Head Of Information Security

Head Of Information Security

Thndr is looking for a head of information security to serve as the company's most senior security leader with full ownership of the information security program across governance, risk, compliance, assurance, and engineering (security planning and operations).

Reporting directly to executive leadership, you will set the vision and direction for how Thndr manages security risk, and ensure the security function is performing at the level the business and its regulators expect, balancing business agility with risk management. You will lead two established teams and be accountable for their output, development, and alignment to the broader security strategy:

• Information Security (Governance, Risk, Compliance & Assurance) — owns the security program at the governance level, including the policy and control framework, cyber risk management, regulatory alignment, and independent oversight across all business functions.

• Security Engineering — designs, plans and builds, and operates Thndr's security capabilities and tech stack, from access controls and CI/CD security to logging, and the broader tooling estate.

This is not a hands-on technical role. It is a leadership role for someone who knows the domain deeply enough to ask the right questions, set the right expectations, and hold the right people accountable — while building a function that is trusted by the business, respected by regulators, and capable of scaling with Thndr's growth across Egypt, the UAE, and KSA.

Security Strategy & Program Ownership

• Define and own Thndr's information security strategy and multi-year roadmap, balancing risk reduction, regulatory obligations, and business velocity.

• Set the operating model for the security function, including how teams are structured, how accountability is distributed, and how performance is measured at the individual level and the function level.

• Act as Thndr's most senior security voice — advising executive leadership, representing the function in governance committees, and providing clear, independent views on residual risk and strategic priorities.

Governance, Risk & Compliance

• Own the information security program at the governance level: policy framework, control framework, and cyber risk management approach.

• Drive the organization's alignment to applicable frameworks and regulations — including ISO 27001, NIST CSF, PCI DSS, SOC 2, and the regulatory requirements of EG-FRA, ADGM-FSRA, and the emerging KSA landscape.

• Ensure the risk register, KPIs/KRIs, and maturity measures are maintained and used to drive accountability — with your teams executing the underlying work.

• Commission, lead and review independent reporting on the security program's effectiveness; challenge control owners where performance falls short of expectations.

Security Engineering & Technical Oversight

• Sufficient depth across application security, cloud and infrastructure security, IAM, and CI/CD pipeline security to set architectural direction, review engineering proposals, and challenge technical decisions — without operating tools directly.

• Familiarity with the capabilities and trade-offs of a modern security tooling estate (SIEM/SOAR, SAST/DAST/SCA, WAF, EDR, secrets management) to evaluate coverage gaps and prioritize engineering investment.

• Ability to assess security engineering output — including detection logic, automation coverage, and operational readiness — and hold engineering leads accountable for quality, SLAs, and alignment to the security roadmap.

• Experience defining or influencing secure-by-design standards across product and platform engineering teams in a cloud-native, fast-shipping environment.

Team & Function Leadership

• Provide unified leadership across both the Information Security and Security Engineering teams, ensuring they operate cohesively with clear mandates, aligned priorities, and shared accountability to the security strategy.

• Lead, develop, and retain high-performing teams — creating clear career pathways, a culture of ownership, and a bench of future leaders, while holding functional leads accountable for outcomes without directing day-to-day work.

• Build the security function's reputation as a trusted partner internally and a credible, independent voice on risk externally — with regulators, auditors, and commercial stakeholders alike.

What You'll Need

Experience

• 8+ years in information security, with at least 4–5 years in a senior leadership role (CISO, Head of Security, or equivalent) owning a security function end-to-end.

• Proven track record leading multi-disciplinary security teams spanning both GRC and technical/engineering domains.

• Experience operating in a regulated financial services or fintech environment, with direct exposure to regulatory engagement and audit defense.

• Demonstrated ability to build and scale security programs in high-growth environments.

Domain Knowledge

• Deep understanding of the security landscape across GRC, application security, infrastructure security, IAM, and cloud environments — sufficient to set direction, challenge practitioners, and make informed risk trade-offs.

• Familiarity with the tooling and capabilities underpinning a modern security function (SIEM, SAST/SCA, WAF, DLP, access management, etc.), without being expected to operate them directly.

Frameworks & Compliance

• Strong working knowledge of ISO 27001, NIST CSF, PCI DSS, and/or SOC 2 — including how to govern against them at scale.

• Experience managing regulatory relationships and preparing board- and committee-level security reporting.

Leadership & Communication

• Exceptional executive presence — able to represent security credibly at the board level and translate complex risk into clear business language.

• A natural leader who builds trust with technical and non-technical stakeholders alike, and who holds teams to high standards without micromanaging.

• Strategic thinker with the judgment to prioritize effectively, navigate ambiguity, and make decisions under uncertainty.

Nice to Have

• Familiarity with financial regulatory requirements across Thndr's operating markets: EG-FRA (Egypt), ADGM-FSRA (UAE), and the emerging KSA regulatory landscape.

• Relevant certifications: CISSP, CISM, or equivalent.

Who Are We?

Thndr was founded on a bold dream to democratize access to investing through smart tech and human-centric design. This is simply our way of saying we give anyone with a smartphone the simple and easy access they need to preserve and grow their wealth. At the same time, we're shaping the future of investing while actively driving the economies we serve by promoting local investment products.

History has shown that investing is the single greatest way to build long-term wealth, but before Thndr, only a very small percentage of people had access to it due to:

• High barriers to entry — in the form of excessive minimum account balances, complex, outdated onboarding, and low financial literacy.

• Irrelevant experience — catered toward expert traders and financial specialists, therefore alienating the majority of the population.

• Fragmented offering — investment products were not gathered in a single, intuitive outlet.

We don't just talk about change, we deliver it. Here's a glimpse into our impact so far:

• 5.5 million app downloads

• EGP 1B+ average daily traded value across 2025

• #1 digital investing platform in Egypt for the third consecutive year

• 76% of users are first-time investors

• 40% of our users come from outside of capital cities and have previously had limited access to financial institutions

Building on the success of our core platform, we are continuing to change culture and break down