Anyfin

Information Security Officer

Anyfin
Sweden · Other · Not Applicable

About Anyfin

Anyfin is a fintech on a mission to challenge the status quo, lowering interest rates, removing unnecessary fees, and helping people take control of their finances. With more than a million app downloads across Sweden, Norway, Finland, and Germany, we've helped hundreds of thousands of people save money.

We recently obtained our banking license, which means new opportunities and new responsibilities. We're looking for someone to own security and help us meet regulatory requirements (including DORA) without drowning in bureaucracy.

Your mission

This is a hands-on generalist role where you’ll own Anyfin’s security posture across governance, technical security, and operations. But you won’t do it in isolation: you’ll have support from legal, compliance, and engineering. Your job is to coordinate, drive, and make sure things actually happen.

Some areas require your depth (security governance, technical security practices). Other areas require you to coordinate and oversee (incident response, vendor security, training). We’re looking for someone who’s comfortable with that mix and pragmatic about where to focus.

This is not a “build a security empire” role. It’s roll-up-your-sleeves work: drafting policies that make sense, running access reviews, helping out in GCP, and making sure we’re genuinely secure and not just compliant on paper.

What you’ll do

Security is a top priority for Anyfin right now, not “someday”. With a banking license in place and new regulatory requirements (including DORA), this role will be central to making sure we scale in a secure, resilient, and pragmatic way.

You’ll own and drive the full security agenda across three core areas:

1) Governance & compliance (done pragmatically)

You’ll make sure we have the right foundations in place, such as policies, routines, documentation, and reporting, without creating unnecessary overhead. This includes:

  • Drafting and maintaining security policies, instructions, and routines that meet both operational and regulatory requirements

  • Internal and external reporting

  • Staying on top of DORA and relevant frameworks (with support from legal/compliance)

  • Maintaining the Registry of Information and supporting risk assessments, including NPAP

  • Preparing for and following up on audits

2) Technical security (not just compliance on paper)

You’ll work closely with engineering to ensure our security practices are real, working, and continuously improving, not something that just looks good in a document. This includes:

  • Making sure we’re actually secure, not just compliant

  • Defining and enforcing technical security practices together with engineering

  • Helping implement changes where needed (hands-on when it matters)

  • Supporting or owning IAM and access administration

3) Security operations (prepared, tested, and running)

You’ll coordinate the operational side of security and make sure we stay on top of risks, incidents, and third parties as we grow. This includes:

  • Running access reviews and ensuring follow-up and remediation

  • Commissioning penetration tests, reviewing results, and making sure findings are addressed

  • Operational support on ICT risks, including risk assessments

  • Leading incident response when things go wrong — and making sure we’re prepared before they do

  • Driving security awareness and building a security-conscious culture

  • Overseeing vendor and supply chain security assessments

  • Supporting business continuity and disaster recovery planning

  • Providing training

What we're looking for

We’re looking for someone with 5–8 years of experience in security roles and a strong technical foundation (security engineering, DevSecOps, infrastructure security, or similar). You have hands-on cloud security experience (GCP preferred) and are familiar with security frameworks such as ISO 27001, SOC 2, or similar.

You’re able to translate regulatory requirements into pragmatic processes that work in the real world, and you communicate clearly and confidently across the organisation. You’re also comfortable being a generalist and the only dedicated ICT security person, while still believing that security is everyone’s responsibility here.

Nice to have: experience in financial services or with DORA/EBA guidelines, experience with Google Cloud Security Command Center, and the ability to read and review code.

Why Anyfin?
  • A real challenge: help a newly licensed bank get security right during a critical growth phase

  • Autonomy and ownership — no security theatre, just meaningful work

  • A collaborative culture where security is seen as an enabler, not a blocker

  • Competitive compensation, a central Stockholm office, and the usual perks

  • We work from the office in Stockholm four days a week

 

Key Skills

Ranked by relevance

security practices, incident response, cloud security, cloud, gcp
Posted: Jan 26, 2026
Type: Other
Level: Not Applicable
Location: Stockholm
Company: Anyfin

Industries: Financial Services

Categories: Information Technology
