Nexl is a fast-growing LegalTech company on a mission to elevate the business of law. The company builds an AI-driven CRM and growth intelligence platform that brings a firm's internal and external data together so lawyers, marketing teams, and business development teams can collaborate, spot opportunities, and grow revenue.
Nexl has been recognised by the Financial Times, Deloitte, and the Australian Financial Review as one of the fastest‐growing companies in the region, is trusted by 150+ law firms globally, and recently closed a $23M USD Series B led by Tidemark Capital.
The Opportunity
Nexl is looking for its first dedicated Security & Compliance Lead to build and own the security and compliance program from the ground up. Our clients are law firms, and they trust us with sensitive client relationship data. Security is core to our product promise and our commercial licence to operate.
This is a dual‐track role. You'll run operational security (identity and access controls, endpoint and email protection, SIEM‐based detection and incident response) while simultaneously owning our compliance certifications: SOC 2 Type 2 (ongoing) and the ISO 27001 roadmap. On the application security side, you'll govern the program in partnership with Engineering rather than doing hands‐on code review yourself.
You'll report to the Head of Engineering and work closely with the CPTO and VP of Strategy & Operations, interface directly with enterprise law firm clients on security matters, and produce board‐level reporting. You'll be Nexl's first dedicated security hire, which means genuine ownership and visibility. This is a greenfield role with executive sponsorship from the CPTO. You'll have input into tooling decisions and budget conversations from day one.
What You'll Own & Do
Policy & Security Awareness
* Build and maintain Nexl's security policy framework: acceptable use, data classification, access control, BCDR, and incident response policies
* Own the security awareness training program, including curriculum, delivery cadence, and phishing simulation campaigns across the organisation
* Drive a security‐first culture that is practical and embedded, not compliance theatre
Identity & Access
* Own Microsoft 365 and Entra ID security posture: conditional access policies, phishing‐resistant MFA (passkeys), OAuth application governance, and legacy protocol deprecation
* Manage privileged access controls and the joiners / movers / leavers process
* Serve as Nexl's internal subject‐matter expert for the Microsoft security stack
Security Operations
* Select, deploy, and govern the SIEM and EDR stack, defining detection rules, alert thresholds, and escalation paths
* Own alert triage and incident detection, working with external SOC or MSSP partners where appropriate
* Own the incident response lifecycle end‐to‐end: detection, containment, communication, post‐incident review, and risk register updates
* Maintain the security risk register and report material risks to leadership and the board on a regular cadence
* Own Nexl's SOC 2 Type 2, ISO 27001 and ISO 42001 programs: control monitoring, evidence collection, auditor liaison, and annual renewal
* Respond to customer security questionnaires and enterprise due diligence requests — a high‐frequency, revenue‐relevant activity at Nexl's customer tier
* Maintain alignment with Privacy Act (Australia), GDPR, and applicable US data protection requirements
Application Security
* Own the annual penetration testing program: scope, vendor management, findings review, and remediation SLA tracking
* Define and maintain the vulnerability disclosure policy and responsible disclosure process
* Set SAST/DAST tooling standards and adoption requirements for the engineering pipeline in partnership with the Head of Engineering
Customer & Regulatory Trust
* Act as the primary point of contact for enterprise and law firm clients on all security and compliance matters
* Produce board‐level security reporting: incident summaries, risk posture updates, certification status
* Manage third‐party vendor security assessments and the vendor review process
* Provide practical guidance across Privacy Act, GDPR, and cyber insurance obligations
What We're Looking For
Must haves:
* 5–8 years across security operations and GRC, ideally in a SaaS or cloud‐native environment
* Hands‐on experience configuring Microsoft 365 and Entra ID security, not just familiarity with the settings
* Demonstrated ownership of a SOC 2 Type 2 program and ISO 27001 experience, with willingness to help us navigate a roadmap to ISO 42001
* Practical experience with SIEM and EDR tooling in a real‐world environment
* Experience managing or commissioning penetration testing programs and translating findings into engineering‐facing remediation plans
* Able to write a policy, triage a SIEM alert, and brief a C‐Suite in the same week
* Comfortable operating as Nexl's sole security function — you build programs that run without you personally touching everything
* Working knowledge of Privacy Act (Australia) and GDPR; US data protection familiarity a plus
Nice to haves:
* CISM, CISSP, ISO 27001 Lead Auditor / Lead Implementer, or Microsoft security certifications (SC‐200, SC‐300, AZ‐500)
* Experience with GRC platforms such as Vanta, Drata, or Secureframe
* Exposure to legal technology, professional services software, or other high‐trust B2B SaaS environments
* Familiarity with NIST CSF or Essential Eight frameworks
What Success Looks Like
* Within 30 days: M365 and Entra ID environment mapped, hardening backlog prioritised, and security tech stack gap assessment completed
* Within 90 days: EDR deployed across all endpoints, SIEM live with baseline detection rules, security awareness training launched, and ownership of the SOC 2 and ISO programs taken on
* Within 6 months: Annual pen test cycle running; customer security questionnaire response time under 3 business days
* Within 12 months: Board security reporting cadence established with CPTO; Nexl's security posture is a commercial differentiator in enterprise deals
* You are a trusted voice across Engineering, Product, and the executive team. Security decisions are grounded in evidence and risk, not assumption
Life at Nexl
* High growth. A scaling environment with autonomy, ownership, and visible impact.
* ESOP. Employee stock options so you share in the upside.
* Tools & tech. Modern, AI‐first ways of working to help you move faster and smarter, plus a work laptop.
* Birthday leave. Take a paid "Nexl Day" during the week of your birthday.
* Transparent by default. Fortnightly all‐hands with strategy, metrics, wins, and learnings.
* Purposeful connection. Team offsites and meet‐ups.
* Values‐led culture. Guided by The Nexler Way, our values and operating principles that define who we are, how we work, and how we win together.
Our Values
* Committed to Care – We genuinely care about the work we do and the industry we do it for
* Human at the Core – Relationships and empathy guide everything we do
* Different with Purpose – We're not afraid to stand out. We innovate boldly and deliberately
Even if you don't tick every box, Nexl would still love to hear from people who are excited by the mission and believe they would thrive in a high‐growth, high‐accountability environment.