Fractional Chief Information Security Officer (CISO)


Job Location:

London - UK

Monthly Salary: Not Disclosed
Posted on: 17 hours ago
Vacancies: 1 Vacancy

Department:

Engineering

Job Summary

We are seeking an experienced Fractional CISO to provide hands-on security leadership as we evolve our security function to support continued growth and European expansion. This is a permanent fractional engagement reporting directly to the CTO.

You will own our information security strategy, maintain our ISO 27001 certification, build our security roadmap, and prepare the organisation for SOC 2 readiness in 2026-2027. This role requires someone who can operate both strategically and tactically, developing policy one day and reviewing cloud configurations the next.

Key Responsibilities

Strategy & Governance

  • Develop and own the Information Security strategy aligned with ApprovalMax's business objectives and European expansion plans
  • Maintain and continuously improve the Information Security Management System (ISMS)
  • Create, review, and maintain core security policies, standards, and procedures
  • Establish and chair a cross-functional Security Working Group (Engineering, Architecture, IT, HR)
  • Build and present a multi-year security roadmap with clear milestones, resource requirements, and priorities
  • Serve as the central authority on risk assessment, risk treatment, and risk acceptance decisions
  • Assess and provide guidance on secure AI adoption across the organisation, including AI-powered product features and internal AI tooling

Compliance & Certification

  • Maintain ISO 27001 certification and prepare for the 2027 recertification audit
  • Lead SOC 2 Type II readiness programme (target: 2026-2027), including gap analysis and control mapping
  • Ensure compliance with GDPR and data protection requirements across EU/UK/US/AU/NZ/CA/ZA jurisdictions
  • Collaborate with external DPO support provider on privacy-related matters and customer security questionnaires as needed

Cloud & Technical Security

  • Provide security oversight across Azure, AWS, and Google Workspace environments
  • Conduct access reviews and advise on identity and access management best practices
  • Evaluate and guide implementation of security tooling (SIEM, vulnerability management, endpoint protection)
  • Oversee VMware Workspace ONE MDM deployment and device security policies
  • Advise engineering teams on secure SDLC practices, DevSecOps integration, and application security principles

Operational Security

  • Develop and maintain incident response plans and procedures
  • Lead incident response tabletop exercises and post-incident reviews
  • Provide guidance on business continuity and disaster recovery planning
  • Advise on vendor security assessments and third-party risk management

Awareness & Culture

  • Design and deliver company-wide security awareness training programmes
  • Mentor and upskill internal staff on security best practices
  • Foster a security-first culture across all departments
  • Act as a trusted advisor to leadership on emerging threats and security trends

Stakeholder Engagement

  • Report regularly to the CTO on security posture, risks, and programme progress
  • Prepare board-level security presentations as required (infrequent)
  • Support commercial teams by contributing to customer security discussions when escalated

Qualifications:

  • 8 years of progressive experience in information security, with at least 3 years in a CISO, Head of Security, or senior security leadership role
  • Demonstrated experience in B2B SaaS environments, ideally in fintech, finance software, or similarly regulated industries
  • Proven track record of achieving and maintaining ISO 27001 certification
  • Experience preparing organisations for SOC 2 Type II certification
  • Hands-on experience securing cloud environments (Azure and/or AWS required; GCP a plus)
  • Experience with Google Workspace security configuration and administration
  • Background working with distributed, remote-first engineering teams

Technical Knowledge

  • Strong understanding of cloud security architecture, identity management, and zero-trust principles
  • Familiarity with secure software development lifecycle (SDLC) and DevSecOps practices
  • Knowledge of MDM solutions (VMware Workspace ONE experience preferred)
  • Understanding of API security and integration risk management
  • Practical experience with security tooling: SIEM, vulnerability scanners, endpoint protection, etc.
  • Awareness of AI/ML security risks, including secure AI adoption practices and emerging AI governance frameworks (desirable)

Compliance & Regulatory

  • Deep knowledge of ISO 27001:2022 requirements and audit processes
  • Familiarity with SOC 2 Trust Service Criteria (Security, Availability, Confidentiality, Privacy)
  • Understanding of GDPR, UK Data Protection Act, and international data transfer mechanisms
  • Awareness of regional requirements across EU, UK, US, Australia, New Zealand, Canada, and South Africa

Additional Information:

  • Growing international business with 10000 subscribers
  • Regular performance-based compensation reviews
  • 26 days paid time off
  • 1 additional day off for your Birthday
  • Remote office assistance
  • Service years recognition financial reward

Remote Work:

Yes


Employment Type:

Contract


Key Skills

  • International Development
  • Information Systems
  • Community
  • Information Technology Sales
  • Corporate Recruitment

About Company

ApprovalMax is award-winning B2B software used by businesses around the world to approve bills and expenses. It streamlines the approval process for decision-makers by replacing paper and email approvals with automated workflows. ApprovalMax integrates with platforms such as Xero, Qui ...