Head of Information Security

Full-Time 80000 - 100000 £ / year (est.) No home office possible
Fintel

At a Glance

  • Tasks: Lead the information security strategy and ensure data protection across the Fintel Group.
  • Company: Fintel plc, a leader in financial services intelligence and technology.
  • Benefits: Flexible remote work options, competitive salary, and opportunities for professional growth.
  • Why this job: Make a real impact on security in a tech-driven environment with genuine ownership.
  • Qualifications: Proven experience in information security leadership and strong technical knowledge.
  • Other info: Join a dynamic team focused on modernising technology and enhancing security culture.

The predicted salary is between 80000 - 100000 £ per year.

Fintel plc is the leading provider of financial services intelligence and technology, helping businesses navigate regulatory complexity and drive growth. Our mission is to simplify and enhance financial services, enabling better client outcomes. We have two core business divisions: Software and Data and Services.

Role Overview

This is a pivotal, group-wide leadership role for a pragmatic and technically grounded security professional who wants genuine ownership, not just of policy documents, but of outcomes. You will own the information security and data protection strategy for the entire Fintel Group, operating at both the strategic and hands-on technical level. Reporting directly to the CTO of Defaqto, you will act as the group’s effective CISO and Data Protection Officer (DPO), working across both Defaqto and SimplyBiz to align security policies, manage risk, respond to incidents, and continuously improve our security posture.

You will be the person the board turns to for honest assessment, the engineer teams turn to for clear direction, and the clients turn to when they need confidence in how we handle their data. We are a technology company and we want a technology person in this role, someone who understands why controls exist, not just that they should exist.

Group Security Strategy

  • Own and drive the group-wide information security strategy, aligned to business risk, regulatory obligations, and client expectations.
  • Maintain and continuously improve security policies and standards across both Defaqto and SimplyBiz divisions.
  • Define and manage the security roadmap, prioritising initiatives based on risk, technical impact, and business value.
  • Champion security-by-design thinking across engineering, product, and operations teams.

Technical Security & Penetration Testing

  • Lead the technical security posture of the group — not just from a governance perspective but with genuine understanding of the underlying infrastructure, applications, and data flows.
  • Commission, manage, and act on the results of penetration testing and vulnerability assessments across group systems.
  • Work closely with IT and engineering teams to remediate findings and embed security improvements into the development lifecycle.
  • Maintain awareness of the threat landscape and translate it into relevant, actionable guidance for the organisation.

CISO & DPO Responsibilities

  • Act as the group’s effective Chief Information Security Officer (CISO) and Data Protection Officer (DPO).
  • Ensure ongoing compliance with GDPR, UK Data Protection Act, and relevant financial services security obligations.
  • Liaise closely with the Legal department on data protection matters, contracts, and regulatory enquiries.
  • Manage data subject rights requests, breach notifications, and regulatory correspondence as required.

Client & Commercial Security

  • Lead responses to client security questionnaires and due diligence requests, representing the group’s security posture clearly and accurately.
  • Support commercial and client relationship teams with security assurance materials and briefings.
  • Build and maintain trust with enterprise clients through transparency, responsiveness, and credible security governance.

Incident Response

  • Own the group’s incident response plan and ensure it is tested, maintained, and ready to activate.
  • Lead or co-ordinate the response to security incidents, acting as the central point of communication to leadership and relevant stakeholders.
  • Conduct post-incident reviews and drive learning back into policies and controls.

Risk & Governance Reporting

  • Report regularly to the board Risk Committee on the current security posture, identified risks, and the programme of work to address them.
  • Produce clear, executive-level communications that give the board a genuine understanding of risk — not just a status update.
  • Maintain a risk register for information security and data protection across the group.

Essential Requirements

  • Demonstrable experience in an information security leadership role — either as a CISO, Head of Security, or senior security engineer who has operated at this level.
  • Strong technical foundation: you understand how modern systems, cloud infrastructure, and web applications actually work, and why specific security controls are implemented.
  • Experience commissioning and interpreting penetration test results and driving remediation programmes.
  • Experience acting as or supporting a DPO function under GDPR / UK data protection law.
  • Proven ability to respond to client security questionnaires and manage security due diligence processes.
  • Comfortable owning the board relationship for security — able to communicate risk clearly to a non-technical audience without dumbing it down.
  • Experience with incident response — not just the theory, but having been in the room when something went wrong.
  • Knowledge of common security frameworks and standards (e.g. NCSC Cyber Essentials, ISO 27001, NIST, SOC 2).

Highly Desirable

  • ISO 27001 Lead Implementer or Lead Auditor certification, or hands-on experience leading an ISO 27001 certification programme.
  • Experience in a regulated sector — financial services experience or working with FCA-regulated businesses is a strong plus.
  • Relevant certifications: CISSP, CISM, CEH, OSCP, or similar.
  • Experience managing a security function within a technology product company rather than a traditional IT environment.

How you work

  • Pragmatic over theoretical: you make risk-based decisions rather than applying controls mechanically.
  • Technically curious: you keep up with the threat landscape because you find it interesting, not just because you have to.
  • Clear communicator: able to adjust your register from board-level risk conversation to deep-dive with an engineer.
  • Autonomous: you are comfortable setting your own direction and do not need to be told what to look at next.
  • AI-literate: you actively use AI tools in your own work and have views on how they change both the security landscape and the way security practitioners should operate.

What You’ll Join

Fintel Group is at an inflection point, growing its technology capability, modernising its data infrastructure, and investing seriously in engineering culture. Security is not an afterthought here: we already have Cyber Essentials Plus and active MDR capabilities through Rapid7. This role exists because we want to go further, faster, with someone who has genuine ownership and the authority to drive it. You will work alongside a CTO who thinks in systems, values technical depth, and will support you in building the programme properly. You will have the ear of the board and the trust of the IT and engineering teams. The role is new in its current form, so you will have the opportunity to shape it.

Location

We have offices from the north to the south of the UK, but our new London office near Farringdon would be the ideal hub to collaborate with the team. This role can be hybrid, based in the London office 3 days/week, or fully remote for the right candidate.

Right to Work

Applicants must already hold a legal right to work in the UK without time restrictions and without the need for future sponsorship. We are unable to provide Skilled Worker visa sponsorship.

Equal Opportunity

Fintel plc and all the businesses within it adopt a zero-tolerance approach to discrimination on any of the protected grounds in the Equality Act 2010. We are committed to providing equal opportunities to all current and prospective employees regardless of age, disability, sex, sexual orientation, pregnancy and maternity, race or ethnicity, religion or belief, gender identity, or marriage and civil partnership. We aspire to have a diverse workforce because, in our view, diversity enables better business outcomes. We also believe that a more inclusive workplace, where people of different backgrounds work together, ensures better outcomes for all staff. From application to interview, we place inclusion at the heart of all we do.

Head of Information Security employer: Fintel

Fintel plc is an exceptional employer, offering a dynamic work culture that prioritises innovation and collaboration in the financial services technology sector. With a commitment to employee growth, you will have the opportunity to shape the information security strategy while working alongside a supportive leadership team, all within a flexible remote or hybrid environment based in London. Our focus on diversity and inclusion ensures that every voice is valued, making Fintel a truly rewarding place to advance your career.

Contact Detail:

Fintel Recruiting Team

StudySmarter Expert Advice 🤫

We think this is how you could land Head of Information Security

✨Tip Number 1

Network like a pro! Reach out to folks in the industry, attend webinars, and join relevant groups. You never know who might have the inside scoop on job openings or can put in a good word for you.

✨Tip Number 2

Prepare for those interviews! Research Fintel plc, understand their mission, and think about how your skills align with their needs. Practise common interview questions and be ready to showcase your technical expertise.

✨Tip Number 3

Showcase your passion for security! During interviews, share your thoughts on current trends in information security and how you stay updated. This will demonstrate your genuine interest and commitment to the field.

✨Tip Number 4

Don’t forget to apply through our website! It’s the best way to ensure your application gets seen by the right people. Plus, it shows you’re serious about joining the team at Fintel plc.

We think you need these skills to ace Head of Information Security

Information Security Leadership
Data Protection Strategy
Technical Security Knowledge
Penetration Testing Management
GDPR Compliance
Risk Management
Incident Response Planning
Security Frameworks Knowledge
Client Security Communication
Security Policy Development
Vulnerability Assessment
Executive-Level Communication
Cloud Infrastructure Understanding
Regulatory Compliance Experience
Security Governance

Some tips for your application 🫡

Tailor Your CV: Make sure your CV speaks directly to the role of Head of Information Security. Highlight your experience in leading security strategies and managing risk, as well as any technical skills that align with the job description.

Craft a Compelling Cover Letter: Your cover letter is your chance to shine! Use it to explain why you're the perfect fit for Fintel plc. Mention specific experiences that demonstrate your ability to own security outcomes and communicate effectively with both technical teams and the board.

Showcase Your Technical Knowledge: Don’t just list your qualifications; show us you understand the tech behind security. Discuss your familiarity with modern systems, cloud infrastructure, and how you’ve applied security controls in real-world scenarios.

Apply Through Our Website: We encourage you to apply through our website for a smoother process. It helps us keep track of your application and ensures you don’t miss out on any important updates from us!

How to prepare for a job interview at Fintel

✨Know Your Stuff

Make sure you have a solid understanding of information security principles and practices. Brush up on your knowledge of GDPR, UK Data Protection Act, and relevant financial services security obligations. Being able to discuss these topics confidently will show that you're not just familiar with the theory but can apply it in a practical context.

✨Showcase Your Technical Skills

Prepare to discuss your hands-on experience with modern systems, cloud infrastructure, and web applications. Be ready to explain how you've commissioned and interpreted penetration tests, and what steps you've taken to remediate findings. This role requires a technical foundation, so demonstrating your expertise will be key.

✨Communicate Clearly

You’ll need to convey complex security concepts to non-technical stakeholders, including the board. Practice explaining your past experiences and strategies in simple terms. Use examples that illustrate your ability to bridge the gap between technical details and business outcomes.

✨Be Ready for Scenario Questions

Expect to face scenario-based questions about incident response and risk management. Think through past incidents you've managed and be prepared to discuss your approach, the challenges you faced, and the lessons learned. This will demonstrate your practical experience and problem-solving skills in real-world situations.
