Head of information security risk in Edinburgh

Hybrid role to be based in our Edinburgh or London office.

About us

Seccl is the Octopus-owned embedded investment platform that is on a mission to help more people to invest - and invest well. We are B-Corp certified with an amazing product-market fit, impressive early traction and the potential to transform an outdated industry for the better. We have been growing fast and will scale even faster over the next few years. We are also proud to be part of Octopus, the £multi billion group that is on a mission to breathe new life into broken industries.

The role

Reporting into the Chief Risk Officer (CRO), the Head of Information Security Risk role is responsible for the day-to-day management and continual improvement of the Information Security Management System (ISMS). You will be responsible for designing, implementing, and monitoring Seccl's ISMS. You will also provide second line oversight of all security activities at Seccl.

On a typical day you will be:

• Shaping and driving our information security strategy alongside the CRO and executive team, ensuring security enables - not slows - our growth.
• Partnering with Risk to define and embed our security risk appetite, making smart, commercially aware decisions in a fast-moving environment.
• Evolving and strengthening our ISMS, continuously improving policies, controls and processes as we scale.
• Owning oversight of third party security reviews and customer due diligence, helping us move quickly while maintaining high standards.
• Turning security metrics and risk insights into clear, actionable reporting for senior leadership and governance forums.
• Leading internal audits and control effectiveness reviews, including ISO 27001/27002 controls, with a focus on pragmatism and continuous improvement.
• Driving resilience across the business - from business continuity and disaster recovery testing to hands-on incident oversight and lessons learned.
• Acting as our Data Protection Officer, championing GDPR compliance, advising on DPIAs and confidently engaging with regulators and data subjects when needed.

This role's for you if:

• You hold current CISSP certification.
• You bring significant experience leading Information/Cyber Security in a regulated environment.
• You have operated within ICO regulated environments and understand the practical realities of GDPR compliance.
• You have strong working knowledge of risk methodologies, security frameworks and industry standards.
• You are comfortable with modern cloud technologies and understand the security considerations that come with them.
• You are a certified ISO 27001 Lead Auditor and/or Implementer, with hands-on experience applying the standard in practice.
• You have a solid technical foundation in IT or security, allowing you to engage credibly across engineering and leadership teams.

This role isn’t for you if:

• You rely on a lot of top-down direction.
• You are not comfortable working in a fast-paced environment.
• You struggle to follow through on ideas.
• You don’t like change.

What’s in it for you

We offer a generous mix of benefits for the things that really matter to our people, including:

• A salary between £110,000 and £130,000 - dependant on experience + reviewed annually.
• 27 days holiday + bank holidays (some can be flexible) + day off on your birthday + three days (full time) per year for Dependant leave.
• Two volunteering days per year.
• Option to work abroad for up to six weeks a year.
• Secclbrate - our recognition programme that offers a mix of flexible rewards including extra pay, additional holiday and increased learning budget.
• Length of service award - one month paid sabbatical at eight years.
• 6% employer pension contribution, and life assurance.
• Private medical insurance with AXA Health.
• Enhanced Parental leave.
• MacBook and up to £500 home office set up budget.
• £750 per person learning budget.
• Health and wellbeing initiatives including free therapy via Wellness Cloud, mental health support via Headspace.
• Strong financial wellbeing focus including access to Octopus Money, Octopus Share Incentive Plan and will writing offering via Octopus Legacy.
• Perkbox - Flexi points giving you a range of discounts and perks including free weekly coffee, gym and retail discounts.
• Access to initiatives like Cycle to Work and Octopus Electric Vehicle Leasing.

Our culture

We are proud to put people first, creating a culture where we truly listen to what matters most to them. Our transparent and inclusive environment encourages diversity of thought, challenge and experimentation.

Interview process

Interviewing is a two-way thing, and we want you to have the time and opportunity to get to know us, as much as we are getting to know you. Our interviews are conversational, so come with questions and be curious. In general, you can expect the interview process to look a bit like this:

• First stage - 45 mins competencies based interview with the hiring manager and Head of operational resilience.
• Second stage - one hour technical interview or assessment with the hiring manager and current Head of information security risk.
• Final stage - 45 mins bar raiser culture based interview with the CTO and Operations director.

We will only close this role once we have enough applications for the next stage. Please submit your application as soon as possible to make sure you don’t miss out and you should expect to hear back from us within one to two weeks of applying.

Our aim is to build a diverse and inclusive company of awesome people, with unique skills, passions and experiences. All applicants will be considered for employment without attention to age, ethnicity, religion, sex, sexual orientation, gender identity, family or parental status, national origin, or veteran, neurodiversity or disability status. If this sounds like your kind of thing, we encourage you to apply even if you don’t tick every box.

We would love to hear from you!