EPEX SPOT

Chief Information Security Officer

Hybrid

Paris, France

Senior

Full Time

16-03-2026

Skills

Communication, Leadership, Emotional Intelligence, Incident Response, Risk Management, Cloud Security, Dynamics, Monitoring, Stakeholder Management, Change Management, Prioritization, Problem-solving, Decision-making, Networking, Architecture, Risk Assessment, Organization, Azure, AWS, Software Development, GCP

Job Specifications

Join the EPEX SPOT Team: Innovate, Collaborate, Thrive

Job Summary: As a Chief Information Security Officer (CISO), you coordinate the protection of our client data and the systems/applications that process it, while strengthening our security governance and meeting cyber regulatory obligations across multiple European countries in a multi-cloud environment.

This is a high-visibility role requiring strong stakeholder management and communication to C-level leadership and the Supervisory Board. A key part of the mission is balancing and harmonizing different implementation and reporting requirements, with a near-term focus on NIS2, NCCS cyber laws, and advancing ISO 27001 certification.

You lead a cultural shift that positions information security as a value-adding partner rather than a constraint. You empower teams to take ownership of security risks while supporting business objectives.

Key Responsibilities:

1. Team and partner leadership

Collaborate with the IT Department, mainly with Cloud Center of Excellence (CCoE), Cloud Platform, and IT User experience teams, fostering strong leadership.
Build visibility, alignment, and support across internal and external stakeholders.
Provide decision-oriented reporting to C-level and Supervisory Board: top risks, posture, roadmap progress, and investment needs.
Drive a security narrative that supports business outcomes and regulatory confidence.

You lead and coordinate a security capability mix, including:

2 SOC resources
1 Security Architect
1 Cloud Security Specialist
1 Risks and Regulations Expert
2 Vulnerability and Asset Management resources
external SIEM/MSSP (managed through SLA)

2. Security strategy, governance, and risk ownership

Develop and execute a company-wide security strategy aligned with business goals and risk appetite.
Establish a clear governance model: decision forums, risk acceptance workflow, and security steering cadence.
Own the cyber risk register, including treatment plans, and formal risk sign-off.
Ensure the existence and consistency of policies/standards that work across multiple countries and operating contexts.

3. Regulatory compliance and assurance (NIS2, NCCS, ISO 27001)

Lead compliance readiness and ongoing program execution for NIS2 and NCCS requirements.
Drive the ISO 27001 certification journey (ISMS scope, risk assessment approach, Statement of Applicability, internal audits, management review, external audit readiness).
Oversee security evidence, audit responses, and regulatory reporting inputs (where applicable).
Ensure requirements are translated into practical, measurable controls across the organization.

4. Security operations, detection, and incident response

Oversee the SOC/SIEM/MSSP ecosystem to ensure effective detection, triage, response, and continuous improvement.
Strengthen incident response capability: playbooks, escalation paths, crisis communication coordination, and exercises/tabletops.
Ensure meaningful reporting on incidents, trends, and operational effectiveness—tailored for technical and executive audiences (Management Board, Supervisory Board).

5. Multi-cloud security leadership

Lead security direction for a multi-cloud environment, ensuring consistent baseline controls and accountability.
Partner with IT and architecture to embed security-by-design in identity, logging/monitoring, configuration baselines, network controls, software development, and data protection.
Enable secure delivery: integrate security into projects and change management with pragmatic guardrails.

6. Vulnerability, asset & third-party risk management

Oversee a risk-based vulnerability and asset management program (inventory quality, prioritization, remediation SLAs).

Key Requirements:

Hard Skills:

- Familiarity with DevSecOps practices.

- Familiarity with cloud services such as AWS, Azure, or Google Cloud, with an understanding of key concepts including networking, security, and cloud-native services.

- Knowledge of security in GCP environments (e.g. IAM, security baselines, compliance and controls) is an advantage.

- Ability to understand technical discussions to facilitate alignment and decision-making, without acting as a technical owner.

Soft Skills:

- Strong leadership that is both supportive and demanding, encouraging collective intelligence, individual initiative, and knowledge sharing.

- Strong communication skills, enabling constructive and productive dialogue with team members and stakeholders while providing decision-oriented reporting to C-level and Supervisory Board.

- Critical thinking and problem-solving skills to find effective and pragmatic solutions.

- High emotional intelligence, maintaining a positive and productive team environment that encourages accountability and learning.

- Conflict resolution skills, navigating disagreements in a way that promotes trust and collaboration.

- Adaptability and flexibility in response to changing priorities, scope, and team dynamics while maintaining focus on sha

About the Company

The European Power Exchange, EPEX SPOT SE, is the Exchange for short-term power trading in Europe. It enables electricity producers, utilities, trading companies and industrial consumers to trade power for today or the following day, balancing their supply and demand. EPEX SPOT and its affiliates operate organised short-term electricity markets for Central Western Europe, the United Kingdom and Denmark, Finland, Norway and Sweden. Striving for the well-functioning European single market for electricity, EPEX SPOT shares its...