Job Description
As the Chief Information Security Officer at INFINIT, you will be the single point of contact for the Board and the CSSF on all ICT, security and operational resilience matters for our CSSF-licensed Payment Institution in Luxembourg. In a rapidly evolving regulatory environment like DORA, CSSF Circular 25/880 and PSD3 in progress, you will design and build a robust, proportionate IT and security governance framework from the ground up, suited to our size and risk profile.
The Group has a clear ambition to expand its services across Europe. As we will passport our licence and establish operations in new EU jurisdictions, this role will carry responsibilities beyond the CSSF perimeter including engagement with local regulators and compliance with jurisdiction-specific ICT and security requirements.
You will also operate within the Group's existing infrastructure and technology team, coordinating closely with the Group IT function while building the PI's own regulated governance framework.
In accordance with DORA and CSSF Circular 25/880, this role requires the formal designation of the appointee as the entity's ICT Risk Management responsible before the CSSF. The incumbent must be able to represent the entity during on-site and remote supervisory reviews conducted by the CSSF.
What do we want to achieve together?
Governance & DORA Compliance
- Design and maintain the ICT risk management framework in line with DORA and CSSF Circular 25/880
- Draft, implement and keep up to date information security policies and procedures
- Build and maintain the ICT third-party register (cloud providers, software vendors, critical sub-contractors)
- Prepare and deliver ICT reporting to the Board and the CSSF (incidents, KRIs, resilience test outcomes)
- Lead digital operational resilience testing programmes (TLPT where applicable)
- Anticipate and manage EU-level regulatory implications arising from the Group's European expansion, including engagement with local regulators in passported jurisdictions and compliance with any additional ICT/security requirements they may impose
- Define and oversee the AI security and AI risk management governance framework, ensuring alignment with the Group's AI-first strategy and applicable regulatory requirements
Information Security (CISO)
- Define and oversee the entity's cybersecurity strategy and policy
- Manage detection, response and notification of major ICT security incidents via the CSSF eDesk portal
- Supervise access management, data protection and payment system security
- Ensure PCI-DSS compliance and strong customer authentication requirements (SCA/PSD2)
- Facilitate and coordinate internal audits, risk assessments, and penetration tests
IT Oversight (CIO)
- Oversee IT infrastructure (primarily cloud-based), technical service providers and related contracts
- Define the technology roadmap in alignment with business needs and regulatory requirements
- Manage relationships with critical IT vendors and monitor SLA compliance
- Lead cross-functional IT projects (migrations, integrations, payment platform evolutions)
- Own and maintain Business Continuity and Disaster Recovery plans (BCP/DRP)
- Coordinate with the Group IT function (existing infrastructure and technology team) to ensure alignment between the PI's regulated IT/security requirements and Group-level systems, while building the PI's own governance framework from the ground up
Leadership & Cross-functional
- Raise security awareness and deliver training across the organisation
- Collaborate closely with Compliance, Risk Management and Internal Audit
- Act as the primary contact during CSSF on-site and remote inspections
What do you need to be successful in this role?
Experience
- Minimum 7 years in IT, including at least 3 years in a CISO or equivalent role
- Master's degree in Computer Science, Cybersecurity, Engineering or equivalent
- Professional certifications valued: CISSP, CISM, ISO 27001 Lead Implementer/Auditor, CRISC, CCSP
- Mandatory experience in a regulated financial environment (bank, PSP, insurance, PSF)
- Hands-on knowledge of DORA, PSD2 and CSSF requirements preferable
- Proven experience with cloud environments (AWS, Azure, GCP) and payment architectures
Technical Skills
- ICT risk management and security frameworks (ISO 27001, NIST, TIBER-EU)
- API security and payment system security (SWIFT, SEPA, open banking)
- Incident management, forensics, SOC oversight (in-house or MSSP)
- Working knowledge of PCI-DSS requirements and SCA implementation
- Fluent English and French required; Luxembourgish or German is a great plus
- Ability to operate autonomously in a lean, growing organisation
- Strong communication skills with Board members and non-technical stakeholders
- Rigorous documentation discipline is essential for CSSF inspections
- Pragmatic approach: ability to apply the DORA proportionality principle effectively
What will you find working at INFINIT?
- Competitive Salary and Equity: We offer highly competitive salaries and a stake in our success with share options because we're building this together.
- Diverse and Inclusive Team: Join a dynamic and international team in excess of 8 nationalities. You'll have the chance to work with experienced professionals from around the world, fostering a rich learning environment.
- Inspiring Mission: We are dedicated to revolutionizing business financing and making a positive impact on the European economy. Your work at INFINIT will have a lasting effect on businesses and communities.
- Health and Well-being: Your health matters to us. You will have access to top-quality Medical & Mental Health Insurance.
- Quality Time Together: We foster a sense of community with annual gatherings and bi-weekly office team gatherings. You're more than welcome to join us for quality time.
- Personal Time Off: Enjoy flexibility with your personal time off.
- Flexibility and Ownership: We trust our team and we are goal-oriented. Enjoy the flexibility of hybrid working 3 days a week in our Luxembourg office and 2 days at home.