Head of Cyber Security & Interim Data Protection Officer

Location: Kenya

Reporting to: CEO / Board

Department: Technology & Risk

Role Purpose:

The Head of Cyber Security is responsible for protecting the digital ROSCA platform against fraud, cyber attacks, data breaches, and system compromise.

This role ensures the platform’s confidentiality, integrity, and availability as it scales across Kenya’s high-risk fintech environment.

This is a leadership role overseeing security architecture, fraud prevention, infrastructure hardening, and incident response.

Key Responsibilities:

1. Security Architecture & Infrastructure

  • Design and implement an end-to-end security framework.
  • Secure:
      • Mobile applications
      • Backend APIs
      • Cloud infrastructure
      • Payment integrations
  • Oversee:
      • Encryption (at rest & in transit)
      • Identity and access management
      • Multi-factor authentication systems

2. Fraud Prevention & Risk Management

Given the ROSCA nature of the platform:

  • Develop anti-fraud monitoring systems.
  • Implement:
      • Suspicious transaction detection
      • Account takeover prevention
      • Identity verification controls
  • Monitor unusual contribution/disbursement behavior.
  • Work closely with the Growth team to manage agent fraud risk.

3. Security Operations

  • Set up:
      • Security monitoring tools
      • Threat detection systems
      • Vulnerability scanning
      • Penetration testing schedules
  • Conduct periodic security audits.
  • Manage third-party security vendors.

4. Incident Response

  • Develop a full cyber incident response plan.
  • Lead breach investigations.
  • Coordinate forensic analysis.
  • Report to regulators and stakeholders when required.

5. Compliance & Certifications

  • Lead ISO 27001 implementation roadmap.
  • Align security practices with:
      • CBK guidelines (if applicable)
      • Data Protection Act
      • PCI-DSS (if handling card payments)
  • Prepare security documentation for investors and audits.

6. Security Culture & Training

  • Train staff on:
      • Phishing awareness
      • Social engineering risks
      • Secure password management
  • Implement internal access control policies.

KPIs

  • Zero major security breaches
  • Successful penetration testing reports
  • Fraud rate below industry benchmark
  • 99.9% system uptime
  • Security audit pass rate
  • Incident response within defined SLA

Required Experience & Qualifications

Education

  • Bachelor’s degree in:
      • Cyber Security
      • Computer Science
      • Information Security
  • Master’s degree preferred (optional but valuable)

Certifications (Highly Preferred)

  • CISSP
  • CISM
  • CEH
  • CompTIA Security+
  • ISO 27001 Lead Implementer/Auditor

Experience

  • 7–12 years’ experience in:
      • Cyber security
      • Fintech security
      • Banking security
      • Telecom security
  • At least 3 years in a leadership role.
  • Experience securing:
      • Cloud-native applications
      • Mobile-first platforms
  • Proven track record handling:
      • Fraud detection systems
      • Incident response
      • Security audits

Technical Expertise

  • SIEM tools
  • Cloud security architecture
  • Encryption protocols
  • API security
  • DevSecOps
  • Identity and Access Management
  • Fraud analytics

Behavioral Traits

  • Highly proactive
  • Crisis leadership capability
  • Detail-oriented
  • Calm under pressure
  • Ethical and trustworthy

Data Privacy Analyst:

The Data Privacy Analyst is responsible for ensuring full compliance with the Kenya Data Protection Act (2019) and all related regulations governing the collection, processing, storage, and sharing of personal data on the digital ROSCA platform.

This role safeguards member data, builds user trust, ensures regulatory compliance, and reduces legal exposure as the platform scales nationally across urban, peri-urban, and rural markets.

Key Responsibilities

1. Regulatory Compliance & Governance

  • Ensure compliance with:
      • Kenya Data Protection Act (2019)
      • Office of the Data Protection Commissioner (ODPC) guidelines
      • Any relevant CBK, ICTA, or financial regulations
  • Lead data mapping exercises across all systems.
  • Maintain Data Processing Registers.
  • Draft and update:
      • Privacy Policies
      • Data Processing Agreements
      • Consent frameworks
      • Cookie policies
  • Ensure a lawful basis for all data collection activities.

2. Data Risk Assessment & DPIAs

  • Conduct Data Protection Impact Assessments (DPIAs).
  • Identify privacy risks in new product features.
  • Work closely with product and engineering before feature launches.
  • Review third-party vendors and integrations for compliance.

3. Data Lifecycle Management

  • Oversee:
      • Data retention schedules
      • Data minimization
      • Data deletion protocols
      • Data anonymization/pseudonymization
  • Ensure secure data handling for:
      • ID documents
      • Phone numbers
      • Financial transaction data
      • Group savings information

4. Incident Response & Breach Management

  • Develop and maintain data breach response procedures.
  • Ensure breach notifications are done within legal timelines.
  • Coordinate investigations with Cyber Security Lead.
  • Maintain breach logs and documentation.

5. Training & Awareness

  • Conduct internal privacy awareness training.
  • Develop user-facing education materials.
  • Build a privacy-by-design culture within the company.

6. Regulatory Engagement

  • Act as liaison with the Office of the Data Protection Commissioner.
  • Support registration as Data Controller/Processor (if applicable).
  • Prepare documentation during audits or regulatory inquiries.

KPIs

  • Zero regulatory penalties
  • DPIAs completed for all new features
  • 100% vendor compliance documentation
  • Breach response within statutory timeframes
  • Successful regulatory audits

Required Experience & Qualifications

Education

  • Bachelor’s degree in:
      • Law
      • Information Systems
      • Data Science
      • Cyber Security
      • Compliance

Certifications

  • Certified Data Protection Officer (CDPO) – preferred
  • CIPP/E or equivalent certification – highly desirable

Experience

  • 3–6 years’ experience in:
      • Data protection
      • Privacy compliance
      • Legal/compliance within fintech, banking, telecom, or tech
  • Direct experience with:
      • Kenya Data Protection Act
      • Regulatory filings
      • DPIAs
  • Experience working with digital platforms handling financial data is strongly preferred.

Technical Knowledge

  • Understanding of:
      • Encryption principles
      • Cloud data environments (AWS, Azure, GCP)
      • API integrations
      • Data access controls
  • Familiarity with ISO 27001 principles is a plus.

Soft Skills

  • High integrity
  • Strong documentation discipline
  • Risk-focused mindset
  • Ability to translate legal concepts into operational processes

Salary based on experience