Information Security Lead

At NOVACARD , we’re redefining how people use credit.
We are the first interest-free and no-annual-fee credit card in Mexico, designed to simplify personal finances and give users complete control - all from a mobile app. With NOVACARD, users can access up to $200,000 MXN in credit, only pay when they use it, and manage everything digitally in under 5 minutes. Our mission is to empower people to make smarter financial decisions by offering flexibility, transparency, and the freedom they need to reach their goals. Simple finances, big goals.

About the Role:

We are looking for an Information Security Lead to embed security practices into product development and business operations while ensuring compliance with local regulations and global security standards. In this role, you will work closely with engineering, product, DevOps, and compliance teams to integrate security into delivery processes, strengthen monitoring and incident response capabilities, and continuously improve security controls in a fast-paced product environment.

The role is mostly remote, with business trips when required.

Key Responsibilities:

• Work closely with Engineering, Product and DevOps teams to ensure security is embedded into products, platforms, and operational processes from early design stages through delivery and release cycles.

• Participate in product discovery, architecture discussions, sprint planning, change management, and release processes to ensure security requirements are addressed early and do not become delivery blockers.

• Collaborate with Compliance and Legal teams to align local regulatory requirements with product and engineering roadmaps.

• Implement and maintain controls required by CNBV, PCI DSS, and other applicable local regulatory obligations, ensuring continuous compliance.

• Implement central information security policies and develop country-specific procedures and controls in coordination with local compliance stakeholders.

• Integrate secure development practices into the SDLC, including architecture reviews, threat modeling, vulnerability management, and security checkpoints within delivery pipelines.

• Improve security monitoring capabilities and SOC coverage for the local IT environment, including configuring monitoring rules and defining incident escalation procedures.

• Lead incident response activities, coordinate investigations with engineering and product teams, conduct root cause analysis, and organize post-incident awareness sessions.

• Manage and operate local Data Loss Prevention (DLP) solutions and related processes.

• Develop, maintain, and test Disaster Recovery Plans (DRP), including organizing annual recovery exercises.

• Establish and operate vulnerability management processes, including regular scanning, prioritization of findings, and tracking remediation efforts.

• Define and deliver regular security reporting and metrics to local business leadership and the central CISO organization.

• Organize and coordinate annual assessments of the cybersecurity management system and support remediation planning.