Depop is the fashion marketplace where the next generation buy, sell and get inspired. We are headquartered in London, UK with locations in New York and LA. We have more than 18 million registered users in 147 countries. In the UK, 1 in 3 Gen Z/Millennials are registered and in the US we have grown 300% over two years. We are also the only European player to have recently entered the top 25 shopping apps by daily active users.

Our mission is to empower the next generation to transform fashion, and our team of over 200 people are dedicated to serving the needs of our global community.

We operate on three pillars:

  1. Community: Our buyers, sellers and employees are inclusive, diverse and accessible. We are committed to empowering diversity within the fashion community.
  2. Entrepreneurship: We support our community and help them build their business with Depop. We thrive on supporting innovation by shaping an environment where creators, makers or hustlers can thrive.
  3. Sustainability: Depop helps extend the life of garments and reduce waste, we care about the world and want to make a positive change within the fashion industry.

Read a little more about us Here

The Role

As Head of Security you will be responsible for defining, driving and delivering our security posture, aided by a small but effective security engineering team that you will help to build and ultimately, to succeed.

We believe that usability is a major factor in how effective a given security feature will be, and that the best security is invisible to the user.

We assert that "DevOps" as originally envisioned, is about a culture of end-to-end ownership and collaboration, and not about job titles or the industry that has sprung up around this term. In this vein, all of our Software Engineers are responsible for deploying and operating their software, and any directly supporting infrastructure.

We appreciate economies of scale, automation and homogeneity, which is why we have a Platform Engineering team responsible for maintaining the core infrastructure and providing a platform (built upon Kubernetes, Terraform, AWS, Vault and Concourse CI, among other things) complete with tooling, re-usable components and solutions, to our cross-functional production engineering teams. We want to take a similar approach with our security engineering team, baking security into the platform.

Want to find out more about Depop & our engineering team? Take a look at our blog.

We write about technology, people and smart engineering -


  • Develop and execute upon a comprehensive business-wide security strategy, encompassing all domains and interpretations of security
  • Be the visible face of Security at Depop, as well as a voice of authority, building strong, healthy relationships not just within engineering, but across the entire business
  • Assume ownership of an existing backlog of technical security improvements, and manage, mentor and empower the Lead Security Engineer and their team to constantly deliver real value from this
  • Assume ownership of company security policy definition and enforcement
  • Work with the business to maintain a risk register, help business stakeholders to understand and prioritise risks, and to plan for any resources required for mitigation
  • Integrate a security incident response process and play an active role in it
  • Define and direct our vulnerability disclosure policy
  • Embrace agile methodologies and engage in a culture of continuous improvement by attending (and perhaps even running) events such as book club, functional meet up, blameless post-mortems, architecture review, war games, hack days
  • Assist the Lead Security Engineer and their team to build out a roadmap for staff training, penetration testing and other education and discovery initiatives. We're not adverse to engaging with reputable third parties, but we want you to own it



  • A background in hands-on software engineering and/or software security, with at least 5 years experience within an Information or Cyber Security leadership role
  • Knowledge or experience with security compliance and Data Protection standards
  • Experience with the security models of one of those technologies: Web, iOS or Android
  • Knowledge of Kubernetes, Docker and related security landscape
  • Knowledge of AWS and related security landscape
  • Knowledge of Operating Systems; specifically Linux
  • A high-level understanding of modern cryptography, including cryptographic primitives


  • Exemplary written and verbal communication skills, able to effectively convey complex subjects to stakeholder audiences of all ages, backgrounds, seniority and technical literacy levels
  • Excellent documentation and policy writing skills, with a preference for concise, human-readable and ultimately useful prose
  • A strong advocate for real Security, rather than Security Theatre
  • Able to take a risk-based approach and effectively prioritise many competing demands
  • Self-directed and highly organised. We are a C-series c2c social marketplace startup, not a heavily-regulated investment bank. The right candidate will thrive in this atmosphere.
  • Great people management and mentoring experience; we want you to help shape and develop our people


  • Experience with any of our core languages: Scala (Services), Python (Older Services, ML, Scripting), Golang (Internal Tooling & Services), JavaScript/NodeJs (Web)
  • Experience with static analysis, detection and remediation tooling
  • A desire to evangelise some of the great work that you will be doing within the wider engineering community
  • BS in Computer Science, Information Systems Management, Information Security, a related technical field, or equivalent practical experience

Equality and Diversity Monitoring

Depop is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.

Depop recognises the benefits of a diverse workforce which reflects the wider population and welcomes applications from all sections of the community. Under the Equality Act (2010), Depop must demonstrate that their recruitment processes are fair and that we are not discriminating against or disadvantaging anyone because of their age, disability, gender reassignment status, marriage or civil partnership status, pregnancy or maternity, race, religion or belief, sex or sexual orientation. We need to ask applicants some questions to make sure that no one is being unfairly discriminated against or disadvantaged.

We collect this information only for anonymised monitoring purposes to help the organisation look at the profile of individuals who apply, are shortlisted for and appointed to each vacancy. In this way, we can check that we are complying with the Equality Act (2010).

Under the Equality Act 2010 the definition of disability is if you have a physical or mental impairment that has a 'substantial' and 'long-term' adverse effect on your ability to carry out normal day to day activities. Further information regarding the definition of disability can be found at: Reasonable adjustments will be made available should you be invited to interview.

GDPR Statement

When you apply to a job on this site, the personal data contained in your application will be collected by Depop Ltd, 08316342 ("Controller"), 9th Floor 107 Cheapside, London, United Kingdom, EC2V 6DN (“We”, “Us”) and can be contacted by emailing Your personal data will be processed for the purposes of managing Controller’s recruitment related activities, which include setting up and conducting interviews and tests for applicants, evaluating and assessing the results thereto, and as is otherwise needed in the recruitment and hiring processes. Such processing is legally permissible under Art. 6(1)(f) of Regulation (EU) 2016/679 (General Data Protection Regulation) as necessary for the purposes of the legitimate interests pursued by the Controller, which are the solicitation, evaluation, and selection of applicants for employment.

Your personal data will be shared with Greenhouse Software, Inc., a cloud services provider located in the United States of America and engaged by Controller to help manage its recruitment and hiring process on Controller’s behalf. Accordingly, if you are located outside of the United States, your personal data will be transferred to the United States once you submit it through this site. Because the European Union Commission has determined that United States data privacy laws do not ensure an adequate level of protection for personal data collected from EU data subjects, the transfer will be subject to appropriate additional safeguards under [either the standard contractual clauses or the Privacy Shield]. You can obtain a copy of the standard contractual clauses by contacting us at

Your personal data will be retained by Controller as long as Controller determines it is necessary to evaluate your application for employment.  

Under the GDPR, you have the right to request access to your personal data, to request that your personal data be rectified or erased, and to request that processing of your personal data be restricted. You also have to right to data portability. In addition, you may lodge a complaint with an EU supervisory authority.

Apply for this Job

* Required