Proven track record of strategic impact at company-wide and industry-wide
Recognised internally and externally as an InfoSec expert, with evidence of
Exceptional technical and people leadership
Establishes long-term security architecture aligned to business strategy and regulatory requirements; guides enterprise technology decisions including cloud strategy and zero trust
Anticipates emerging threats, leverages AI/ML for predictive security, and sets the technology vision
Deep understanding of the GRC landscape; implements appropriate controls and adapts as the environment shifts
Develops proven solutions and replicates them across teams; designs systems and frameworks built to last
Accountable and collaborative: works with clients and colleagues to resolve complex issues and views challenges as opportunities to improve
Owns execution of security, GRC, and IT Ops strategy; ensures frameworks are scalable, adaptable, and aligned to business strategy and executive-level risk expectations
Market knowledge
Deep understanding of the security and risk landscape across fintech and beyond; adapts market knowledge to continuously improve Duco's posture
Evaluates and integrates advanced security technologies and GRC best practices; knows when to buy, adapt, or build internally
Acts as a recognised industry leader: participates in regulatory advisory groups, defines Duco's position on InfoSec maturity, and anticipates regulatory shifts before they arrive
Scope and influence
Operates across all departments; builds sponsorship for strategic initiatives and drives them through
Leads all InfoSec, GRC, and IT Ops functions with cross-functional influence across product, engineering, and compliance
Recognised outside of Duco for technology excellence; participates in industry events and shapes the wider conversation on risk and threat
Influences executive peers, board decisions, and global regulatory compliance strategy
8+ years of progressive experience in information security, with at least 3 years in a senior or leadership role
Hands-on experience owning ISO 27001 and SOC 1 and SOC 2 programmes, not just supporting them
Demonstrated experience managing security incidents end-to-end, including client and regulatory communications
Strong understanding of cloud security, particularly AWS, including IAM, logging, and observability infrastructure
Experience operating in a B2B SaaS or fintech environment, with exposure to enterprise client security requirements
Track record of building and managing TPRM programmes at scale
Excellent stakeholder management skills; comfortable presenting to the board and to client security teams in equal measure
Ability to make pragmatic decisions based on company culture and risk appetite
Strong written communication skills: able to translate complex security topics into clear, plain-language communications for non-technical audiences
Experience leading and developing a small, high-performing team
Familiarity with AI governance and the security implications of agentic AI systems
What the job involves
We are looking for a Head of Information Security to own our end-to-end security posture, govern our risk and compliance programme, and lead our IT Operations function. This is a VP-level role with company-wide scope
With approximately 200 employees across London, New York, Wroclaw, Antwerp, and Singapore, we move fast, build with purpose, and hold ourselves to a high bar. As we scale, information security, governance, and IT operations sit at the heart of that ambition
Define security architecture standards and lead threat modelling across the organisation
Establish and maintain long-term security architecture aligned to business strategy and regulatory requirements
Guide technology decisions at an enterprise level, including cloud strategy and zero trust adoption
Oversee penetration testing, DLP, and advanced threat detection programmes
Own the vulnerability management programme
Implement enterprise frameworks including IAM, SIEM, and data classification
Anticipate emerging threats, leverage AI/ML for predictive security, and set the technology vision
Lead the Security Incident Response Programme
Define and own the GRC programme, including the ISMS, policy framework, risk registers, and audit readiness
Implement and maintain compliance with ISO 27001, SOC 1, SOC 2, NIST CSF, GDPR, and relevant financial services regulations
Understand the GRC landscape, implement appropriate controls, and adapt as the threat and regulatory environment shifts
Own execution of GRC strategy across the organisation; ensure frameworks are scalable and adaptable
Own the Third Party Risk Management (TPRM) programme, including vendor assessments and ongoing oversight
IT operations
Define and own the IT Operations programme, setting strategy and standards for the function
Own execution of IT Operations strategy; ensure frameworks are scalable and adaptable as Duco grows
Ensure operational excellence across infrastructure, tooling, and end-user support
Leadership and stakeholder management
Lead, mentor, and develop a high-performing team across InfoSec, GRC, and IT Ops
Build strategic relationships with clients, regulators, and internal stakeholders
Engage effectively with large, complex, and multi-national enterprise clients that have mission-critical operations requirements, building trust and credibility at the most senior levels
Recognise, influence, and resolve critical issues that may affect company direction
Create strategies that cross organisational boundaries to achieve broad business goals
Work with industry peers and working groups to develop solutions that benefit the wider market
Enterprise Client Assurance: Act as a key partner to Duco's Client Success and Pre-Sales teams. This involves speaking directly with the CISOs and security teams of global financial institutions to assure them of Duco's risk management and data privacy practices