Hybrid role to be based in our Edinburgh or London office.
About Us
Seccl is the Octopus-owned embedded investment platform that's on a mission to helping more people to invest – and invest well.
We're B-Corp certified with an amazing product-market fit, impressive early traction and the potential to transform an outdated industry, for the better. We've been growing fast and will scale even faster over the next few years.
We're also proud to be part of Octopus, the £multi billion group that's on a mission to breathe new life into broken industries, through companies like Octopus Energy, Octopus Investments and Octopus Money.
Check out the Seccl website for the latest on our products and our mission to shape the future of investments.
The role
Reporting into the Chief risk officer (CRO), the head of information security risk role is responsible for the day to day management and continual improvement of the information security management system (ISMS). You will be responsible for designing, implementing, and monitoring Seccl's Information Security Management System (ISMS). You will also provide second line oversight of all security activities at Seccl.
On a typical day you will be…
Shaping and driving our information security strategy alongside the CRO and executive team, ensuring security enables - not slows - our growth.
Partnering with Risk to define and embed our security risk appetite, making smart, commercially aware decisions in a fast-moving environment.
Evolving and strengthening our ISMS, continuously improving policies, controls and processes as we scale.
Owning oversight of third-party security reviews and customer due diligence, helping us move quickly while maintaining high standards.
Turning security metrics and risk insights into clear, actionable reporting for senior leadership and governance forums.
Leading internal audits and control effectiveness reviews, including ISO 27001/27002 controls, with a focus on pragmatism and continuous improvement.
Driving resilience across the business — from business continuity and disaster recovery testing to hands-on incident oversight and lessons learned.
Acting as our Data Protection Officer, championing GDPR compliance, advising on DPIAs and confidently engaging with regulators and data subjects when needed.
This role's for you if...
You hold current CISSP certification.
You bring significant experience leading Information/Cyber Security in a regulated environment.
You've operated within ICO-regulated environments and understand the practical realities of GDPR compliance.
You have strong working knowledge of risk methodologies, security frameworks and industry standards.
You're comfortable with modern cloud technologies and understand the security considerations that come with them.
You're a certified ISO 27001 Lead Auditor and/or Implementer, with hands-on experience applying the standard in practice.
You have a solid technical foundation in IT or security, allowing you to engage credibly across engineering and leadership teams.
This role isn't for you if...
You rely on a lot of top-down direction. Here, you'll have a lot of freedom and ownership of your role, and you'll be expected to shape your own progression
You're not comfortable working in a fast-paced environment. Our speed and scalability are what set us apart; you need to be able to act quickly and think on your feet
You struggle to follow through on ideas. We value people who do what they say they will. If you care about something, you have the freedom here to make it happen
You don't like change. You'll get on great here if you relish the ambiguity of rapid growth and are willing to embrace uncertainty
What's In It For You…
We offer a generous mix of benefits for the things that really matter to our people, including:
A salary between £110,000 and £130,000 – dependant on experience + reviewed annually
27 days holiday + bank holidays (some can be flexible) + day off on your birthday + three days (full time) per year for Dependant leave
Two volunteering days per year
Option to work abroad for up to six weeks a year
Secclbrate - our recognition programme that offers a mix of flexible rewards including extra pay, additional holiday and increased learning budget
Length of service award – one month paid sabbatical at eight years
6% employer pension contribution, and life assurance
Private medical insurance with AXA Health
Enhanced Parental leave
MacBook and up to £500 home office set up budget
£750 per person learning budget
Health and wellbeing initiatives including free therapy via Wellness Cloud, mental health support via Headspace
Strong financial wellbeing focus including access to Octopus Money, Octopus Share Incentive Plan and will writing offering via Octopus Legacy
Perkbox – Flexi-points giving you a range of discounts and perks including free weekly coffee, gym and retail discounts
Access to initiatives like Cycle to Work and Octopus Electric Vehicle Leasing
Our culture
We're proud to put people first, creating a culture where we truly listen to what matters most to them. Our transparent and inclusive environment encourages diversity of thought, challenge and experimentation.
Check out our Glassdoor page for the latest reviews or our LinkedIn for company updates and insights from the team.
Interview process
Interviewing Is a Two-way Thing, And We Want You To Have The Time And Opportunity To Get To Know Us, As Much As We Are Getting To Know You. Our Interviews Are Conversational, So Come With Questions And Be Curious. In General, You Can Expect The Interview Process To Look a Bit Like This, (following An Initial Chat With One Of Our Talent Team)
First stage – 45 mins competencies-based interview with the hiring manager and Head of operational resilience
Second stage – one-hour technical interview or assessment with the hiring manager and current Head of information security risk
Final stage – 45 mins bar-raiser culture-based interview with the CTO and Operations director
We'll only close this role once we have enough applications for the next stage. Please submit your application as soon as possible to make sure you don't miss out and you should expect to hear back from us within one to two weeks of applying.
Our aim is to build a diverse and inclusive company of awesome people, with unique skills, passions and experiences. All applicants will be considered for employment without attention to age, ethnicity, religion, sex, sexual orientation, gender identity, family or parental status, national origin, or veteran, neurodiversity or disability status.
If this sounds like your kind of thing, we encourage you to apply even if you don't tick every box. We'd love to hear from you