
Addi is a technology company that seeks to drive and enable digital commerce in Latin America. At Addi we want people to be able to buy what they want, when they want, in a way that is easy, fast, and transparent. The way it should be.
201 - 500 employees
November 11
• Establish and lead Addi's 2nd Line of Defense Technology Risk & Cybersecurity function, acting as the CISO for the regulated entity and driving a robust governance framework that provides independent risk oversight, ensures compliance (SFC/SIC), and safeguards the company by aligning technology and security practices with Addi's defined risk appetite
• Develop and maintain a comprehensive Technology & Security Risk Framework approved by the Board and aligned with Addi's risk appetite and 3LoD (three lines of defense) model
• Establish clear quantitative and qualitative technology- and security-risk appetite statements that reflect Addi's strategic objectives and regulatory expectations
• Maintain a clear technology-risk taxonomy and a standardized risk-assessment methodology integrated with enterprise risk management
• Develop and maintain a consolidated KRI/KPI dashboard for technology and security risk, integrated into enterprise-level reporting
• Define and validate incident-classification, escalation, and regulatory-reporting processes to ensure timely compliance with company policies and SFC requirements
• Oversee and challenge the design and execution of business continuity and IT disaster-recovery plans
• Promote risk awareness and ownership across first-line engineering, security, product, and operations teams
• Sustain the ISO 27001 implementation, lead supervisory engagements, and ensure continuous audit preparedness against SFC and SIC regulatory expectations
• Deep expertise in technology risk, cybersecurity, IT resilience & governance
• 12+ years of progressive experience across the three lines of defense, ideally starting in first-line security operations or architecture and advancing into governance and oversight roles within a regulated industry (Fintech, Banking, or another regulated industry is strongly preferred)
• Proven ability to translate operational security knowledge (e.g., vulnerability management, SOC, cloud security) into second-line challenge and risk-assurance practices
• Skilled in designing and maintaining integrated technology, cyber, and resilience risk frameworks aligned with standards and regulations such as ISO 27001, ISO 22301/27031, ISO 31000, COBIT, DORA, and the Colombian Circular Externa 007/2018 (SFC)
• Experienced in defining, monitoring, and reporting technology-risk appetite and related metrics, ensuring measurable alignment with enterprise risk tolerance and regulatory expectations
• Demonstrated success in leading and managing internal & external audits, regulatory examinations, and similar reviews with minimal findings, and in building productive relationships with auditors and regulators
• Track record of establishing and maturing comprehensive technology risk and security programs from the ground up, or of significantly transforming existing ones
• Ability to independently assess, challenge & communicate technology risks
• Experienced in performing independent oversight of risk identification, assessment, and mitigation plans across infrastructure, applications, and third-party providers
• Capable of transforming technical risk data into meaningful insights and recommendations for senior leadership and regulators
• Adept at facilitating targeted risk-awareness sessions; leverages first-line credibility to drive constructive challenge and alignment with risk appetite
• Proficiency in incident oversight, IT resilience & third-party risk governance
• First-hand understanding of incident response, continuity planning, and resilience testing from prior first-line exposure, combined with the ability to evaluate their adequacy as a second-line function
• Skilled in overseeing incident classification, escalation, and post-incident reviews for targeted lessons learned and regulatory-reporting accuracy
• Experienced in assessing the security and resilience impact of critical third-party providers, reviewing test outcomes, and ensuring integration of vendor risks into continuity and operational-resilience frameworks
• Strong strategic influence across 3LoD & executive stakeholders:
• Ability to understand and create a technology- and security-risk strategy that supports Addi's dual business model: enabling rapid innovation and growth for the BNPL unit while applying a more stringent, compliance-focused risk posture for the regulated Compañía de Financiamiento
• Ability to translate technology-risk insights (architecture, resilience, change, third-party, data integrity) into business-relevant risk narratives for executive decision-making, anchored in risk appetite
• Experience providing independent 2nd-line challenge to the CIO/CTO and engineering teams on large technology-change initiatives, outsourcing, and cloud operations
• Experience successfully articulating complex security risks, compliance status, and strategy to an executive team and Board of Directors, influencing investment and strategic decision-making
• Leadership in driving a risk-aware & resilient technology culture
• Advocates for "resilient-by-design" and "secure-by-design" principles across product, engineering, and operations
• Leverages first-line empathy to influence without direct authority and to embed accountability for risk ownership throughout the business
• Champions continuous improvement, maturity benchmarking, and integration of lessons learned into governance, policy, and awareness programs
• Competitive compensation & meaningful ownership
• Generous salary
• Equity in the company
• Benefits that go beyond the basics to support your growth