Chief Information Security Officer

Product

TodaPay is an international fintech company operating in the digital payments and financial infrastructure space across multiple jurisdictions. We support high-growth payment operations with multi-currency transactions, crypto payments, and complex corporate structures.

The Chief Information Security Officer (CISO) is the C-suite executive accountable for information security, cyber resilience, and corporate IT operations across the group. Operating in a regulated, multi-jurisdictional PSP and fintech environment spanning card acquiring and gateway, card issuing / BaaS, and crypto / Web3 payment rails, the CISO defines and executes the enterprise security strategy; safeguards cardholder data, customer funds, private keys, and proprietary platforms; and ensures continuous compliance with PCI DSS, PSD2/SCA, GDPR, DORA, NIS2, MiCA, SOC 2, ISO 27001, FCA/EBA expectations, and equivalent requirements in other operating jurisdictions. In addition to leading security, the CISO owns corporate IT (internal infrastructure, endpoints, identity, productivity tooling, and IT service delivery) and drives its modernization in lockstep with business growth.

Key Responsibilities:
Security Strategy & Governance
• Define, own, and execute the multi-year information security and cyber resilience strategy aligned with business growth, product roadmap, and regulatory obligations.
• Establish and maintain the Information Security Management System (ISMS) based on ISO 27001, NIST CSF, and PCI DSS control frameworks.
• Report security posture, risks, incidents, and investment needs to the CEO, Executive Committee, and Board on a regular cadence.
• Set and enforce enterprise security policies, standards, and acceptable use across all business units.

Regulatory Compliance & Risk Management
• Maintain continuous compliance with PCI DSS Level 1, PSD2/SCA, GDPR, DORA, NIS2, MiCA (for crypto activity), SOC 1/SOC 2 Type II, ISO 27001/27017/27018, and EBA/FCA guidelines, plus equivalent obligations in other operating jurisdictions.
• Own the security risk register, third-party / vendor risk program, and risk treatment plans; ensure alignment with enterprise risk management and the CRO.
• Lead external and internal audits, QSA assessments, penetration tests, and regulatory examinations; remediate findings within agreed timelines.
• Oversee the data protection program in coordination with the DPO, including DPIAs, data residency, cross-border transfers, and breach notification procedures.


Cybersecurity Operations & Engineering
• Operate a 24/7 Security Operations Center (SOC) covering threat detection, monitoring, incident response, digital forensics, and threat intelligence across acquiring, issuing, and crypto rails.
• Lead the response to security incidents, payment fraud events, account takeover, and data breaches; act as the primary executive interface with regulators (FCA, EBA, national competent authorities), card schemes, acquirers, and law enforcement during incidents.
• Mature vulnerability management, red/purple teaming, and threat hunting across multi-cloud (AWS/GCP/Azure), Kubernetes, on-prem, PCI cardholder data environments (CDE), and crypto custody/HSM enclaves.
• Drive Zero Trust architecture, network segmentation, cryptography/HSM/key management, tokenization, secrets management, and secure key ceremonies for crypto custody.


Cloud, DevSecOps & Product Security
• Embed Security-by-Design and Privacy-by-Design across the SDLC for payment gateways, issuing platforms, APIs, mobile/web apps, merchant/partner portals, and crypto wallets.
• Own a modern DevSecOps toolchain: SAST, DAST, SCA, secrets scanning, IaC scanning, container & K8s posture (CSPM/KSPM), and policy-as-code in CI/CD.
• Operate a cloud security program across AWS/GCP/Azure: landing zones, guardrails, workload identity, CNAPP, runtime protection, and continuous compliance.
• Partner with Engineering and Product to secure new payment products, BaaS/issuing APIs, open banking integrations, crypto on/off-ramp and custody, and AI/ML use cases.
• Champion fraud and financial-crime prevention together with the Risk, Fraud, and AML teams: 3DS2, device fingerprinting, behavioral biometrics, transaction monitoring, sanctions screening, and the Travel Rule for crypto flows.


Identity, Access & Insider Risk
• Own enterprise identity (SSO, MFA, PAM, IGA), least-privilege enforcement, joiner/mover/leaver processes, and privileged access to production and payment systems.
• Run an insider risk and data loss prevention (DLP) program covering cardholder data, PII, and sensitive financial information.

Business Continuity & Cyber Resilience
• Own cyber resilience, DR, and business continuity planning for critical payment processing services, ensuring RTO/RPO meet regulatory and scheme requirements.
• Run regular tabletop exercises, ransomware simulations, and crisis-management drills with executive participation.

Corporate IT Management & Modernization (Additional Responsibility)
• Own end-to-end Corporate IT: infrastructure, networking, end-user computing, collaboration suites (Google Workspace), SaaS administration, telephony, and meeting rooms across all offices and a globally distributed remote workforce.
• Drive the Corporate IT modernization roadmap: cloud-first, SaaS-first, MDM/UEM, passwordless identity, and consolidation of corporate networking.
• Own IT asset and SaaS lifecycle management, software licensing, spend optimization (FinOps for SaaS), and IT vendor / contract management.
• Ensure secure, automated onboarding/offboarding for employees and contractors, including device provisioning, access entitlements (joiner/mover/leaver), and data recovery.
• Manage the Corporate IT budget, capacity planning, and operational efficiency; align corporate IT controls with security, privacy, and regulatory requirements (incl. DORA ICT scope).
• Support M&A integration of acquired entities' IT estates, consolidating identity, endpoints, SaaS, and networking into the group standard.

People, Culture & Awareness
• Build, mentor, and retain a high-performing security and IT organization; define career paths, hiring plans, and succession.
• Run enterprise-wide security awareness, phishing simulations, and role-based training for engineers, operations, and customer-facing teams.
• Foster a strong security and service culture that treats security as a business enabler, not a blocker.


Budget & Vendor Management
• Own the consolidated Security + Corporate IT budget (capex and opex); optimize spend across tooling, services, and headcount.
• Manage strategic relationships with security vendors, MSSPs, cloud providers, QSAs, auditors, and IT service partners.

Requirements:
• 7+ years in information security, with 5+ years in a CISO, Deputy CISO, or equivalent C-suite role inside a PSP, acquirer, issuer/BaaS provider, card network, EMI, bank, or regulated fintech operating in the EU or US.
• Demonstrated hands-on accountability for PCI DSS Level 1 (RoC), PSD2/SCA, GDPR, SOC 2 Type II, and ISO 27001 programs; working knowledge of DORA, NIS2, and MiCA.
• Proven experience leading security across acquiring/gateway and card issuing or BaaS stacks; familiarity with crypto / Web3 payment rails and custody is required.
• Deep technical fluency in cloud security (AWS/GCP/Azure), Kubernetes, API security, DevSecOps toolchains, cryptography, HSM/KMS, tokenization, and Zero Trust.
• Track record of leading a 24/7 SOC and incident response for material cyber, fraud, and payment incidents, including regulator, card-scheme, and partner-bank communications.
• Direct accountability for corporate IT operations at scale (service desk, endpoint, M365 / Google Workspace, identity, networking) and for leading an IT modernization program.
• Strong partnership track record with Fraud, AML, and Financial Crime teams, including transaction monitoring, sanctions, and Travel Rule implementation.
• Experience reporting to Boards, Risk & Audit Committees, regulators, and external auditors.
• Relevant certifications: CISSP, CISM, CISA, CRISC, CCSP, or equivalent.

Nice to Have:
• Experience with issuing/processing platforms (e.g., Marqeta, Galileo, Paymentology, in-house BIN-sponsored issuing) and acquiring stacks.
• Hands-on familiarity with crypto custody (MPC / HSM), stablecoin rails, on/off-ramp flows, and Travel Rule tooling (e.g., TRP, Notabene, Sumsub).
• Open Banking, embedded finance, and BaaS exposure.
• Experience scaling security and IT through rapid headcount growth, geographic expansion, and M&A integration.

We offer:
• Opportunity to work in a fast-growing international fintech company
• Professional growth opportunities as the company grows
• 24 paid vacation days per year and 5 paid sick leave days per year
• 10 public holidays
• Option to work fully remote or with hybrid flexibility
• Collaborative and friendly team
• Professional education budget after 6 months with the company
• Birthday gift bonus for all our employees

Required skills and experience:
• Cybersecurity Strategy: 4 years
• ISO 27001: 3 years
• AWS: 2 years
• Azure: 2 years
• PCI DSS: 3 years
• DORA: 2 years

Required languages:
• English: B2 (Upper Intermediate)
• Ukrainian: Native
Published 1 June