Fractional Chief Information Security Officer (CISO)
Company Description
ApprovalMax is redefining how finance teams manage the Money Out cycle — from purchase orders and supplier bills to employee expense management and payroll. Trusted by 18,000+ businesses worldwide, our platform empowers companies to automate financial controls, ensure compliance, and scale efficiently.
At the end of 2024, ApprovalMax secured a £10 million growth investment from Yttrium, a leading European technology investor. This funding marks the beginning of a new chapter in our journey — scaling our category leadership in Money Out automation, expanding enterprise capabilities, and accelerating product innovation.
Job Description
We are seeking an experienced Fractional CISO to provide hands-on security leadership as we evolve our security function to support continued growth and European expansion. This is a permanent fractional engagement reporting directly to the CTO.
You will own our information security strategy, maintain our ISO 27001 certification, build our security roadmap, and prepare the organisation for SOC 2 readiness in 2026-2027. This role requires someone who can operate both strategically and tactically — developing policy one day and reviewing cloud configurations the next.
Key Responsibilities
Strategy & Governance
Develop and own the Information Security strategy aligned with ApprovalMax's business objectives and European expansion plans
Maintain and continuously improve the Information Security Management System (ISMS)
Create, review, and maintain core security policies, standards, and procedures
Establish and chair a cross-functional Security Working Group (Engineering, Architecture, IT, HR)
Build and present a multi-year security roadmap with clear milestones, resource requirements, and priorities
Serve as the central authority on risk assessment, risk treatment, and risk acceptance decisions
Assess and provide guidance on secure AI adoption across the organisation, including AI-powered product features and internal AI tooling
Compliance & Certification
Maintain ISO 27001 certification and prepare for the 2027 recertification audit
Lead SOC 2 Type II readiness programme (target: 2026-2027), including gap analysis and control mapping
Ensure compliance with GDPR and data protection requirements across EU/UK/US/AU/NZ/CA/ZA jurisdictions
Collaborate with external DPO support provider on privacy-related matters and customer security questionnaires as needed
Cloud & Technical Security
Provide security oversight across Azure, AWS, and Google Workspace environments
Conduct access reviews and advise on identity and access management best practices
Evaluate and guide implementation of security tooling (SIEM, vulnerability management, endpoint protection)
Oversee VMware Workspace ONE MDM deployment and device security policies
Advise engineering teams on secure SDLC practices, DevSecOps integration, and application security principles
Operational Security
Develop and maintain incident response plans and procedures
Lead incident response tabletop exercises and post-incident reviews
Provide guidance on business continuity and disaster recovery planning
Advise on vendor security assessments and third-party risk management
Awareness & Culture
Design and deliver company-wide security awareness training programmes
Mentor and upskill internal staff on security best practices
Foster a security-first culture across all departments
Act as a trusted advisor to leadership on emerging threats and security trends
Stakeholder Engagement
Report regularly to the CTO on security posture, risks, and programme progress
Prepare board-level security presentations as required (infrequent)
Support commercial teams by contributing to customer security discussions when escalated
Qualifications
8+ years of progressive experience in information security, with at least 3 years in a CISO, Head of Security, or senior security leadership role
Demonstrated experience in B2B SaaS environments, ideally in fintech, finance software, or similarly regulated industries
Proven track record of achieving and maintaining ISO 27001 certification
Experience preparing organisations for SOC 2 Type II certification
Hands-on experience securing cloud environments (Azure and/or AWS required; GCP a plus)
Experience with Google Workspace security configuration and administration
Background working with distributed, remote-first engineering teams
Technical Knowledge
Strong understanding of cloud security architecture, identity management, and zero-trust principles
Familiarity with secure software development lifecycle (SDLC) and DevSecOps practices
Knowledge of MDM solutions (VMware Workspace ONE experience preferred)
Understanding of API security and integration risk management
Practical experience with security tooling: SIEM, vulnerability scanners, endpoint protection, etc.
Awareness of AI/ML security risks, including secure AI adoption practices and emerging AI governance frameworks (desirable)
Compliance & Regulatory
Deep knowledge of ISO 27001:2022 requirements and audit processes
Familiarity with the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality, Privacy)
Understanding of GDPR, the UK Data Protection Act 2018, and international data transfer mechanisms
Awareness of regional requirements across EU, UK, US, Australia, New Zealand, Canada, and South Africa
Additional Information
Growing international business with 10,000+ subscribers
Regular performance-based compensation reviews
26 days paid time off
1 additional day off for your birthday
Remote office assistance
Financial reward recognising years of service