Lead Information Security

Hamilton
Remote

About The Position

We’re looking for a Lead Information Security professional. This is a U.S.-based role within the Eastern Standard Time Zone, reporting to Hamilton’s global Chief Information Security Officer. The Lead Information Security professional provides leadership and subject-matter expertise across the organization’s information and cyber security function. This role has a strong regulatory, governance, and operational resilience focus, ensuring the organization meets its obligations under ISO/IEC 27001, ISO 22301, DORA, FCA/PRA, and NYDFS, alongside other applicable global regulatory and supervisory requirements. The role holder is central to shaping security strategy, influencing risk decisions, and ensuring security and resilience are embedded across technology, business, and third-party operations.

Requirements

  • Extensive senior experience as an information security leader or senior information security professional in complex, regulated environments.
  • Deep practical experience with ISO/IEC 27001 (ISMS design, implementation, and assurance).
  • Strong experience with ISO 22301 and operational resilience frameworks.
  • Demonstrable experience delivering or governing compliance with DORA.
  • Strong understanding of FCA and PRA supervisory expectations related to cyber security, technology risk, and operational resilience.
  • Experience with NYDFS Cybersecurity Regulation (23 NYCRR 500) or equivalent international frameworks.
  • Proven ability to engage confidently with regulators and auditors.
  • Strong ability to translate complex technical and regulatory issues into clear business risk decisions.
  • High integrity with strong ethical judgement.
  • Calm, authoritative presence in high-pressure or regulatory situations.
  • Excellent written and verbal communication skills.
  • Confident, pragmatic leader with the ability to challenge constructively.
  • Team player and business goals oriented.

Nice To Haves

  • Background in financial services, banking, insurance, payments, or other highly regulated sectors.
  • Experience leading regulatory remediation, control uplift, or transformation programs.
  • Exposure to cloud security governance and complex third-party ecosystems.
  • Degree in Information Security, Computer Science, Risk Management, or equivalent experience.
  • CISSP certification is strongly preferred.
  • Equivalent certifications such as CISM, CRISC, or ISO 27001 Lead Implementer/Lead Auditor are also highly desirable.

Responsibilities

  • Lead and maintain the organization’s information security governance framework, aligned to ISO/IEC 27001, including policies, standards, and control frameworks.
  • Provide alignment between the cyber security program and ISO 22301.
  • Drive compliance with DORA (Digital Operational Resilience Act), including ICT risk management, incident reporting, resilience testing, and third-party oversight.
  • Ensure ongoing alignment with Lloyd's of London, FCA and PRA regulatory expectations, including operational resilience, outsourcing, and technology risk management.
  • Oversee compliance with NYDFS Cybersecurity Regulation (23 NYCRR 500) where applicable.
  • Monitor emerging regulatory requirements and translate them into actionable security and resilience initiatives.
  • Act as a senior point of contact for regulators, auditors, and external assessors, supporting regulatory reviews, audits, and formal submissions.
  • Provide leadership for enterprise information and cyber security risk management.
  • Support the definition and maintenance of security risk appetite, tolerances, and risk acceptance processes.
  • Review and challenge security risk assessments for critical systems, cloud platforms, major change programs, and third-party arrangements.
  • Oversee security control assurance, testing, and remediation tracking.
  • Produce clear, risk-focused reporting for executive management, risk committees, and the Board.
  • Provide oversight of cyber incident management, ensuring compliance with regulatory notification and reporting requirements (e.g. DORA, FCA, NYDFS).
  • Act as a decision-maker during major incidents, crisis situations, and cyber events.
  • Ensure regular testing of incident response, crisis management, and business continuity plans, with lessons learned embedded into practice.
  • Oversee third-party and supply-chain security risk management, including due diligence, contractual controls, and ongoing monitoring.
  • Ensure compliance with regulatory expectations for outsourcing, material third parties, and ICT service providers, particularly under DORA and FCA/PRA rules.
  • Work closely with Legal, Vendor Management/Procurement, and Risk functions to embed security and resilience requirements into contracts and operating models.
  • Provide leadership across the information security function.
  • Build strong relationships within Information Technology, Risk, Compliance, Legal, Internal Audit, and Business leadership.
  • Promote a strong security, resilience, and risk-aware culture across the organization.

Benefits

  • Hybrid working
  • Matching 401K plan
  • Medical, dental, vision, life, disability
  • Generous time off (including parental leave)
  • Continued support for professional development
  • Gym subsidy
  • My day (additional days leave for personal interests/wellness/charity work)