

Competitive Salary & Stock Options