
Security Lead

Posted about 3 hours ago

Office | Anywhere in France, Belgium, Spain | SE

Health can’t wait.

Not for symptoms to get worse. Not for a six‑month appointment. Not for a system to catch up. But that’s exactly how healthcare works today. You wait, until you can’t.

Alan exists to end the wait.

Health is a universal right, and we believe this right can only become real when it’s coupled with prevention. We need to stop treating health as something we repair and start treating it as something we build, every day. It’s not solely a question of willpower. It’s the healthcare system itself that needs to work for everyone, in a sustainable way.

So we are building the new standard in prevention insurance. Alan is the first company that integrates insurance, prevention, and care into a single, acclaimed user experience.

We are on an incredible journey to build a global leading company, with a unique culture. We already partner with 40K+ companies of all sizes, serve 1M+ members, and have reached €800M+ in ARR.

Prevention as the new norm. That's what we're building with our team of 800+ people. If it speaks to you: we're hiring across France, Spain, Belgium, and Canada. And beyond.

Why we are looking for a Security Lead

Alan is no longer the company it was in 2020. We are now an insurance group celebrating its 10th birthday, operating across 4 countries and growing fast – handling sensitive health data for 1M+ members, operating under DORA and HDS certification requirements, and regulated by the ACPR.

To match that scale, we are opening an external search for a Security Lead for the team's next phase: someone who brings structure, vision, and people leadership to a team that already has serious technical firepower.

Pillars of the role

1. Lead the security team and the topic

2. Own security in the AI era

3. Scale across 10+ countries

4. Build and evolve Alan's security strategy

Your traits and achievements

Lead the security team and the topic

• People leadership at scale: You have led security (or security-adjacent) teams where people genuinely grow. You can coach, structure, and elevate a team that is already highly technical. You have concrete examples of talent you have developed.

• Gives clarity and direction: You can cut through ambiguity and set a clear agenda for a team through well-communicated priorities and structured ownership.

• Combines vision with execution: You are comfortable setting direction and rolling up your sleeves technically. You do not hide behind strategy when things need to get done. You understand how the product works and contribute value to product-led discussions.

• Knows when to escalate and when to absorb: You have the judgment to distinguish between noise and real signal, and to protect the team's focus accordingly.

• Pragmatic risk trade-offs: You make sensible risk decisions and keep the business moving rather than chasing perfect security. You understand that security is an enabler rather than a gatekeeper.

Own security in the AI era

• AI security vision: You have a clear point of view on how AI changes the threat landscape as an attack vector and as a defensive lever. You are thinking seriously about LLM security, agent risks, and AI governance.

• Enables AI adoption safely: You can design a framework that lets product and engineering teams ship AI-powered features confidently, without creating bottlenecks. You think in guardrails, not gates.

• Stays current: You track OWASP LLM Top 10, MITRE ATLAS, EU AI Act, and similar developments. You can translate them into actionable priorities for Alan's context.

• Uses AI for security: You actively use AI to accelerate threat detection, automate compliance evidence, and improve the team's throughput; you do not just talk about it.

Scale across 10+ countries

• ISO 27001 ISMS leadership: You have led at least one full certification or recertification cycle. You know what breaks down in the months between audits and how to run the programme as a living system rather than a point-in-time exercise.

• Multi-regulatory fluency: You understand DORA, HDS, RGPD, NIS2, and PGSSI-S — not necessarily as a GRC expert, but well enough to translate regulatory requirements into technical controls and flag implementation gaps. You understand the frameworks' long-term dependencies and the possibilities they unlock for the business.

• Health sector context: You have worked in or closely with regulated industries. Bonus: You understand the ANS framework, CERT Santé requirements, and what it means to handle sensitive health data operationally.

• Risk as a living programme: You have run security risk cartography (ideally with EBIOS RM) and made it feed into real business and engineering decisions.

• Third-party risk with real teeth: You have run vendor security assessments and defined contractual security requirements. You are able to partner with Risk and Audit functions without duplicating work.

Build and evolve Alan's security strategy

• Security as a business asset: You see security as a long-term defensive asset and a trust-builder for members, regulators, and partners, not a cost centre.

• Influences without authority: You align Legal, DPO, Risk, Engineering, Product, and Operations on security requirements without creating blockers or adversarial dynamics. People come to you early because you make their lives easier, not harder.

• Communicates risk to non-technical audiences: You can brief a board or executive committee and make them feel informed, not overwhelmed. You know the difference between a board-level finding and a quarterly report item.

• Builds security culture, not compliance theatre: Your awareness programmes land because they are relevant and well-designed, not because they are mandatory. The goal is teams making better decisions, not teams checking boxes.

• Thrives in a distributed, written culture: You are comfortable with async communication, written-first thinking, and working across countries and time zones without needing constant synchronisation.

Expected outcomes in 1 year

1. Built the security team with clarity, structure, and direction (includes defining Alan’s security vision, how Security interfaces with the rest of the company, capacity planning, talent density, hiring plans, etc.)

2. Shaped how Alan uses AI for security: build an AI security posture that is both rigorous and an accelerator for the team

3. Maintained and evolved Alan's compliance backbone across ISO 27001, HDS, DORA, and defined a playbook to ensure consistency across 10+ countries

4. Built a living security risk programme that feeds into business and engineering decisions

5. Confirmed Alan as a trusted, security-first company in the eyes of regulators, partners, and members

This position targets level F+ on our level grid.

Job details

Workplace: Office
Location: Anywhere in France, Belgium, Spain
Experience: SE

Alan enables everyone to take action on their physical and mental health, combining the best of prevention and insurance, all within a unique experience.

Key team members

Emilie Quellec

Yoann Artus

Anna Keroullé

Julien Durand
