Head of Information Security

Requirements

• Proven track record of strategic impact at company-wide and industry-wide.
• Recognised internally and externally as an InfoSec expert, with evidence of exceptional technical and people leadership.
• Establishes long-term security architecture aligned to business strategy and regulatory requirements; guides enterprise technology decisions including cloud strategy and zero trust.
• Anticipates emerging threats, leverages AI/ML for predictive security, and sets the technology vision.
• Deep understanding of the GRC landscape; implements appropriate controls and adapts as the environment shifts.
• Develops proven solutions and replicates them across teams; designs systems and frameworks built to last.
• Accountable and collaborative: works with clients and colleagues to resolve complex issues and views challenges as opportunities to improve.
• Owns execution of security, GRC, and IT Ops strategy; ensures frameworks are scalable, adaptable, and aligned to business strategy and executive-level risk expectations.

Market knowledge

• Deep understanding of the security and risk landscape across fintech and beyond; adapts market knowledge to continuously improve Duco's posture.
• Evaluates and integrates advanced security technologies and GRC best practices; knows when to buy, adapt, or build internally.
• Acts as a recognised industry leader: participates in regulatory advisory groups, defines Duco's position on InfoSec maturity, and anticipates regulatory shifts before they arrive.

Scope and influence

• Operates across all departments; builds sponsorship for strategic initiatives and drives them through.
• Leads all InfoSec, GRC, and IT Ops functions with cross-functional influence across product, engineering, and compliance.
• Recognised outside of Duco for technology excellence; participates in industry events and shapes the wider conversation on risk and threat.
• Influences executive peers, board decisions, and global regulatory compliance strategy.

Experience

• 8+ years of progressive experience in information security, with at least 3 years in a senior or leadership role.
• Hands-on experience owning ISO 27001 and SOC 1 and SOC 2 programmes, not just supporting them.
• Demonstrated experience managing security incidents end-to-end, including client and regulatory communications.
• Strong understanding of cloud security, particularly AWS, including IAM, logging, and observability infrastructure.
• Experience operating in a B2B SaaS or fintech environment, with exposure to enterprise client security requirements.
• Track record of building and managing TPRM programmes at scale.
• Excellent stakeholder management skills; comfortable presenting to the board and to client security teams in equal measure.
• Ability to make pragmatic decisions based on company culture and risk appetite.
• Strong written communication skills: able to translate complex security topics into clear, plain-language communications for non-technical audiences.
• Experience leading and developing a small, high-performing team.
• Familiarity with AI governance and the security implications of agentic AI systems.

What the job involves

We are looking for a Head of Information Security to own our end-to-end security posture, govern our risk and compliance programme, and lead our IT Operations function. This is a VP Level role with company-wide scope. With approximately 200 employees across London, New York, Wroclaw, Antwerp, and Singapore, we move fast, build with purpose, and hold ourselves to a high bar. As we scale, information security, governance, and IT operations sit at the heart of that ambition.

• Define security architecture standards and lead threat modelling across the organisation.
• Establish and maintain long-term security architecture aligned to business strategy and regulatory requirements.
• Guide technology decisions at an enterprise level, including cloud strategy and zero trust adoption.
• Oversee penetration testing, DLP, and advanced threat detection programmes.
• Own the vulnerability management programme.
• Implement enterprise frameworks including IAM, SIEM, and data classification.
• Anticipate emerging threats, leverage AI/ML for predictive security, and set the technology vision.
• Lead Security Incident Response Programme.
• Define and own the GRC programme, including the ISMS, policy framework, risk registers, and audit readiness.
• Implement and maintain compliance with ISO 27001, SOC 1, SOC 2, NIST CSF, GDPR, and relevant financial services regulations.
• Understand the GRC landscape, implement appropriate controls, and adapt as the threat and regulatory environment shifts.
• Own execution of GRC strategy across the organisation; ensure frameworks are scalable and adaptable.
• Own Third Party Risk Management (TRPM) programme, including vendor assessments and ongoing oversight.

IT operations

• Define and own the IT Operations programme, setting strategy and standards for the function.
• Own execution of IT Operations strategy; ensure frameworks are scalable and adaptable as Duco grows.
• Ensure operational excellence across infrastructure, tooling, and end-user support.

Leadership and stakeholder management

• Lead, mentor, and develop a high-performing team across InfoSec, GRC, and IT Ops.
• Build strategic relationships with clients, regulators, and internal stakeholders.
• Engage effectively with large, complex, and multi-national enterprise clients that have mission-critical operations requirements, building trust and credibility at the most senior levels.
• Recognise, influence, and resolve critical issues that may affect company direction.
• Create strategies that cross organisational boundaries to achieve broad business goals.
• Work with industry peers and working groups to develop solutions that benefit the wider market.

Enterprise Client Assurance: Act as a key partner to Duco's Client Success and Pre-Sales teams. This involves speaking directly with the CISOs and security teams of global financial institutions to assure them of Duco’s risk management and data privacy practices.