CISO

foodpanda is part of the Delivery Hero Group, the world’s pioneering local delivery platform, our mission is to deliver an amazing experience—fast, easy, and to your door. We operate in over 70+ countries worldwide. Headquartered in Berlin, Germany. Delivery Hero has been listed on the Frankfurt Stock Exchange since 2017 and is part of the MDAX stock market index.

Who are we?

At Delivery Hero, we believe in delivering more than just food - we deliver experiences. Operating in over 70+ countries worldwide, and headquartered in Berlin, we are one of the world’s leading local delivery platforms, listed on the Frankfurt Stock Exchange since 2017.

Role Summary

As CISO for 3 of our brands (foodora, foodpanda and Yemeksepeti) you are the central voice for security of the platform that serves 17 countries and will be responsible for executing the security strategy, implementing the associated operating model and monitoring security risks.

• Ensuring compliance with DH security policies, and local laws & regulations.

• Managing security budgets.

• Facilitating the recruitment, retention and development of security profiles.

What’s On Your Plate?Security Strategy, Operating Model, and Risk (60%) 

• Adapt and execute locally the security strategy with stakeholders across the organisation, in line with the worldwide global security strategy.

• Ensures security objectives are understood and continuously worked towards across the organization.

• Takes ownership of security decisions made across pandora.

• Collect, monitor, manage and report on security risks for pandora.

• Handle security incidents across pandora.

• Build DevSecOps culture and ensure security is embedded in how tech and other functions work.

• Ensure business projects undergo security validation processes.

Security Assurance & Compliance (20%):

• Ensure compliance with Delivery Hero internal policies and guidelines.

• Ensure compliance with regional security laws and regulations.

• Promote security awareness and culture across pandora.

• Represent pandora and interact with local security authorities and external auditors.

• Represent pandora security in the Global Security Council, other regulatory bodies, and interact/coordinate accordingly for specific security topics in pandora.

• Evangelize the importance of security across pandora helping to shift culture where needed to a security-first mindset.

Financial Resources (10%):

• Manage and monitor the pandora security budget

• Define and implement a local security Make or Buy strategy, derived from the Global security Make or Buy strategy.

People, Talents & Competences (10%):

• Facilitate the recruitment of security profiles, in line with the local and global recruitment plans to build and grow a strong security team.

• Adapt, tailor and execute locally the corporate attractiveness & retention plan, the competence & development plan and the diversity & inclusion plan.

What Did We Order?

• 12+ years of experience in security, with at least 6 years prior experience as CISO managing security teams (optimal in finance/fintech/e-commerce/ insurance sector)

• Ability to work under high workload

• Security thought leadership.

• Strong experience in building highly secured products and systems.

• Expert in different security topics (defensive, offensive, cloud sec, app sec, compliance).

• Executive level communication skills.

• Deep business acumen.

• Deep understanding of zero trust principles and architectures.

• Long Term strategic focus and ability to translate strategic business objectives to security objectives.

• Ability to build trust across organizations to grow together as a tech team.

• Ability to execute complex projects that span across the organization.

• Good understanding of agile and lean concepts.

• Ability to lead without authority creating clarity and alignment across the organization.

• Ability to find and hire the best talent.

• Ability to lead with high emotional intelligence.

• Ability to grow and mentor leaders.

• Ability to make executive-level decisions.

• Takes extreme ownership of pandora’s strategy and goals.

• Certifications:

  • CISSP 

  • At least 2 cloud certifications among AWS SAA, AWS Security, GCP Cloud Engineer, GCP Cloud Security Engineer

  • Nice to have:

    •  at least 2 SANS courses (GREM, GCFA, GCDA, GNFA, GCIH) 

    • 1 offensive security certification, such as OSCP 

Other detailed qualifications:

• Deep understanding of network and security protocols and familiarity with a wide range of security tools such as firewalls, intrusion detection systems, and vulnerability scanners, as well as how they can be exploited by attackers 

• Experience designing and implementing security measures for cloud-based systems 

• Experience with developing and reviewing aggregated performance metrics (KPI's) to report and measure performance, including MTTR and MTTD 

• Experience with incident response processes and best practices, including the ability to identify and contain security incidents, perform forensic analysis, and recover from cyber attacks [*]

• Experience working with various cloud platforms such as AWS, GCP, or Azure [*]

• Experience with MITRE/ATT&CK

• Knowledge of computer networking including TCP/IP, routing, and network security [*]

• Ability to analyze and improve team productivity based on KPIs

• Ability to drive implementation and improvement of new tools, capabilities, frameworks, and methodologies across the security operations center teams

• Ability to ensure team engagement by incorporating ideas from the team

• Ability to grow the team and ensure a smooth hiring and onboarding process

• Ability to identify and evaluate potential security risks to systems and data, and develop strategies to mitigate them

• Ability to identify and implement automation of manual processes to shorten cycles and processes

• Ability to make broad recommendations on improving the squad services and/or procedures across the organization and partner with stakeholders to implement solutions

• Ability to prepare and deliver meaningful metrics to security operations leadership 

• Ability to proactively identify changing regulatory requirements in terms of data processing and retention and ensure the security operations center services process data accordingly

• Ability to successfully execute quarterly OKRs

• Ability to take ownership and responsibility for organizational practices and processes and their continuous improvement

• Ability to understand cross team's approach and use metrics to identify gaps

• Ability to work closely with development and operations teams to ensure security of cloud systems is incorporated from the inception

• Excellent communication and interpersonal skills, with the ability to effectively coordinate with other teams and stakeholders during a security incident

• Familiarity with a wide range of security tools, such as firewalls, intrusion detection systems, and vulnerability scanners

• Hands-on experience with SIEMs (eg Splunk Security Enterprise, SentinelOne, JupiterOne) and SAST/DAST tools, Bug bounty services

• Knowledge of relevant security monitoring tools, such as AWS Guard Duty and GCP Security Command Center

• Knowledge of various operating systems including Windows, Linux, and macOS with the ability to troubleshoot and debug on these platforms

• Strong analytical skills with the ability to identify patterns and trends in security data 

• Strong understanding of cloud computing security concepts and best practices

• Understanding of the current threat landscape and ability to manage and remediate discovered security breaches

• Working knowledge of agile security methods