Our client is a globally leading FinTech business looking for a senior Information Security/GRC professional based in Luxembourg to:

• 50% support the EMEA regional team with security strategy, risk management, and security compliance initiatives
• 50% support the local Luxembourg entity with CSSF regulatory compliance, DORA implementation, and local security operations

Reporting to the EMEA CISO, this critical role will be responsible for developing and maintaining their comprehensive information security governance, risk, and compliance framework in alignment with CSSF regulations, DORA requirements, and international standards. The successful candidate will play a pivotal role in ensuring their digital operational resilience and protecting their financial services infrastructure.

Key responsibilities:

1. Information Security Strategy & Governance

• Develop and maintain the information security strategy, ensuring alignment with business objectives and regulatory requirements
• Establish and oversee the information security governance framework, including policies, standards, and procedures
• Lead the Information Security Committee and provide regular reporting to senior management

2. Regulatory Compliance Management

• DORA Compliance: Ensure full compliance with the Digital Operational Resilience Act (DORA) requirements, including ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management
• CSSF Regulations: Maintain compliance relevant Luxembourg financial regulations
• Industry Standards: Ensure adherence to applicable financial industry standards
• EBA (European Banking Authority) guidelines and technical standards

3. Risk Management Framework

• Identify, assess, and prioritize security risks across the organization
• Develop and implement comprehensive risk mitigation strategies and action plans
• Conduct regular ICT risk assessments and oversee the annual report preparation
• Implement and maintain a robust third-party vendor security risk management program

4. Digital Operational Resilience

• Design and implement the DORA-compliant ICT risk management framework
• Plan and execute digital operational resilience testing programs, including threat-led penetration testing
• Establish and maintain incident response capabilities aligned with DORA incident reporting requirements
• Implement continuous security monitoring and threat detection capabilities

5. Security Architecture & Technology

• Good understanding of Technology and Security architectural designs
• Good understanding of SIEM, DLP, Endpoint Security

6. Security Awareness & Culture

• Oversee and deliver Security awareness and training programs
• Foster a security-conscious culture throughout the organization
• Provide security guidance and support to business units and technical teams

7. Audit & Regulatory Engagement

• Act as the primary contact point for IT security audits, inspections, and regulatory examinations
• Coordinate responses to regulatory inquiries and implement corrective actions
• Maintain relationships with CSSF and other regulatory authorities

Job requirements and expectations:

• Experience: 5+ years in information security management roles as Security GRC Lead, or equivalent position in the financial services industry (ideally FinTech). A background in both consulting and industry is advantageous.
• Technical Background: Strong technical foundation in cloud security, IT infrastructure, and application security
• Regulatory Expertise:

DORA (Digital Operational Resilience Act) and its implementation requirements

CSSF regulations, including Circular 25/880 on ICT security and risk management

PSD2-SCA, PCI-DSS, SWIFT CSP, and other financial industry standards

ISO27001 and NIST cybersecurity frameworks

Technical Skills

• Cloud Security: Good background of Cloud Security controls and best practices
• Security Technologies: Good Knowledge of SIEM, EDR, vulnerability management, and identity management solutions
• Architecture: Understanding Security architectures
• Emerging Technologies: Knowledge of AI security.

Professional Competencies

• Leadership: Proven ability to lead security initiatives and influence stakeholders at all levels
• Communication: Excellent presentation and communication skills, with experience presenting to Risk Management Committees, Board of Directors, and regulatory bodies
• Problem-Solving: Strong analytical and decision-making abilities in complex regulatory environments
• Project Management: Experience managing security projects and compliance initiatives