Cyber Security and Information Security Lead job at CarePay
Role Description

We are looking for a Cyber Security & Information Security Lead to take end-to-end ownership of security at CarePay. This is a hands-on, critical role in the organization. You will be the subject-matter expert for cyber and information security, responsible for both day-to-day execution and long-term strategic direction.

You will enhance and build upon the existing framework, and implement and operate CarePay’s security capability, while working closely with engineering, product, operations, and leadership to ensure security enables, rather than slows down, our mission.

Cyber Security & Information Security Leadership

  • Own and continuously evolve CarePay’s information security and cyber security strategy
  • Establish and maintain security policies, standards, and controls appropriate for a growing, international insurtech
  • Turn policy into practice through effective implementation of policies, standards and controls
  • Act as CarePay’s primary authority on cyber and information security

Data Protection and Privacy

  • Ensure appropriate protection of sensitive data, including PII, financial, and health data
  • Support or act as Data Protection Officer (DPO) where required
  • Lead or support Data Protection Impact Assessments (DPIAs)
  • Advise teams on privacy-by-design and data minimisation principles

Risk, Governance and Compliance

  • Identify, assess, and manage security, technology and privacy risks across products, platforms, and operations
  • Lead security risk assessments and define pragmatic mitigation plans
  • Ensure alignment with relevant standards and regulations (e.g. ISO 27001, GDPR, SOC 2, local regulatory requirements)
  • Prepare for and support audits, certifications, and customer security assessments
  • Serve as a key point of contact for regulators, partners, and enterprise customers on security matters

Secure Product and Platform Enablement

  • Partner closely with Engineering and Product teams to embed security by design and secure SDLC practices
  • Advise on cloud, application, and API security architecture
  • Oversee vulnerability management, penetration testing, and remediation efforts
  • Proactively identify emerging threats and weaknesses in CarePay’s technology stack

Incident Preparedness and Response

  • Design and maintain CarePay’s incident response and breach management processes
  • Lead security and privacy incident response activities when required, ensuring calm, clear communication and effective coordination
  • Drive post-incident reviews and continuous improvement

Culture, Awareness & Influence

  • Build security and privacy awareness across CarePay through training, guidance and practical support
  • Translate technical security risks into clear business impact for non-technical stakeholders
  • Act as a trusted advisor to leadership, contributing to long-term technology and risk decisions

Requirements

8+ years’ experience in a cyber and information security and privacy function, including business continuity planning and risk management

Solid understanding of:

  • Information security frameworks (ISO 27001, NIST, SOC 2)
  • Risk management and control design
  • Application, cloud, and API security
  • Incident response and vulnerability management
  • Data protection and privacy (GDPR)

Experience in regulated environments (insurtech, fintech, health, insurance, or financial services)

Strong knowledge of business impact assessments, disaster recovery, RTOs/RPOs and system criticality mapping

Hands-on experience with cloud-native environments and modern SaaS architectures

Proven ability to work independently with excellent communication and interpersonal skills, including delivering effective training across the company

Analytical and detail-oriented with a proactive approach to risk identification and mitigation

Experience working across multiple countries or regions is a strong advantage

Nice to have:

  • Relevant certifications (e.g. CISSP, CISM, ISO 27001 Lead Implementer/Auditor)
  • Previous experience acting as a DPO
  • Experience scaling security in a growing or mission-driven organisation

Vacancy title:
Cyber Security and Information Security Lead

[Type: FULL_TIME, Industry: Financial Services, Category: Computer & IT, Management, Protective Services]

Jobs at:
CarePay

Deadline of this Job:
Friday, May 8 2026

Duty Station:
Nairobi | Nairobi

Summary
Date Posted: Monday, April 27 2026, Base Salary: Not Disclosed

Work Hours: 8

Experience in Months: 96

Level of Education: bachelor degree
