Information Security Officer

Anyfin


Job Location:

Stockholm - Sweden

Monthly Salary: Not Disclosed
Posted on: 22 hours ago
Vacancies: 1 Vacancy

Job Summary

About Anyfin

Anyfin is a fintech on a mission to challenge the status quo: lowering interest rates, removing unnecessary fees, and helping people take control of their finances. With more than a million app downloads across Sweden, Norway, Finland and Germany, we've helped hundreds of thousands of people save money.

We recently obtained our banking license, which means new opportunities and new responsibilities. We're looking for someone to own security and help us meet regulatory requirements (including DORA) without drowning in bureaucracy.

Your mission

This is a hands-on generalist role where you'll own Anyfin's security posture across governance, technical security and operations. But you won't do it in isolation: you'll have support from legal, compliance and engineering. Your job is to coordinate, drive and make sure things actually happen.

Some areas require your depth (security governance, technical security practices). Other areas require you to coordinate and oversee (incident response, vendor security, training). We're looking for someone who's comfortable with that mix and pragmatic about where to focus.

This is not a "build a security empire" role. It's roll-up-your-sleeves work: drafting policies that make sense, running access reviews, helping out in GCP, and making sure we're genuinely secure and not just compliant on paper.

What you'll do

Security is a top priority for Anyfin right now, not someday. With a banking license in place and new regulatory requirements (including DORA), this role will be central to making sure we scale in a secure, resilient and pragmatic way.

You'll own and drive the full security agenda across three core areas:

1) Governance & compliance (done pragmatically)

You'll make sure we have the right foundations in place, such as policies, routines, documentation and reporting, without creating unnecessary overhead. This includes:

  • Drafting and maintaining security policies, instructions and routines that meet both operational and regulatory requirements

  • Internal and external reporting

  • Staying on top of DORA and relevant frameworks (with support from legal/compliance)

  • Maintaining the Registry of Information and supporting risk assessments, including NPAP

  • Preparing for and following up on audits

2) Technical security (not just compliance on paper)

You'll work closely with engineering to ensure our security practices are real, working and continuously improving, not something that just looks good in a document. This includes:

  • Making sure we're actually secure, not just compliant

  • Defining and enforcing technical security practices together with engineering

  • Helping implement changes where needed (hands-on when it matters)

  • Supporting or owning IAM and access administration

3) Security operations (prepared, tested and running)

You'll coordinate the operational side of security and make sure we stay on top of risks, incidents and third parties as we grow. This includes:

  • Running access reviews and ensuring follow-up and remediation

  • Commissioning penetration tests, reviewing results and making sure findings are addressed

  • Operational support on ICT risks, including risk assessments

  • Leading incident response when things go wrong, and making sure we're prepared before they do

  • Driving security awareness and building a security-conscious culture

  • Overseeing vendor and supply chain security assessments

  • Supporting business continuity and disaster recovery planning

  • Providing training

What we're looking for

We're looking for someone with 5-8 years of experience in security roles and a strong technical foundation (security engineering, DevSecOps, infrastructure security or similar). You have hands-on cloud security experience (GCP preferred) and are familiar with security frameworks such as ISO 27001, SOC 2 or similar.

You're able to translate regulatory requirements into pragmatic processes that work in the real world, and you communicate clearly and confidently across the organisation. You're also comfortable being a generalist and the only dedicated ICT security person, while still believing that security is everyone's responsibility here.

Nice to have: experience in financial services or with DORA/EBA guidelines, experience with Google Cloud Security Command Center, and the ability to read and review code.

Why Anyfin

  • A real challenge: help a newly licensed bank get security right during a critical growth phase

  • Autonomy and ownership: no security theatre, just meaningful work

  • A collaborative culture where security is seen as an enabler, not a blocker

  • Competitive compensation, a central Stockholm office and the usual perks

  • We work from the office in Stockholm four days a week

Key Skills

  • International Development
  • Information Systems
  • Community
  • Information Technology Sales
  • Corporate Recruitment

About Company

Anyfin is a fintech on a mission to simplify loan repayments and improve the financial well-being of millions. We help consumers reduce the costs of high-interest loans, and take control of their repayment plan.
