Head of Information Security (APAC)

Your Role:

Reporting to the Global CISO, the Head of Information Security (APAC) drives Alpaca's regional security, risk, and compliance, focusing on APAC regulations (APPI, FSA, MAS). 

You will be the regional security authority, collaborating with global teams (Security, Engineering, Legal, Compliance, Product) to align infrastructure, the trading platform, and internal systems with both global standards and local regulatory needs. 

This role merges security engineering, local compliance, risk management, and stakeholder engagement. You translate regional regulatory requirements into actionable security controls, ensuring a secure, scalable, and compliant platform. You will also be the main contact for regulators, auditors, and local stakeholders, enabling confident operations in highly regulated financial markets.

Things You Get To Do:

Regional Security & Compliance Leadership

• Manage Alpaca’s APAC information security program
• Interpret and implement local regulatory requirements into security controls
• Serve as the APAC security compliance and regulatory expert
• Ensure alignment with Global Security, Legal, and Compliance on financial services and data protection regulations

Security Risk Management

• Lead risk identification, assessment, and mitigation for cloud infrastructure, APIs, and trading systems
• Manage and evolve regional risk registers, reporting, and governance
• Ensure adherence to global frameworks (ISO 27001, SOC 2, CSA STAR)

Cloud & Platform Security Collaboration

• Partner with Engineering for secure-by-design, cloud-native infrastructure
• Provide guidance on IAM, Network security architecture, Secure SDLC, Infrastructure hardening/monitoring
• Review architecture to embed security and compliance early

Regulatory Audits & External Engagement

• Lead and support regulatory exams, audits, and assessments
• Act as the primary liaison for Regulators, external auditors, and local compliance partners
• Report findings to the global security team and assist with triage and mitigation

Policy, Governance & Controls

• Develop and maintain regional security policies, standards, and procedures as required
• Localize global policies for APAC regulatory environments
• Drive control implementation and testing across security and compliance frameworks

 

Who You Are (Must-Haves):

• 6+ years of experience in information security, cybersecurity, or GRC, preferably in fintech or financial services
• Fluent in Japanese and English (written and verbal)
• An excellent understanding of cloud security, application and infrastructure security, and risk management frameworks
• Experience with security and compliance frameworks (ISO 27001, SOC 2, etc.)
• Direct experience working with or supporting regulatory requirements in Japan (e.g. APPI / FSA) and/or APAC
• Proven experience handling audits, regulatory exams, or compliance programs
• Ability to work cross-functionally with engineering, product, and compliance teams
• Strong communication skills, with the ability to translate technical risks into business impact

Who You Might Be (Nice-to-Haves):

• Experience in brokerage, trading platforms, or financial infrastructure
• Experience with data privacy regulations (APPI, GDPR, etc.)
• Security certifications (e.g. CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor)
• Experience building or scaling regional security programs
• Exposure to DevSecOps practices and modern cloud-native architectures
• Familiarity with AI/ML risk considerations in financial systems