Search...

VP Information Security

Finoa logo
Finoa

Finoa is a regulated crypto-financial services platform providing custody, staking, and prime brokerage for digital assets. Catering to institutional investors, corporations, and high-net-worth individuals, Finoa offers a secure and compliant environment for managing and growing crypto-assets. The company is regulated by Germany's BaFin and serves a wide range of clients, including family offices, asset managers, and venture capital funds. Finoa Consensus Services, a part of the company, specializes in institutional-grade staking solutions.

Berlin, DE

Projects

About Finoa

Finoa is a regulated digital asset platform founded in 2018, designed for institutional investors, corporations, and high-net-worth individuals. As a qualified crypto-asset custodian supervised by the German Federal Financial Supervisory Authority (BaFin), Finoa provides a secure and user-friendly environment for clients to manage, protect, and grow their digital assets. The company's core services include institutional-grade custody, in-custody staking for over 180 assets, and prime brokerage for integrated trading solutions with deep liquidity. Finoa serves a diverse client base, including family offices, asset managers, venture capital funds, and foundations, with a minimum investment position of €100,000. Additionally, Finoa Consensus Services offers specialized staking solutions like delegated staking and white-label nodes for various protocols, further supporting the crypto ecosystem.

View jobs by Finoa

Skills

About the Role

You will lead security for the Group, acting as the appointed CISO for one of the regulated entities while also running operational security day to day across the wider organization. You'll own the cybersecurity framework, continuously improving strategy, policies, risk register and controls, and you'll run the cyber risk-management lifecycle, maintaining the asset inventory and reporting regularly to the Board. You'll lead regulatory incident notification, working closely with the Data Protection Officer, and you'll set baseline security-configuration and access-control standards, commissioning independent vulnerability scans and penetration tests. You'll own vendor and outsourcing security due diligence, build the security awareness culture across the group, and support independent assurance of cyber resilience. You'll be the primary point of contact for the Board and internal functions on cyber risk. On the hands-on side, you'll own and operate the SIEM, designing detection use cases, onboarding log sources and triaging alerts. You'll run security monitoring and lead incident response, working hand in hand with engineering leadership. You'll run vulnerability management day to day, operate threat intelligence, own security tooling configuration such as EDR, firewalls and network monitoring, and own on-call coverage for security incidents.

Requirements

  • Ideally 5+ years in information security or similar roles with a mix of hands-on SOC / detection-engineering work and governance or senior-management-level accountability
  • A track record owning a cybersecurity framework in a regulated environment requiring senior-level reporting and regulatory incident notification (financial services, VASP, e-money or comparable)
  • Real, practical experience owning a SIEM (design, tuning, operation) and leading incident response
  • Comfortable being a named, accountable CISO to a regulator, subject to fit and proper assessment, and presenting to a Board
  • Clean regulatory and criminal record, no disqualification from a director or senior-management role, sound personal finances
  • Willingness to be in the Vilnius office 2-3 days per week
  • Nice to have: CISSP, CISM or equivalent
  • Nice to have: SANS/GIAC or other operational security certifications
  • Nice to have: prior exposure to regulatory regimes

Responsibilities

  • Own the cybersecurity framework and continuously improve strategy, policies, risk register and controls
  • Run the cyber risk-management lifecycle and report regularly to the Board
  • Lead regulatory incident notification and coordinate with the Data Protection Officer
  • Set baseline security-configuration and access-control standards
  • Commission independent vulnerability scans and penetration tests at least annually
  • Own vendor and outsourcing security due diligence including cloud providers
  • Build and run a group-wide security awareness programme
  • Support independent assurance and help the Board approve the security audit plan
  • Act as the primary point of contact for the Board and internal functions on cyber risk
  • Act as CISO representing the regulated entity to the regulator on IT security matters
  • Own and operate the SIEM including detection use cases and log source onboarding
  • Run security monitoring and escalation into incident response
  • Lead incident response including containment eradication and recovery
  • Run vulnerability management including scanning triage and remediation tracking
  • Operate threat intelligence and maintain indicators of compromise
  • Own security tooling configuration including EDR firewalls and network monitoring
  • Own on-call coverage for security incidents
VP Information Security at Finoa | JobStash