Head of Information Security in Barbican

Duco is empowering financial services to transform the work undertaken in Operations by automating manual work and elevating humans from task workers to decision makers. We do this with a combination of proprietary technique, innovative cloud computing, artificial intelligence technology, and deep subject matter expertise. Our agentic Operations platform gives firms the ability to unlock full end-to-end reconciliation, data trust and automation of their data, regardless of source, format or structure. By partnering with the industry's leading firms, we are helping to rethink operating models, increase efficiency, strengthen governance and regulatory compliance, reduce risk, streamline processes and build the workforce of the future. More than 10,000 users across 30+ countries process billions of data records every week using the platform. Duco is headquartered in London, with offices in New York, Wroclaw, Antwerp and Singapore. Customers include global banks, investment managers, exchanges and insurance firms, such as CIBC Mellon, ING and Man Group.

The role involves owning our end-to-end security posture, governing our risk and compliance programme, and leading our IT Operations function. This is a VP Level role with company-wide scope. With approximately 200 employees across London, New York, Wroclaw, Antwerp, and Singapore, we move fast, build with purpose, and hold ourselves to a high bar. As we scale, information security, governance, and IT operations sit at the heart of that ambition.

What you will be doing:

• Security architecture and engineering: Define security architecture standards and lead threat modelling across the organisation; establish and maintain long-term security architecture aligned to business strategy and regulatory requirements; guide technology decisions at an enterprise level, including cloud strategy and zero trust adoption; oversee penetration testing, DLP, and advanced threat detection programmes; own the vulnerability management programme; implement enterprise frameworks including IAM, SIEM, and data classification; anticipate emerging threats, leverage AI/ML for predictive security, and set the technology vision; lead Security Incident Response Programme.
• Governance, risk, and compliance (GRC): Define and own the GRC programme, including the ISMS, policy framework, risk registers, and audit readiness; implement and maintain compliance with ISO 27001, SOC 1, SOC 2, NIST CSF, GDPR, and relevant financial services regulations; understand the GRC landscape, implement appropriate controls, and adapt as the threat and regulatory environment shifts; own execution of GRC strategy across the organisation; ensure frameworks are scalable and adaptable; own Third Party Risk Management (TRPM) programme, including vendor assessments and ongoing oversight.
• IT operations: Define and own the IT Operations programme, setting strategy and standards for the function; own execution of IT Operations strategy; ensure operational excellence across infrastructure, tooling, and end-user support.
• Leadership and stakeholder management: Lead, mentor, and develop a high-performing team across InfoSec, GRC, and IT Ops; build strategic relationships with clients, regulators, and internal stakeholders; engage effectively with large, complex, and multi-national enterprise clients that have mission-critical operations requirements; recognise, influence, and resolve critical issues that may affect company direction; create strategies that cross organisational boundaries to achieve broad business goals; work with industry peers and working groups to develop solutions that benefit the wider market; act as a key partner to Duco's Client Success and Pre-Sales teams.

Core Competencies:

• Technical leadership: Proven track record of strategic impact at company-wide and industry-wide level; recognised internally and externally as an InfoSec expert; establishes long-term security architecture aligned to business strategy and regulatory requirements; anticipates emerging threats and sets the technology vision.
• End-to-end ownership: Develops proven solutions and replicates them across teams; accountable and collaborative; owns execution of security, GRC, and IT Ops strategy.
• Market knowledge: Deep understanding of the security and risk landscape across fintech and beyond; evaluates and integrates advanced security technologies and GRC best practices.
• Scope and influence: Operates across all departments; leads all InfoSec, GRC, and IT Ops functions with cross-functional influence; recognised outside of Duco for technology excellence.

What We Are Looking For:

• 8+ years of progressive experience in information security, with at least 3 years in a senior or leadership role.
• Hands-on experience owning ISO 27001 and SOC 1 and SOC 2 programmes.
• Demonstrated experience managing security incidents end-to-end.
• Strong understanding of cloud security, particularly AWS.
• Experience operating in a B2B SaaS or fintech environment.
• Track record of building and managing TPRM programmes at scale.
• Excellent stakeholder management skills.
• Strong written communication skills.
• Experience leading and developing a small, high-performing team.
• Familiarity with AI governance and the security implications of agentic AI systems.

Beneficial Experience:

• Experience with DLP, SIEM, or SOC build-outs.
• Relevant certifications such as CISSP, CISM, or ISO 27001 Lead Implementer.
• Experience in capital markets, asset management, or securities services.