Director, Information Security
Your mission
As Director, Information Security, your mission will be to ensure the protection, integrity, and confidentiality of our organization's information assets. You will manage and grow our GRC function in a regulated fintech environment. You’ll lead a small team (e.g., Associates to Senior Specialists), own the GRC operating rhythm (risk, controls, audits, third-party oversight), and ensure we stay continuously audit-ready while scaling responsibly.
This is a hands-on leadership role: you will set direction, coach and develop the team, and partner with senior stakeholders across Technical Operations, Engineering, IT, Compliance, Risk, Legal, and Procurement to drive effective, proportionate security governance.
What you’ll do
- Strategy, governance & risk accountability: Define and maintain the multi-year information security strategy and roadmap aligned with business objectives, risk appetite, and regulatory requirements. Establish security governance: decision forums, risk acceptance thresholds, exception processes, and clear accountability across the organization. Ensure effective enterprise security risk management, including identification of material risks, treatment plans, and board-level reporting.
- Security program leadership (end-to-end): Lead, scale and oversee security capabilities across domains (GRC/ISMS, Security Operations, AppSec, Cloud/Infrastructure Security, IAM, Security Architecture). Ensure security is embedded into product and engineering delivery (secure SDLC, threat modeling, security-by-design guardrails). Define security standards, controls and minimum baselines; drive consistent implementation across entities, regions, and critical systems.
- Compliance, audits & regulatory engagement: Oversee external and internal assurance programs (e.g., ISO 27001, SOC 2, PCI DSS, partner assurance) and ensure continuous audit readiness. Lead/coordinate security-facing regulatory engagement: examinations, requests for information, remediation commitments, and follow-ups. Ensure security requirements are integrated with broader compliance obligations and operational resilience expectations.
- Third-party & supply chain security: Set third-party security strategy for critical suppliers (due diligence, ongoing monitoring, contractual security requirements, and exit/continuity considerations). Ensure oversight of outsourcing/critical ICT providers consistent with regulatory expectations and business criticality.
- Stakeholder management & security culture: Act as an advisor at all levels: communicate security risk in business terms and drive alignment on tradeoffs. Partner with Engineering, Product, IT, Compliance, Risk, Legal, Procurement, and Internal Audit to deliver outcomes. Champion security awareness and accountability across the company.
Who you are
- Typically 10–15+ years in information security, including leadership of multiple security domains and senior stakeholder management.
- Demonstrated success building and scaling security programs in regulated environments (fintech/financial services preferred).
- Experience implementing ICT-related regulatory requirements (e.g., DORA, BaFin supervisory requirements).
- Strong grasp of security governance and risk management, plus practical understanding of modern cloud/security architecture and engineering practices.
- Proven experience with incident leadership and crisis management.
- Extensive experience with assurance and frameworks (e.g., ISO 27001, SOC 2, NIST), including translating requirements into operating programs.
- Excellent executive and technical communication: able to brief board/executive audiences and represent the company externally, as well as being able to discuss technical requirements and implementations with the First Line of Defence (1LoD).
Leadership profile
- You balance pragmatism and rigor: protect the company while enabling growth and product velocity.
- You are decisive and transparent about risks, and you drive accountability to closure.
- You can operate at board level while still understanding technical realities and delivery constraints.
- You build high-trust partnerships across the business and influence without relying on “security says no.”
- You lead calmly under pressure and set a culture of ownership, learning, and continuous improvement.