
Head of Information Security - Europe

London
Trayport
Head of information security
Posted: 17h ago
Offer description

Job Description

The Role


The Head of Information Security, Europe reports directly to the Chief Information Security Officer, TMX Group and has a dotted line reporting relationship to the Chief Technology Officer, Trayport.

The Head of Information Security will be responsible for defining, implementing, and managing the organization's information security strategy and framework for Europe. This critical role involves overseeing all aspects of information security, including a strong focus on application security, ensuring compliance with ISO27001 standards, financial services regulations, and other relevant legal and contractual requirements.

As a senior leader of the Enterprise Information Security team, the role will also be accountable for providing information security oversight through leadership and guidance across the TMX Group.

The successful candidate will be a strategic leader with a strong technical background, including deep application security knowledge, and the ability to effectively communicate security risks and requirements across all levels of the business.


Key Responsibilities


* Information Security Strategy and Governance: Develop, implement, and maintain a comprehensive information security strategy aligned with business objectives and risk tolerance. Establish and enforce information security policies, procedures, and standards in accordance with ISO27001, customer requirements, relevant legislation, and application security best practices.
* Communication: Develop and maintain an organization-wide security culture. Build and implement a company-wide communication strategy to promote information security, including application security, within the organization.
* Team Leadership and Development: Lead and develop the Information Security team. Recruit, retain, and develop talent and expertise, including application security specialists. Set and maintain the team’s culture and tone.
* Business Continuity and Disaster Recovery: Contribute to the development and testing of business continuity and disaster recovery plans from an information security perspective, including considerations for application security.
* Security Monitoring and Incident Response: Establish and maintain processes for continuous security monitoring and detection of security events, including application-specific security events. Lead the investigation and resolution of security incidents, including those related to application vulnerabilities, root cause analysis, and implementation of corrective actions.
* Reporting: Provide regular reports on the organization's security posture (including application security vulnerabilities and risks), risks, and compliance status to the Trayport Board, other internal sub-Boards, and relevant stakeholders.
* Compliance and Assurance: Ensure ongoing compliance with ISO27001 certification requirements, including managing audits, reviews, and continual improvement of the Information Security Management System (ISMS). Stay abreast of and ensure adherence to regulations (e.g., GDPR, NIS2, DORA) and other relevant legal and contractual obligations, as well as application security standards.
* Risk Management: Lead the information security risk management process, including identification, assessment, treatment, and monitoring of risks, with a particular emphasis on application security risks. Conduct regular risk assessments and vulnerability analyses of systems, applications, and infrastructure.
* Security Operations: Oversee the management of security technologies and controls, including, but not limited to, firewalls, intrusion detection/prevention systems, security information and event management (SIEM), data loss prevention (DLP), vulnerability management tools, and application security testing tools.
* Secure Software Development Lifecycle (SSDLC): Integrate security best practices into the software development lifecycle. Work closely with development teams to ensure secure coding practices, conduct comprehensive security testing (e.g., penetration testing, vulnerability scanning, application security reviews), and promote a security-aware development culture with a strong application security focus.
* Third-Party Risk Management: Develop and implement a program for assessing and managing the information security risks, including application security risks, associated with third-party vendors and service providers.
* Security Awareness and Training: Develop and deliver information security awareness training programs for all employees to foster a security-conscious culture, including specific training on application security best practices.


General Responsibilities

* Act as the primary point of contact for all information security matters.
* Advise the business on information security best practices and the potential impact of emerging threats.
* Collaborate with IT, legal, compliance, and other departments to ensure a cohesive approach to risk management and security.
* Manage the information security budget and resources effectively.
* Participate in relevant industry forums and stay updated on the latest security trends and technologies.


Required Qualifications and Skills:

* Proven experience in a senior information security role, preferably within financial services or a similarly regulated industry.
* Demonstrable experience in implementing and managing an ISMS aligned with ISO27001, including successful participation in certification audits.
* Strong understanding of financial services regulations and their impact on information security.
* In-depth knowledge of information security frameworks, standards, and best practices (e.g., NIST, CIS).
* Experience with secure software development practices and application security testing.
* Strong technical understanding of network security, system security, and security architecture.
* Experience with risk management methodologies and tools.
* Excellent communication, presentation, and interpersonal skills, with the ability to articulate technical concepts to non-technical audiences.
* Proven leadership and team management skills.
* Relevant professional certifications such as CISSP, CISM, ISO 27001 Lead Implementer or Lead Auditor are highly desirable.


Desirable Attributes:

* Experience with cloud security principles and practices.
* Familiarity with agile development methodologies.
* Experience in a software development environment.
* Strong analytical and problem-solving skills.


This is a challenging and rewarding opportunity for a seasoned information security professional to make a significant impact in a growing and security-conscious organisation within the financial services sector.
