Head of Information Security, Netherlands

What you will be doing:

• Governance & Strategy: Develop, maintain, and oversee the Information Security and ICT Risk Management Frameworks in line with DORA, ISO 27001, NIST, and other applicable standards. Establish, maintain, and enforce security policies, standards, and procedures. Provide independent second-line challenge to first-line controls and risk management activities. Report on security posture to the Board and leadership team.
• Regulatory Compliance & Engagement: Ensure full compliance with DORA (ICT risk management, incident reporting, resilience testing, third-party risk), PSD2-SCA, PCI-DSS, SWIFT CSP, GDPR (as it relates to ICT), and EBA guidelines. Act as the primary liaison for DNB, EBA, and other regulators; manage regulatory inquiries, audits, inspections, and reporting obligations.
• Incident & Access Management: Own and manage end-to-end response to security incidents and data breaches, including coordination, escalation, investigation, containment, and regulatory reporting in line with DORA and GDPR. Oversee access control governance, including user provisioning, privileged access, and periodic access reviews. Manage KMS and (CBD) security practices in accordance with internal policies and regulatory expectations.
• Third-Party & Outsourced Security Oversight: Maintain ownership of all outsourced security activities (e.g., SOC, penetration testing providers), ensuring service quality, SLA adherence, and alignment with security and compliance requirements. Manage the ICT third-party risk lifecycle, including due diligence, ongoing monitoring, and maintenance of the DORA register of critical ICT third-party providers.
• Risk, Resilience & Assurance: Identify, assess, prioritise, and report ICT and cyber risks; define key risk indicators and present risk posture to the Board and Risk Committees. Oversee digital operational resilience testing (including threat-led penetration testing) and disaster recovery from an ICT perspective. Monitor the governance and technical effectiveness of cybersecurity controls (SIEM, EDR, DLP, IAM, vulnerability management, and data security) and track remediation of audit and assessment findings.
• Culture, Collaboration & Stakeholder Engagement: Deliver security awareness programmes and foster a security-conscious culture. Advise the local entity Board, senior management, and technology teams on risk posture, outsourcing, and major technology changes. Collaborate with and provide subject-matter expertise to the EMEA Information Security team on regional projects and BAU activities.

What we are looking for:

• 8+ years' experience in ICT risk, cybersecurity governance, or audit within financial services.
• Proven experience implementing DORA and engaging with DNB or comparable EU regulators.
• Strong technical foundation in cloud security, IT infrastructure, application security, and cyber threats.
• Strong knowledge of cloud security controls, SIEM, EDR, DLP, IAM, and security architecture.
• Awareness of AI security risks and controls.
• Experience in incident response and third-party security management.
• Ability to influence stakeholders, present to Boards and regulators, and operate independently in a second-line role.
• Fluent in English and Dutch.
• Demonstrated ability to lead complex security compliance, incident response, and security initiatives in regulated environments.