Chief Information Security Officer
TodaPay is an international fintech company operating in the digital payments and financial infrastructure space across multiple jurisdictions. We support high-growth payment operations with multi-currency transactions, crypto payments, and complex corporate structures.
We are looking for a detail-oriented and proactive Accountant to join our Finance team and support core accounting operations, financial reporting, payroll processing, and coordination with external accountants and auditors across jurisdictions.
The Chief Information Security Officer (CISO) is the C-suite executive accountable for information security, cyber resilience, and corporate IT operations across the group. Operating in a regulated, multi-jurisdictional PSP and fintech environment spanning card acquiring & gateway, card issuing / BaaS, and crypto / Web3 payment rails, the CISO defines and executes the enterprise security strategy, safeguards cardholder data, customer funds, private keys, and proprietary platforms, and ensures continuous compliance with PCI DSS, PSD2/SCA, GDPR, DORA, NIS2, MiCA, SOC 2, ISO 27001, FCA/EBA expectations, and equivalent requirements in other operating jurisdictions. In addition to leading security, the CISO owns corporate IT (internal infrastructure, endpoints, identity, productivity tooling, and IT service delivery) and drives its modernization in lockstep with business growth.
Key Responsibilities:
Security Strategy & Governance
• Define, own, and execute the multi-year information security and cyber resilience strategy aligned with business growth, product roadmap, and regulatory obligations.
• Establish and maintain the Information Security Management System (ISMS) based on ISO 27001, NIST CSF, and PCI DSS control frameworks.
• Report security posture, risks, incidents, and investment needs to the CEO, Executive Committee, and Board on a regular cadence.
• Set and enforce enterprise security policies, standards, and acceptable use across all business units.
Regulatory Compliance & Risk Management
• Maintain continuous compliance with PCI DSS Level 1, PSD2/SCA, GDPR, DORA, NIS2, MiCA (for crypto activity), SOC 1/SOC 2 Type II, ISO 27001/27017/27018, and EBA/FCA guidelines, plus equivalent obligations in other operating jurisdictions.
• Own the security risk register, third-party / vendor risk program, and risk treatment plans; ensure alignment with enterprise risk management and the CRO.
• Lead external and internal audits, QSA assessments, penetration tests, and regulatory examinations; remediate findings within agreed timelines.
• Oversee the data protection program in coordination with the DPO, including DPIAs, data residency, cross-border transfers, and breach notification procedures.
Cybersecurity Operations & Engineering
• Operate a 24/7 Security Operations Center (SOC) covering threat detection, monitoring, incident response, digital forensics, and threat intelligence across acquiring, issuing, and crypto rails.
• Lead the response to security incidents, payment fraud events, account takeover, and data breaches; act as the primary executive interface with regulators (FCA, EBA, national CAs), card schemes, acquirers, and law enforcement during incidents.
• Mature vulnerability management, red/purple teaming, and threat hunting across multi-cloud (AWS/GCP/Azure), Kubernetes, on-prem, PCI cardholder data environments (CDE), and crypto custody/HSM enclaves.
• Drive Zero Trust architecture, network segmentation, cryptography/HSM/key management, tokenization, secrets management, and secure key ceremonies for crypto custody.
Cloud, DevSecOps & Product Security
• Embed Security-by-Design and Privacy-by-Design across the SDLC for payment gateways, issuing platforms, APIs, mobile/web apps, merchant/partner portals, and crypto wallets.
• Own a modern DevSecOps toolchain: SAST, DAST, SCA, secrets scanning, IaC scanning, container & K8s posture (CSPM/KSPM), and policy-as-code in CI/CD.
• Operate a cloud security program across AWS/GCP/Azure: landing zones, guardrails, workload identity, CNAPP, runtime protection, and continuous compliance.
• Partner with Engineering and Product to secure new payment products, BaaS/issuing APIs, open banking integrations, crypto on/off-ramp and custody, and AI/ML use cases.
• Champion fraud and financial-crime prevention with Risk, Fraud, and AML: 3DS2, device fingerprinting, behavioral biometrics, transaction monitoring, sanctions screening, and Travel Rule for crypto flows.
Identity, Access & Insider Risk
• Own enterprise identity (SSO, MFA, PAM, IGA), least-privilege enforcement, joiner/mover/leaver processes, and privileged access to production and payment systems.
• Run an insider risk and data loss prevention (DLP) program covering cardholder data, PII, and sensitive financial information.
Business Continuity & Cyber Resilience
• Own cyber-resilience, DR, and business continuity planning for critical payment processing services, ensuring RTO/RPO meet regulatory and scheme requirements.
• Run regular tabletop exercises, ransomware simulations, and crisis-management drills with executive participation.
Corporate IT Management & Modernization (Additional Responsibility)
• Own end-to-end Corporate IT: infrastructure, networking, end-user computing, collaboration suites (Google Workspace), SaaS administration, telephony, and meeting rooms across all offices and a globally distributed remote workforce.
• Drive the Corporate IT modernization roadmap: cloud-first, SaaS-first, MDM/UEM, passwordless identity, and convergence of corporate networking.
• Own IT asset and SaaS lifecycle management, software licensing, spend optimization (FinOps for SaaS), and IT vendor / contract management.
• Ensure secure, automated onboarding/offboarding for employees and contractors, including device provisioning, access entitlements (joiner/mover/leaver), and data recovery.
• Manage the Corporate IT budget, capacity planning, and operational efficiency; align corporate IT controls with security, privacy, and regulatory requirements (incl. DORA ICT scope).
• Support M&A integration of acquired entities' IT estates, consolidating identity, endpoints, SaaS, and networking into the group standard.
People, Culture & Awareness
• Build, mentor, and retain a high-performing security and IT organization; define career paths, hiring plans, and succession.
• Run enterprise-wide security awareness, phishing simulations, and role-based training for engineers, operations, and customer-facing teams.
• Foster a strong security and service culture that treats security as a business enabler, not a blocker.
Budget & Vendor Management
• Own the consolidated Security + Corporate IT budget (capex and opex); optimize spend across tooling, services, and headcount.
• Manage strategic relationships with security vendors, MSSPs, cloud providers, QSAs, auditors, and IT service partners.
Requirements:
• 7+ years in information security, with 5+ years in a CISO, Deputy CISO, or equivalent C-suite role inside a PSP, acquirer, issuer/BaaS provider, card network, EMI, bank, or regulated fintech operating in the EU or US.
• Demonstrated hands-on accountability for PCI DSS Level 1 (RoC), PSD2/SCA, GDPR, SOC 2 Type II, and ISO 27001 programs; working knowledge of DORA, NIS2, and MiCA.
• Proven experience leading security across acquiring/gateway and card issuing or BaaS stacks; familiarity with crypto / Web3 payment rails and custody is required.
• Deep technical fluency in cloud security (AWS/GCP/Azure), Kubernetes, API security, DevSecOps toolchains, cryptography, HSM/KMS, tokenization, and Zero Trust.
• Track record of leading a 24/7 SOC and incident response for material cyber, fraud, and payment incidents, including regulator, card-scheme, and partner-bank communications.
• Direct accountability for corporate IT operations at scale (service desk, endpoint, M365 / Google Workspace, identity, networking) and for leading an IT modernization program.
• Strong partnership track record with Fraud, AML, and Financial Crime teams, including transaction monitoring, sanctions, and Travel Rule implementation.
• Experience reporting to Boards, Risk & Audit Committees, regulators, and external auditors.
• Relevant certifications: CISSP, CISM, CISA, CRISC, CCSP, or equivalent.
Nice to Have:
• Experience with issuing/processing platforms (e.g., Marqeta, Galileo, Paymentology, in-house BIN-sponsored issuing) and acquiring stacks.
• Hands-on familiarity with crypto custody (MPC / HSM), stablecoin rails, on/off-ramp flows, and Travel Rule tooling (e.g., TRP, Notabene, Sumsub).
• Open Banking, embedded finance, and BaaS exposure.
• Experience scaling security and IT through rapid headcount growth, geographic expansion, and M&A integration.
We offer:
• Opportunity to work in a fast-growing international fintech company
• Professional growth opportunities alongside the company's growth
• 24 paid vacation days per year and 5 paid sick leave days per year
• 10 public holidays
• An opportunity to work fully remote or with hybrid flexibility
• Collaborative and friendly team
• Professional education budget after 6 months with the company
• Birthday gift bonus for all our employees
Required skills and experience
| Skill | Experience |
| --- | --- |
| Cybersecurity Strategy | 4 years |
| ISO 27001 | 3 years |
| AWS | 2 years |
Required languages
| Language | Level |
| --- | --- |
| English | B2 - Upper Intermediate |
| Ukrainian | Native |