
Information Security Risk Lead

Luxembourg

ABOUT TIDE

At Tide, we are building a business management platform designed to save small businesses time and money. We provide our members with business accounts and related banking services, but also a comprehensive set of connected administrative solutions from invoicing to accounting.


Launched in 2017, Tide is now used by over 1 million small businesses across the world and is available to UK, Indian and German SMEs. Headquartered in central London, with offices in Sofia, Hyderabad, Delhi, Berlin and Belgrade, Tide employs over 2,000 employees.


Tide is rapidly growing, expanding into new products and markets and always looking for passionate and driven people. Join us in our mission to empower small businesses and help them save time and money.

ABOUT THE ROLE 

You’ll be an information security expert, with a great eye for information security risk reduction and continual improvement opportunities. If fast-paced environments, cross-team exposure, inquisitive freedom and the ability to have a real impact on a rapidly growing scale-up appeal to you, then you already have the mind of a Tidean. You’ll join an ambitious team of highly motivated security specialists who interface with all areas of the business in order to drive down information security risk at Tide, whether it is technical, procedural or cultural.

Some of the things you’ll be doing: 

  • You’ll operate as part of the Second Line of Defence (2LOD), providing independent oversight and challenge on information security controls - focusing on governance, regulatory alignment, risk management and reporting, rather than hands-on control implementation.
  • You will be responsible for filing TPSA’s information security returns to the CSSF and responding to enquiries, and you will keep abreast of regulatory requirements and reporting obligations for ICT related topics including Tech and Cyber, DORA, IT Incident management etc.
  • Interacting with Tide’s third party stakeholders in Europe such as partners and regulators, on behalf of Tide Risk & Compliance Luxembourg.
  • Defining information security standards specific to Tide Platform SA operations, in close alignment with the global ISMS.
  • Acting as a thought leader in the context of local information security requirements.
  • Managing information security risk in accordance with Tide’s Global Risk Management Framework & CSSF Articles regulatory requirements.
  • Managing Tide’s global ISMS, with a focus on Tide’s people, process and technology controls in Luxembourg.
  • Implementing real-time compliance monitoring and risk management processes using modern GRC tooling, utilising automation wherever possible.
  • Ensuring alignment with industry recognised information security control frameworks, such as ISO 27001, NIST, NIS2, DORA. 
  • Conducting local information security risk assessments and control oversight, and driving best practices globally.
  • Working with 1LOD stakeholders across the business in order to deliver information security risk treatment plans.

  • Defining and measuring global (and local where relevant) key risk indicators, and interpreting data from modern information security tooling to develop insightful risk reporting.
  • Facilitating external audit requirements in Europe, and working with stakeholders across 1LOD and 3LOD to close information security audit findings. You will be responsible for supporting all technology related audits for long form reports including coordination and collation of records, security policies, documents required for security and IT resilience topics.
  • Reinforcing a strong security culture and awareness message throughout the business.
  • Preparing and presenting regular reports on security posture, risk status, and compliance efforts to Tide Platform SA senior leadership, risk committees, key partners and regulatory bodies as required.
  • Ensuring Tide’s compliance with all applicable EU and Luxembourg regulatory requirements, and keeping abreast of new regulatory and compliance developments.

WHAT WE ARE LOOKING FOR:

  • A minimum of 10 years experience working in information security GRC (governance, risk & compliance) related roles
  • Experience interacting with financial regulators and government agencies in Luxembourg (e.g. CSSF, BCL)
  • You are familiar with modern engineering and security paradigms such as DevSecOps within CI/CD pipelines, Infrastructure as Code (IaC), Zero Trust architecture, containerisation, microservices, and cloud-native development.
  • An understanding of how effective change management can be implemented within agile, fast-paced environments, and the ability to balance risk oversight without relying on legacy control models such as monthly CABs.
  • Experience using GRC tooling to monitor compliance and carry out risk management activities.
  • Proven experience working at or on behalf of a technology-driven, financially regulated organisation
  • You’ve implemented, maintained and supported an ISMS using ISO 27001
  • You have experience with security control frameworks such as ISO 27001, NIST CSF, CIS Critical Security Controls, PCI DSS, etc.
  • You have experience with audits applicable to information security such as ISO 27001, RBI Systems Audit Report (SAR), SOC2, Data Localisation, etc.
  • You’ve performed information security risk assessments and control oversight
  • You have good technical knowledge in the field of information security 
  • You have led information security risk treatment projects
  • In-depth knowledge of payment security standards, data protection regulations, RBI Master Directions, and risk management frameworks.
  • Relevant certifications such as CISSP, CISM, CISA are strongly preferred.

WHAT YOU’LL GET IN RETURN:

Our team is always keen to ensure the competitiveness of the compensation package. As we grow in the location, we hope to add additional benefits in the long term!

  • 26 days holiday with the option to take 5 extra days of unpaid leave per year
  • We invest in your development with a 1000 EUR professional L&D budget per year and the ability to access thousands of resources through the Learnerbly platform (available after you pass your probation period; may be lower for A1-A2 folks in India Region, UK/Europe Region and PCS UK sales team)
  • Extended Parental Leave
  • At least 3 days of paid leave for volunteering or L&D time off per year.
  • Mental health support through Plumm
  • Flexible work from home, Tide will also contribute 50% of office equipment for your remote working - up to EUR 200.
  • Work and travel globally - up to 90 days per country outside of your home country (subject to internal policy)
  • Sabbatical Leave, after 3 years you can take 1 month unpaid, increasing to 2 months after 4 years. After 5 years, you can take 1 month paid (& 2 months unpaid). Unpaid leave rises 1 month per year, and after 8 years, you will receive 2 months paid and 6 months unpaid.
  • Option to take your work device as your own (eligibility applies)

 

TIDE IS A PLACE FOR EVERYONE

At Tide, we believe that we can only succeed if we let our differences enrich our culture. Our Tideans come from a variety of backgrounds and experience levels. We consider everyone irrespective of their ethnicity, religion, sexual orientation, gender identity, family or parental status, national origin, veteran, neurodiversity or differently-abled status. We celebrate diversity in our workforce as a cornerstone of our success. Our commitment to a broad spectrum of ideas and backgrounds is what enables us to build products that resonate with our members’ diverse needs and lives. 

We are One Team and foster a transparent and inclusive environment, where everyone’s voice is heard.

 

At Tide, we thrive on diversity, embracing various backgrounds and experiences. We welcome all individuals regardless of ethnicity, religion, sexual orientation, gender identity, or disability. Our inclusive culture is key to our success, helping us build products that meet our members' diverse needs. We are One Team, committed to transparency and ensuring everyone’s voice is heard.

 
Disclaimer
 
It has come to our attention that individuals or agencies are falsely claiming to represent Tide and are reaching out to candidates regarding job opportunities. Please be aware that:
  • Tide does not charge any fees at any stage of the recruitment process.
  • All official Tide job opportunities are listed exclusively on our Careers Page and applications should be submitted through this channel.
  • Communication from Tide will only come from an official @tide.co email address.
  • Tide does not work with agencies or recruiters without prior formal engagement, and we do not authorize third parties to make job offers on our behalf.

If you are contacted by anyone misrepresenting Tide or requesting payment, please treat it as fraudulent and report it to us immediately at talent@tide.co.
Your safety and trust are important to us, and we are committed to ensuring a fair and transparent recruitment process.

 

Your personal data will be processed by Tide for recruitment purposes and in accordance with Tide's Recruitment Privacy Notice.
