Chief Information Security Officer

Design and maintain the ICT risk management framework in line with DORA and CSSF Circular 25/880

Draft, implement and keep up to date information security policies and procedures

Build and maintain the ICT third-party register (cloud providers, software vendors, critical sub-contractors)

Prepare and deliver ICT reporting to the Board and the CSSF (incidents, KRIs, resilience test outcomes)

Lead digital operational resilience testing programmes (TLPT where applicable)

Anticipate and manage EU-level regulatory implications arising from the Group’s European expansion, including engagement with local regulators in passported jurisdictions and compliance with any additional ICT/security requirements they may impose

Define and oversee the AI security and AI risk management governance framework, ensuring alignment with the Group’s AI-first strategy and applicable regulatory requirements

Define and oversee the entity’s cybersecurity strategy and policy

Manage detection, response and notification of major ICT security incidents via the CSSF eDesk portal

Supervise access management, data protection and payment system security

Ensure PCI-DSS compliance and strong customer authentication requirements (SCA/PSD2)

Facilitate and coordinate internal audits, risk assessments, and penetration tests

Oversee IT infrastructure (primarily cloud-based), technical service providers and related contracts

Define the technology roadmap in alignment with business needs and regulatory requirements

Manage relationships with critical IT vendors and monitor SLA compliance

Lead cross-functional IT projects (migrations, integrations, payment platform evolutions)

Own and maintain Business Continuity and Disaster Recovery plans (BCP/DRP)

Coordinate with the Group IT function (existing infrastructure and technology team) to ensure alignment between the PI’s regulated IT/security requirements and Group-level systems, while building the PI’s own governance framework from the ground up

Raise security awareness and deliver training across the organisation

Collaborate closely with Compliance, Risk Management and Internal Audit

Act as the primary contact during CSSF on-site and remote inspections

Minimum 7 years in IT, including at least 3 years in a CISO or equivalent role

Master’s degree in computer science, Cybersecurity, Engineering or equivalent

Professional certifications valued: CISSP, CISM, ISO 27001 Lead Implementer/Auditor, CRISC, CCSP

Mandatory experience in a regulated financial environment (bank, PSP, insurance, PSF)

Hands-on knowledge of DORA, PSD2 and CSSF requirements preferable

Proven experience with cloud environments (AWS, Azure, GCP) and payment architectures

ICT risk management and security frameworks (ISO 27001, NIST, TIBER-EU)

API security and payment system security (SWIFT, SEPA, open banking)

Incident management, forensics, SOC oversight (in-house or MSSP)

Working knowledge of PCI-DSS requirements and SCA implementation

Fluent English and French required, Luxembourgish or German is a great plus

Ability to operate autonomously in a lean, growing organisation

Strong communication skills with Board members and non-technical stakeholders

Rigorous documentation discipline is essential for CSSF inspections

Pragmatic approach: ability to apply the DORA proportionality principle effectively