Chief Information Security Officer (CISO) - London

We are seeking an experienced Chief Information Security Officer to lead our information security programme. Reporting directly to the CTO, you will be accountable for protecting Sokin's systems, data, and reputation across our global operations. This is a hands-on leadership role requiring someone who can operate strategically whilst remaining technically engaged. You will build and lead the security function, establish security governance, and ensure compliance with regulatory requirements across FCA, PCI-DSS, and international data protection frameworks.

Sokin is a next-generation B2B financial services provider, enabling businesses to make and receive global payments with greater speed, lower cost, and total transparency. Our mission is simple: we’re simplifying global business - so businesses thrive wherever they choose to grow.

Key Responsibilities:

• Security Strategy & Governance: Define and execute the enterprise information security strategy aligned with business objectives. Establish and maintain the Information Security Management System (ISMS) to support constant certification readiness with PCI DSS, ISO 27001 and SOC2. Own security policies, standards, and procedures across the organisation. Report to the Board and senior leadership on security posture, risk exposure and programme maturity. Manage security budget and resource allocation.
• Risk & Compliance: Lead enterprise security risk assessments and maintain the infosec item on the risk register. Ensure compliance with FCA operational resilience requirements and SYSC guidelines. Maintain PCI-DSS Level 1 compliance across payment processing infrastructure. Oversee GDPR, UK Data Protection Act, and international privacy compliance. Manage relationships with external auditors, penetration testers, and regulatory bodies. Lead third-party vendor security assessments and due diligence.
• Security Operations: Build and lead the Security Operations Centre (SOC) function. Establish incident response capabilities and lead major security incident management. Implement and manage SIEM, EDR, vulnerability management, and threat intelligence platforms. Oversee identity and access management (IAM) strategy and privileged access management (PAM). Drive security monitoring and alerting across cloud and on-premise infrastructure.
• Application & Cloud Security: Embed security into the SDLC through secure development practices and DevSecOps. Lead application security programme including SAST, DAST, SCA, and code review processes. Secure AWS cloud infrastructure using native and third-party security tooling. Ensure secure API design and implementation for payment integrations. Manage secrets management, encryption standards, and key management practices.
• Business Continuity & Resilience: Own business continuity and disaster recovery planning from a security perspective. Lead security aspects of operational resilience testing and scenario planning. Ensure adequate backup, recovery, and failover capabilities for critical systems.
• Culture & Awareness: Build security awareness programme including phishing simulations and training. Foster a security-conscious culture across engineering, product, and business teams. Recruit, develop, and retain security talent.

Requirements:

• Experience: 10+ years in information security with 5+ years in senior security leadership roles. Experience in regulated financial services (payments, banking, or fintech). Track record of building and leading security teams in scale-up environments. Experience with FCA regulation, PCI-DSS compliance, and financial services audits. Hands-on experience with security incident response and crisis management.
• Technical Expertise: Deep knowledge of AWS security services (GuardDuty, Security Hub, WAF, KMS, CloudTrail, Config). Experience with containerised environments (EKS/Kubernetes) and serverless security. Strong understanding of network security, zero trust architecture, and micro-segmentation. Proficiency with SIEM platforms (Splunk, Datadog Security, or equivalent). Knowledge of application security tools: Wiz, SonarQube, Burp Suite, OWASP ZAP. Experience with IAM solutions (Auth0, Azure AD) and PAM tools (CyberArk, ConductorOne, Hashicorp). Understanding of cryptographic standards, HSMs, and payment security (tokenisation, encryption). Familiarity with infrastructure-as-code security (Terraform, CloudFormation).
• Leadership & Communication: Ability to translate technical risk into business terms for Board and executive audiences. Experience presenting to regulators and managing regulatory relationships. Strong written communication for policies, procedures, and risk reporting. Ability to influence without authority across engineering and business functions.
• Nice to Have: CISSP, CISM, or CISA certification. Experience with cross-border payments, FX, or correspondent banking security. Knowledge of SWIFT security controls and messaging standards. Familiarity with Open Banking and PSD2 security requirements. Experience with fraud detection and prevention systems. Bug bounty programme management experience. Blockchain or digital asset security knowledge. Experience managing security across distributed teams (London, Belgrade).

Technology Environment:

You will be securing an environment that includes: AWS (K8S, Lambda, RDS, S3, API Gateway), PostgreSQL, Redis, monolith-to-microservices architecture, CI/CD pipelines (GitHub Actions), Terraform, Grafana, and integrations with banking partners, card networks, and payment rails.

What We Offer:

• Competitive salary and equity participation
• Hybrid working with flexibility
• Private healthcare
• Pension contribution
• Professional development budget
• Opportunity to shape security strategy at a high-growth fintech

How to Apply:

Submit your CV and a brief covering letter explaining your relevant experience in regulated financial services security. We are particularly interested in hearing about security programmes you have built or transformed.

Please note, candidates will need to have the right to work in the jurisdiction that they are looking to work in. The main responsibilities of this role are outlined above; however, this description is not exhaustive, and the job holder may be required to undertake additional duties from time to time to ensure the smooth running of the department. The role may require some working outside our normal working hours.

Department: Technology

Locations: London

Remote status: Hybrid