Responsibilities include:
- Maintain and update the enterprise risk register and Information Security Management System (ISMS) in alignment with DORA and ISO 27001.
- Oversee the Business Impact Analysis (BIA) and Business Continuity/Disaster Recovery Plan (BCM/DRP), including testing, gap analysis, and reporting.
- Manage the relationship with the managed SIEM/SOC provider; validate detection rules, incident playbooks, and SLAs; organise purple-team exercises.
- Conduct pre-deployment security reviews of cloud architecture and CI/CD pipelines, ensuring that security controls are embedded in the pipeline and tested before release.
- Define and track key risk and performance indicators (KRIs/KPIs) for areas including identity management, data protection, infrastructure resilience, and incident response.
- Lead the full third-party and outsourcing risk lifecycle, including due diligence, contract negotiation, and ongoing monitoring.
- Interpret and monitor regulatory updates (e.g., DORA, MiCAR, GDPR) and translate them into actionable control requirements and compliance evidence.
- Promote a security-conscious culture through training sessions, phishing simulations, and awareness programmes across business and engineering teams.
Requirements include:
- Minimum of 7 years in information security, IT risk, or technology audit roles, ideally within a regulated fintech, bank, or SaaS environment.
- At least 3 years performing structured risk oversight, control testing, or governance responsibilities.
- Strong working knowledge of DORA, ISO 27001, GDPR, and at least one supervisory framework (e.g., EBA ICT/Security Guidelines, BaFin, FINMA, CSSF).
- Broad technical understanding across key domains such as access management, data protection, incident governance, vulnerability management, and third-party risk.
- Comfortable overseeing cryptographic key management and security modules from a governance and control perspective, without needing deep cryptography expertise.
- Excellent communication skills with the ability to distill complex technical issues into business-relevant terms; fluent English required, German an advantage.
- Holds a recognised certification such as CISSP, CISM, CISA, CRISC, CCSP, or ISO 27001 Lead Implementer/Auditor.