Jobs at Hub71 startups


Information Security Officer

XBTO Group

IT
Paris, France
Posted on Jan 9, 2025

About us

XBTO is a leading institutional provider for digital assets. In 2015, XBTO was first to provide institutional-grade liquidity to major trading platforms. Since then, we have made significant efforts to create stability in the cryptocurrency markets.

XBTO offers a comprehensive regulated platform for digital assets and tailored investment solutions catered to sophisticated non-US investors and institutions. Our offering spans Asset Management, Trading, Custody, and Market Making.

With over nine years of experience in digital assets and more than twenty years in traditional finance, we offer expert insights and solutions to navigate the relatively new and dynamic field of digital assets. We combine deep technical and trading expertise with established industry-wide relationships to provide sophisticated solutions for our counterparties.

Description

The Information Security Officer (ISO) works closely with the XBTO Chief Information Security Officer (CISO) to define and drive the execution of the company’s information security program.

The ISO is instrumental in Governance, Risk, and Compliance (GRC) management, creating tailored requirements and controls that align with business objectives, contractual commitments, and regulatory standards.

Additionally, the ISO is responsible for conducting risk assessments, performing compliance gap analyses, and supporting the continuous development of KPIs to assess the effectiveness of XBTO’s security program.

As a strong advocate for promoting a robust risk management and compliance culture, the ISO ensures that security practices are embedded across the organization.

Responsibilities

Governance

  • Collaborate with the CISO to define and implement the organization’s information security program.
  • Assist the CISO in managing the information security framework by developing security policies, standards, and initiatives that align with regulatory requirements and business objectives.
  • Propose and track Key Performance Indicators (KPIs) to assess the effectiveness of the information security program.
  • Contribute to the preparation of detailed risk and compliance reports for senior leadership and relevant committees.
  • Support compliance efforts with applicable standards and frameworks, such as ISO 27001 and GDPR.
  • Assist in compliance efforts with relevant regulatory frameworks, including BMA DABA, ADGM FSRA, UK FCA, European MiCA, European DORA, and others.
  • Collaborate with both the first and second lines of defense in information security to ensure the appropriate level of governance and security assurance.
  • Evaluate, maintain, and enhance existing information security processes.

Risk Management

  • Lead and conduct regular risk assessments, compliance gap analyses, and internal audits to assess the effectiveness of the security program and identify areas for improvement.
  • Support the third-party due diligence process by performing information security risk assessments.
  • Maintain the information security risk register and report on the status of identified risks and mitigations.

Compliance Management

  • Continuously assess the compliance status of business activities, systems, and projects to identify non-compliance and recommend corrective actions.
  • Develop and maintain tailored security controls to address specific business and regulatory needs.
  • Support the CISO in acquiring and maintaining authorization to operate from financial authorities.
  • Monitor the regulatory landscape to ensure the company’s information security program remains compliant with existing and future regulations.
  • Collaborate with legal and compliance teams to monitor and address non-compliance issues and regulatory changes.

Training and Awareness

  • Act as a key advocate for information security, promoting awareness and ensuring adherence to information security policies and standards across the organization.
  • Support the implementation of the information security awareness program (e.g., monthly training, regular phishing simulation campaigns) throughout the organization.
  • Foster a strong risk management and compliance culture, ensuring that security practices are integrated into all departments and business processes.

Incident Management

  • Support the incident response process, ensuring that appropriate actions are taken following security breaches and other information security incidents.
  • Contribute to post-mortem activities, including lessons learned, after major incidents, and recommend improvements to prevent future occurrences.
  • Report on risk and compliance metrics to senior leadership and stakeholders, highlighting areas of concern and opportunities for improvement.

Qualifications

Required

  • A minimum of 5 years of experience in information security, with a strong background in GRC management within highly regulated environments.
  • Proven ability to conduct risk assessments and drive the implementation of risk mitigation plans.
  • Demonstrated experience with compliance gap analyses and the development of meaningful security KPIs and OKRs.
  • Experience in implementing standards and frameworks such as ISO 27001, EBIOS, NIST, SOC 2 Type II, and GDPR.
  • Experience with regulations specific to the crypto-asset sector, such as BMA DABA Operational Cyber Risk Code of Conduct, MiCA, DORA, GDPR, ADGM, or similar.
  • Strong understanding of security concepts, modern architectures, and technologies.
  • Experience with business continuity and disaster recovery in high-availability and high-frequency environments.
  • Experience in the fintech or digital asset industries, with a deep understanding of the unique regulatory and security challenges.

Skills

  • Proficient and pragmatic in risk management.
  • Skilled in defining and implementing an information security program.
  • Ability to develop relevant and meaningful KPIs and OKRs.
  • Strong interest in law and regulatory compliance.
  • Capable of working independently and applying project management methodologies.
  • Ability to manage multiple priorities in a fast-paced environment.
  • Excellent communication skills, with the ability to collaborate across departments and report to senior management and risk committees.
  • Knowledge of computer science and information systems to ensure effective communication with other stakeholders, including internal engineering and infrastructure teams.
  • Knowledge of information security beyond the GRC scope, including incident response, application security, and network security, to ensure effective collaboration with the other team members.

Education

  • A Bachelor’s degree or a Master’s degree in Computer Science or Information Security is required.
  • Professional certifications such as CRISC, CISM, CISSP, ISO 27001 Lead Implementer, or ISO 22301 Lead Implementer are a plus.

Working at XBTO

The dynamic team at XBTO is made up of some of the best talents in digital assets, traditional finance and technology. We work in a collegiate environment with relentless focus on our mission and team. We’re looking for individuals who share the same values and principles such as:

  • Entrepreneurial spirit - Takes ownership, showcasing a high degree of drive, perseverance and accountability to achieve our goals
  • Trust & integrity - Exemplifies the highest ethical and professional standards to serve our clients
  • Collaboration & care - Genuinely cares about other team members and champions working as one team
  • Humility & candor - Showcases openness to the diverse ideas and perspectives of co-workers and seeks to receive and give constructive feedback
  • Innovation & knowledge - Stays abreast of the dynamic industry and pursues opportunities to anticipate the evolving needs of our clients
  • Risk & compliance mindset - Demonstrates a commitment to compliance and appropriate sensitivity to risk- and control-related issues

Our hiring process

In compliance with applicable law, all persons hired will be required to verify their identity and eligibility to work and to complete employment eligibility verification and background checks.

XBTO is an equal opportunity employer. We seek a diverse applicant pool and hire without regard to race, colour, gender identity, religion, national origin, ancestry, citizenship, physical abilities (or disability), age, sexual orientation, veteran status, or any other characteristic protected by law.

We are an equal opportunity employer and place a high value on diversity and inclusion at our company.