Head of Information Security

Duco is empowering financial services to transform the work undertaken in Operations by automating manual work and elevating humans from task workers to decision makers. We do this with a combination of proprietary technique innovative cloud computing artificial intelligence technology and deep subject matter expertise. Our agentic Operations platform gives firms the ability to unlock full end-to-end reconciliation data trust and automation of their data regardless of source format or structure. By partnering with the industrys leading firms we are helping to rethink operating models increase efficiency strengthen governance and regulatory compliance reduce risk streamline processes and build the workforce of the future. More than 10000 users across 30 countries process billions of data records every week using the platform.

Duco is headquartered in London with offices in New York Wroclaw Antwerp and Singapore. Customers include global banks investment managers exchanges and insurance firms such as CIBC Mellon ING and Man Group.

The role

We are looking for a Head of Information Security to own our end-to-end security posture govern our risk and compliance programme and lead our IT Operations function. This is a VP Level role with company-wide scope. With approximately 200 employees across London New York Wroclaw Antwerp and Singapore we move fast build with purpose and hold ourselves to a high bar. As we scale information security governance and IT operations sit at the heart of that ambition.

What you will be doing

Security architecture and engineering

Define security architecture standards and lead threat modelling across the organisation

Establish and maintain long-term security architecture aligned to business strategy and regulatory requirements

Guide technology decisions at an enterprise level including cloud strategy and zero trust adoption

Oversee penetration testing DLP and advanced threat detection programmes.

Own the vulnerability management programme

Implement enterprise frameworks including IAM SIEM and data classification.

Anticipate emerging threats leverage AI/ML for predictive security and set the technology vision

Lead Security Incident Response Programme

Governance risk and compliance (GRC)

Define and own the GRC programme including the ISMS policy framework risk registers and audit readiness

Implement and maintain compliance with ISO 27001 SOC 1 SOC 2 NIST CSF GDPR and relevant financial services regulations

Understand the GRC landscape implement appropriate controls and adapt as the threat and regulatory environment shifts

Own execution of GRC strategy across the organisation; ensure frameworks are scalable and adaptable

Own Third Party Risk Management (TRPM) programme including vendor assessments and ongoing oversight

IT operations

Define and own the IT Operations programme setting strategy and standards for the function

Own execution of IT Operations strategy; ensure frameworks are scalable and adaptable as Duco grows

Ensure operational excellence across infrastructure tooling and end-user support

Leadership and stakeholder management

Lead mentor and develop a high-performing team across InfoSec GRC and IT Ops

Build strategic relationships with clients regulators and internal stakeholders

Engage effectively with large complex and multi-national enterprise clients

that have mission-critical operations requirements building trust and

credibility at the most senior levels

Recognise influence and resolve critical issues that may affect company direction

Create strategies that cross organisational boundaries to achieve broad business goals

Work with industry peers and working groups to develop solutions that benefit the wider market

Enterprise Client Assurance: Act as a key partner to Ducos Client Success and Pre-Sales teams. This involves speaking directly with the CISOs and security teams of global financial institutions to assure them of Ducos risk management and data privacy practices.

Core Competencies

Technical leadership

Proven track record of strategic impact at company-wide and industry-wide

Level

Recognised internally and externally as an InfoSec expert with evidence of

exceptional technical and people leadership

Establishes long-term security architecture aligned to business strategy and

regulatory requirements; guides enterprise technology decisions including

cloud strategy and zero trust

Anticipates emerging threats leverages AI/ML for predictive security and

sets the technology vision

Deep understanding of the GRC landscape; implements appropriate controls

and adapts as the environment shifts

End-to-end ownership

Develops proven solutions and replicates them across teams; designs

systems and frameworks built to last

Accountable and collaborative: works with clients and colleagues to resolve

complex issues and views challenges as opportunities to improve

Owns execution of security GRC and IT Ops strategy; ensures frameworks

are scalable adaptable and aligned to business strategy and executive-level

risk expectations

Market knowledge

Deep understanding of the security and risk landscape across fintech and beyond; adapts market knowledge to continuously improve Ducos posture

Evaluates and integrates advanced security technologies and GRC best practices; knows when to buy adapt or build internally

Acts as a recognised industry leader: participates in regulatory advisory groups defines Ducos position on InfoSec maturity and anticipates regulatory shifts before they arrive

Scope and influence

Operates across all departments; builds sponsorship for strategic initiatives

and drives them through

Leads all InfoSec GRC and IT Ops functions with cross-functional influence

across product engineering and compliance

Recognised outside of Duco for technology excellence; participates in

industry events and shapes the wider conversation on risk and threat.

Influences executive peers board decisions and global regulatory

compliance strategy

What We Are Looking For

- 8 years of progressive experience in information security with at least 3 years in a senior or leadership role

- Hands-on experience owning ISO 27001 and SOC 1 and SOC 2 programmes not just supporting them

- Demonstrated experience managing security incidents end-to-end including client and regulatory communications

- Strong understanding of cloud security particularly AWS including IAM logging and observability infrastructure

- Experience operating in a B2B SaaS or fintech environment with exposure to enterprise client security requirements

- Track record of building and managing TPRM programmes at scale

- Excellent stakeholder management skills; comfortable presenting to the board and to client security teams in equal measure

- Ability to make pragmatic decisions based on company culture and risk appetite

- Strong written communication skills: able to translate complex security topics into clear plain-language communications for non-technical audiences

- Experience leading and developing a small high-performing team

- Familiarity with AI governance and the security implications of agentic AI systems

Beneficial Experience

- Experience with DLP SIEM or SOC build-outs

- Relevant certifications such as CISSP CISM or ISO 27001 Lead Implementer

- Experience in capital markets asset management or securities services

Required Experience:

Director