Requirements
- Proven track record of strategic impact at company-wide and industry-wide
- Recognised internally and externally as an InfoSec expert, with evidence of
- Exceptional technical and people leadership
- Establishes long-term security architecture aligned to business strategy and regulatory requirements; guides enterprise technology decisions including cloud strategy and zero trust
- Anticipates emerging threats, leverages AI/ML for predictive security, and sets the technology vision
- Deep understanding of the GRC landscape; implements appropriate controls and adapts as the environment shifts
- Develops proven solutions and replicates them across teams; designs systems and frameworks built to last
- Accountable and collaborative: works with clients and colleagues to resolve complex issues and views challenges as opportunities to improve
- Owns execution of security, GRC, and IT Ops strategy; ensures frameworks are scalable, adaptable, and aligned to business strategy and executive-level risk expectations
- Market knowledge
- Deep understanding of the security and risk landscape across fintech and beyond; adapts market knowledge to continuously improve Duco’s posture
- Evaluates and integrates advanced security technologies and GRC best practices; knows when to buy, adapt, or build internally
- Acts as a recognised industry leader: participates in regulatory advisory groups, defines Duco’s position on InfoSec maturity, and anticipates regulatory shifts before they arrive
- Scope and influence
- Operates across all departments; builds sponsorship for strategic initiatives and drives them through
- Leads all InfoSec, GRC, and IT Ops functions with cross-functional influence across product, engineering, and compliance
- Recognised outside of Duco for technology excellence; participates in industry events and shapes the wider conversation on risk and threat
- Influences executive peers, board decisions, and global regulatory compliance strategy
- 8+ years of progressive experience in information security, with at least 3 years in a senior or leadership role
- Hands‑on experience owning ISO 27001 and SOC 1 and SOC 2 programmes, not just supporting them
- Demonstrated experience managing security incidents end-to-end, including client and regulatory communications
- Strong understanding of cloud security, particularly AWS, including IAM, logging, and observability infrastructure
- Experience operating in a B2B SaaS or fintech environment, with exposure to enterprise client security requirements
- Track record of building and managing TPRM programmes at scale
- Excellent stakeholder management skills; comfortable presenting to the board and to client security teams in equal measure
- Ability to make pragmatic decisions based on company culture and risk appetite
- Strong written communication skills: able to translate complex security topics into clear, plain-language communications for non-technical audiences
- Experience leading and developing a small, high-performing team
- Familiarity with AI governance and the security implications of agentic AI systems
What the job involves
- We are looking for a Head of Information Security to own our end-to-end security posture, govern our risk and compliance programme, and lead our IT Operations function. This is a VP Level role with company-wide scope
- With approximately 200 employees across London, New York, Wroclaw, Antwerp, and Singapore, we move fast, build with purpose, and hold ourselves to a high bar. As we scale, information security, governance, and IT operations sit at the heart of that ambition
- Define security architecture standards and lead threat modelling across the organisation
- Establish and maintain long-term security architecture aligned to business strategy and regulatory requirements
- Guide technology decisions at an enterprise level, including cloud strategy and zero trust adoption
- Oversee penetration testing, DLP, and advanced threat detection programmes
- Own the vulnerability management programme
- Implement enterprise frameworks including IAM, SIEM, and data classification
- Anticipate emerging threats, leverage AI/ML for predictive security, and set the technology vision
- Lead Security Incident Response Programme
- Define and own the GRC programme, including the ISMS, policy framework, risk registers, and audit readiness
- Implement and maintain compliance with ISO 27001, SOC 1, SOC 2, NIST CSF, GDPR, and relevant financial services regulations
- Understand the GRC landscape, implement appropriate controls, and adapt as the threat and regulatory environment shifts
- Own execution of GRC strategy across the organisation; ensure frameworks are scalable and adaptable
- Own Third Party Risk Management (TRPM) programme, including vendor assessments and ongoing oversight
- IT operations
- Define and own the IT Operations programme, setting strategy and standards for the function
- Own execution of IT Operations strategy; ensure frameworks are scalable and adaptable as Duco grows
- Ensure operational excellence across infrastructure, tooling, and end-user support
- Leadership and stakeholder management
- Lead, mentor, and develop a high-performing team across InfoSec, GRC, and IT Ops
- Build strategic relationships with clients, regulators, and internal stakeholders
- Engage effectively with large, complex, and multi-national enterprise clients
- That have mission-critical operations requirements, building trust and credibility at the most senior levels
- Recognise, influence, and resolve critical issues that may affect company direction
- Create strategies that cross organisational boundaries to achieve broad business goals
- Work with industry peers and working groups to develop solutions that benefit the wider market
- Enterprise Client Assurance: Act as a key partner to Duco’s Client Success and Pre-Sales teams. This involves speaking directly with the CISOs and security teams of global financial institutions to assure them of Duco’s risk management and data privacy practices
#J-18808-Ljbffr…
