Senior Security GRC Lead

Ant Group

Luxembourg

On-site

EUR 70 000 - 90 000

Full-time

4 days ago

Job summary

A leading fintech company is seeking a Senior Security GRC Lead in Luxembourg. This role involves developing and maintaining information security governance, ensuring compliance with DORA and CSSF regulations, and overseeing risk management frameworks. The ideal candidate will have over 5 years of experience in information security management and strong technical skills in cloud security and IT infrastructure. This position offers a key opportunity to influence security strategy within a dynamic team.

Qualifications

  • 5+ years in information security management roles as Security GRC Lead or equivalent.
  • Strong technical foundation in cloud security and IT infrastructure.
  • Excellent presentation skills, with experience presenting to Risk Management Committees and regulatory bodies.

Responsibilities

  • Develop and maintain information security strategy and governance framework.
  • Ensure compliance with DORA and CSSF regulations.
  • Identify, assess, and prioritize security risks across the organization.
  • Design and implement DORA-compliant ICT risk management framework.

Skills

Leadership
Communication
Cloud Security
Problem-Solving
Project Management

Tools

SIEM
EDR
vulnerability management
identity management solutions
Job description

Ant International strives to become the most trusted digital services connector to achieve sustainable growth of global commerce.

With a focus on Travel, Trade, Technology, and Talent, Ant International is committed to enhancing the digital mindset and capacities of businesses worldwide. Through fostering collaborative efforts with partners, we are driving responsible innovation and increasing market accessibility for global SMEs.

In EMEA we do so across 3 key businesses: Alipay+, Antom and WorldFirst (Where you will partner as HRBP+ also).

Team Introduction:

We are seeking an experienced Senior Security GRC Lead to join our dynamic fintech team in Luxembourg. This critical role will be responsible for developing and maintaining our comprehensive information security governance, risk, and compliance framework in alignment with CSSF regulations, DORA requirements, and international standards. The successful candidate will play a pivotal role in ensuring our digital operational resilience and protecting our financial services infrastructure.

This position provides dedicated security governance support with a 50/50 split between:
  • 50% supporting the EMEA regional team with security strategy, risk management, and security compliance initiatives
  • 50% supporting the local Luxembourg entity with CSSF regulatory compliance, DORA implementation, and local security operations
Key responsibilities:
1. Information Security Strategy & Governance
  • Develop and maintain the information security strategy, ensuring alignment with business objectives and regulatory requirements
  • Establish and oversee the information security governance framework, including policies, standards, and procedures
  • Lead the Information Security Committee and provide regular reporting to senior management
2. Regulatory Compliance Management
  • DORA Compliance: Ensure full compliance with the Digital Operational Resilience Act (DORA) requirements, including ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management
  • CSSF Regulations: Maintain compliance with CSSF Circular 25/880 and other relevant Luxembourg financial regulations
  • Industry Standards: Ensure adherence to PSD2-SCA, PCI-DSS, SWIFT CSP, ISO27001, and other applicable financial industry standards
  • EBA (European Banking Authority) guidelines and technical standards
3. Risk Management Framework
  • Identify, assess, and prioritize security risks across the organization
  • Develop and implement comprehensive risk mitigation strategies and action plans
  • Conduct regular ICT risk assessments and oversee the annual Long Form Report preparation
  • Implement and maintain a robust third-party vendor security risk management program
4. Digital Operational Resilience
  • Design and implement the DORA-compliant ICT risk management framework
  • Plan and execute digital operational resilience testing programs, including threat-led penetration testing
  • Establish and maintain incident response capabilities aligned with DORA incident reporting requirements
  • Implement continuous security monitoring and threat detection capabilities
5. Security Architecture & Technology
  • Good understanding of technology and security architectural designs
  • Good understanding of SIEM, DLP, Endpoint Security
6. Security Awareness & Culture
  • Oversee and deliver security awareness and training programs
  • Foster a security-conscious culture throughout the organization
  • Provide security guidance and support to business units and technical teams
7. Audit & Regulatory Engagement
  • Act as the primary contact point for IT security audits, inspections, and regulatory examinations
  • Coordinate responses to regulatory inquiries and implement corrective actions
  • Maintain relationships with CSSF and other regulatory authorities
Job requirements and expectations:
  • Experience: 5+ years in information security management roles as Security GRC Lead, or equivalent position in the financial services industry
  • Technical Background: Strong technical foundation in cloud security, IT infrastructure, and application security
  • Regulatory Expertise:
  1. DORA (Digital Operational Resilience Act) and its implementation requirements
  2. CSSF regulations, including Circular 25/880 on ICT security and risk management
  3. PSD2-SCA, PCI-DSS, SWIFT CSP, and other financial industry standards
  4. ISO27001 and NIST cybersecurity frameworks
Technical Skills
  • Cloud Security: Good background in cloud security controls and best practices
  • Security Technologies: Good knowledge of SIEM, EDR, vulnerability management, and identity management solutions
  • Architecture: Understanding of security architectures
  • Emerging Technologies: Knowledge of AI security
Professional Competencies
  • Leadership: Proven ability to lead security initiatives and influence stakeholders at all levels
  • Communication: Excellent presentation and communication skills, with experience presenting to Risk Management Committees, Board of Directors, and regulatory bodies
  • Problem-Solving: Strong analytical and decision-making abilities in complex regulatory environments
  • Project Management: Experience managing security projects and compliance initiatives