Fractional Chief Information Security Officer (CISO)

Overview

Fractional Chief Information Security Officer (CISO)

London, UK – Employees can work remotely. Contract position as a permanent fractional engagement reporting to the CTO.

Company

ApprovalMax is redefining how finance teams manage the Money Out cycle — from purchase orders and supplier bills to employee expense management. Trusted by 18,000+ businesses worldwide, our platform automates financial controls, enables compliance, and supports scalable growth. At the end of 2024, ApprovalMax secured a £10 million growth investment from Yttrium, a leading European technology investor.

Job Description

We are seeking an experienced Fractional CISO to provide hands-on security leadership as we evolve our security function to support continued growth and European expansion. This role is a permanent fractional engagement reporting to the CTO. You will own our information security strategy, maintain ISO 27001 certification, build our security roadmap, and prepare the organization for SOC 2 readiness in 2026-2027. The role requires strategic and tactical operating ability—from policy development to reviewing cloud configurations.

Key Responsibilities

Strategy & Governance

• Develop and own the Information Security strategy aligned with ApprovalMax's business objectives and European expansion plans
• Maintain and continuously improve the Information Security Management System (ISMS)
• Create, review, and maintain core security policies, standards, and procedures
• Establish and chair a cross-functional Security Working Group (Engineering, Architecture, IT, HR)
• Build and present a multi-year security roadmap with milestones, resource requirements, and priorities
• Serve as the central authority on risk assessment, risk treatment, and risk acceptance decisions
• Assess and provide guidance on secure AI adoption across the organization, including AI-powered product features and internal AI tooling

Compliance & Certification

• Maintain ISO 27001 certification and prepare for the 2027 recertification audit
• Lead SOC 2 Type II readiness programme (target: 2026-2027), including gap analysis and control mapping
• Ensure GDPR and data protection compliance across EU/UK/US/AU/NZ/CA/ZA
• Collaborate with external DPO support provider on privacy matters and customer security questionnaires as needed

Cloud & Technical Security

• Provide security oversight across Azure, AWS, and Google Workspace
• Conduct access reviews and advise on identity and access management best practices
• Evaluate and guide security tooling (SIEM, vulnerability management, endpoint protection)
• Oversee VMware Workspace ONE MDM deployment and device security policies
• Advise engineering teams on secure SDLC, DevSecOps, and application security

Operational Security

• Develop and maintain incident response plans and procedures
• Lead incident response tabletop exercises and post-incident reviews
• Provide guidance on business continuity and disaster recovery planning
• Advise on vendor security assessments and third-party risk management

Awareness & Culture

• Design and deliver company-wide security awareness training
• Mentor and upskill internal staff on security best practices
• Foster a security-first culture across departments
• Act as a trusted advisor to leadership on emerging threats and security trends

Stakeholder Engagement

• Report to the CTO on security posture, risks, and programme progress
• Prepare board-level security presentations as required (infrequent)
• Support commercial teams by contributing to customer security discussions when escalated

Qualifications

Experience

• 8+ years in information security, including at least 3 years in a CISO, Head of Security, or senior leadership role
• Experience in B2B SaaS, fintech, finance software, or similarly regulated industries
• Proven track record of achieving and maintaining ISO 27001 certification
• Experience preparing organizations for SOC 2 Type II
• Hands-on cloud security experience (Azure and/or AWS required; GCP a plus)
• Experience with Google Workspace security configuration and administration
• Background working with distributed, remote-first engineering teams

Technical Knowledge

• Cloud security architecture, identity management, and zero-trust principles
• Secure SDLC and DevSecOps practices
• MDM solutions (VMware Workspace ONE preferred)
• API security and integration risk management
• Security tooling: SIEM, vulnerability scanners, endpoint protection
• Awareness of AI/ML security risks and governance frameworks (desirable)

Compliance & Regulatory

• ISO 27001:2022 requirements and audit processes
• SOC 2 Trust Service Criteria (Security, Availability, Confidentiality, Privacy)
• GDPR, UK Data Protection Act, and international data transfers
• Regional requirements across EU, UK, US, Australia, New Zealand, Canada, and South Africa

Additional information

• Growing international business with 10,000+ subscribers
• Regular performance-based compensation reviews
• 26 days paid time off
• 1 additional day off for your Birthday
• Remote office assistance
• Service years recognition financial reward

#J-18808-Ljbffr