Head of Security

Full Time
Infrastructure
Budapest
Lead/Principal

Quanloop is hiring a Head of Security to build and run security across three scopes: product and engineering security, corporate security, and the security of client infrastructure operated under Cyprus regulatory residency.

Role Snapshot

  • Location: Office-first. The role is based in Budapest, where most engineering, client infrastructure, and corporate IT work sits, with regular travel to Limassol and occasional travel to Tallinn.
  • Reports to: CEO initially, later to the CISO/ICT Risk & Compliance Officer once appointed.
  • Scope: product and engineering security, corporate security, client infrastructure security.
  • Team: assembled during year one through external hiring.
  • Working relationship with the CISO/ICT Risk & Compliance Officer: advisory and operational support to the regulated Cyprus entity, without holding the statutory mandate.

What You’ll Be Responsible For

  • Product and engineering security. Threat modelling on the services that handle onboarding, accounts, and reporting. Secure development standards that engineers can actually apply. Code review practices, build pipeline controls, container and orchestration security, secrets handling, dependency hygiene. The work is done with engineering leads, in their planning cycles.
  • Corporate security. Identity and privileged access across the group. Endpoint and mobile device management. Network segmentation across the three offices. Insider risk and protection of internal material that should not leave the business. Business continuity testing that produces usable evidence.
  • Client infrastructure security. The hosting environment supporting the regulated Cyprus entity, including the resident-copy obligations attached to that jurisdiction. Access control, change control, production incident response, and the evidence trail a regulator can follow.

Across all three: incidents, investigations, security reviews of new work, vendor and third-party assessments, and the policies and controls that sit underneath. DORA defines the ICT-risk obligations the regulated entity has to meet. Translating those obligations into working controls across hosting, change, and incident response is part of this role.

What This Role Is Not

  • The Head of Security is not the statutory CISO/ICT Risk & Compliance Officer for the Cyprus regulated entity. That appointment sits in Limassol, carries the CIF mandate under Cyprus law, and is the regulatory point of contact for CySEC. It also carries the ICT Compliance Officer responsibilities under DORA, with the planning, reporting, and accountability those obligations involve. The Head of Security does not hold that mandate.
  • The role is not a CTO seat. Product architecture, engineering delivery, and platform ownership sit with engineering leadership. The Head of Security works alongside them on the security of what gets built and run, not on what gets built.

What Success Looks Like in the First 3–6 Months

The role begins operational and shifts towards strategic as the team forms. In the early months the Head of Security is hands-on across reviews, controls, and incidents. As internal conversions complete and external hires land, day-to-day ownership moves to named leads while the Head of Security retains accountability and focuses on standards, priorities, and decisions that cross teams.

  • First three months. Map what exists across the three scopes. Sit with engineering leads, infrastructure leads, and client operations. Identify the controls that are real, the controls that exist on paper, and the areas nobody currently owns. Produce a written baseline the CEO and the regulated entity can both work from. Open conversations with internal candidates for the team.
  • By six months. A working security operating model across the three scopes, with named owners for the work that does not require a full hire. First internal conversions in place. External hiring brief signed off where internal capability is genuinely absent. Threat modelling embedded in at least one engineering stream. The incident process tested on something live. An initial control set documented and being followed in practice.
  • By twelve months. The team is substantially in place. Standards are published, applied, and reviewed. The evidence base for the regulated entity is in working order. Strategic priorities for year two are agreed with the CEO and, by that point, with the appointed CISO/ICT Risk & Compliance Officer.

A Typical Week

  • Time in Budapest with engineering and infrastructure leads on current work.
  • Threat modelling sessions and security reviews of new services.
  • One-to-ones with direct reports as the team forms.
  • A recurring slot with client operations on onboarding and account-related risk.
  • Regular travel to Limassol for the regulated entity, the resident-copy environment, and time with the CISO/ICT Risk & Compliance Officer once that appointment is made.
  • Incident handling when it arrives.

What We’re Looking For

  • A security leader who has built or substantially rebuilt a security function inside a regulated business, with direct responsibility for engineering security and corporate security.
  • Comfortable in a hands-on phase and able to step back as the team takes shape.
  • Close enough to code to challenge engineering decisions on technical grounds, and close enough to policy to hold a serious conversation with legal and compliance.
  • Has worked with or near a statutory CISO function in financial services and understands what that boundary requires day to day.
  • Plain verbal and written communication in English (minimum C1 or IELTS 7 level, no certificate required).
  • Decisions recorded in writing.
  • Standards that hold because they are usable on the ground.

The CISO/ICT Risk & Compliance Officer Relationship

Quanloop’s Cyprus entity is a regulated CIF, which carries a statutory CISO appointment under Cyprus law and, under DORA, the ICT Compliance Officer responsibilities that go with it. That appointment sits in Limassol and is the subject of a separate search. The Head of Security is not that appointment.

The boundary is between the regulatory work and the operational work. The CISO/ICT Risk & Compliance Officer holds the statutory mandate, the CySEC-facing reporting, and the DORA planning that defines what the regulated entity has to do. The Head of Security implements that across the three scopes: the controls, the engineering practices, the operating model, and the evidence that the controls work. The two roles work closely day to day.

Before You Apply

If you want more context before applying, the pages below may be useful:

  • Benefits and rewards — details on health cover, time off, learning support and role-dependent bonus arrangements
  • Our offices — information on our office-first model and locations
  • Teams at Quanloop — an overview of how teams work and where this role sits
  • Our story — background on the company and the way we work

This is optional reading, but it should give you a better sense of what to expect before you apply.

How to Apply

Apply with your CV. A short note is welcome, but not required.
