Head of Information Security

CFTC-Regulated Business Unit (DCM)

Location: Chicago, IL. Fully remote to start, transitioning to 3 days/week in office.

About Smarkets

Smarkets is a prediction market exchange for sports and political trading that has handled over $50 billion in volume since 2010. We are upending the sports betting industry by growing a platform that offers the best value for traders, with not only the fairest prices but also the best technology, alongside a superior customer experience. We believe the foundation to our success is attracting the best people to our organisation and creating a high-performance environment where they can thrive. We are searching for an atypical candidate with a wealth of regulated business experience to support the development of our CFTC business.

The Role

This is a senior security leadership role sitting within our CFTC-regulated business unit, responsible for the information security, cybersecurity, and operational resilience of our Designated Contract Market (DCM). You will design and enforce the policies and controls that protect the confidentiality, integrity, and availability of our critical systems and data, in alignment with Core Principle 20 (System Safeguards) under 17 CFR § 38.1050 et seq. This is a founding build: our licensing applications are in-flight and you will stand up the security programme through to go-live, then operate and mature it as the business scales.

You will lead efforts to identify and mitigate cyber and physical threats, coordinate incident response, and ensure the DCM can continue operating under stress, working closely with engineering, risk, and compliance, including our UK-based teams, to embed security across the software development life cycle and infrastructure. You will work directly with the CEO and senior management, with the support of the Smarkets UK team behind you.

About You

- Senior security leader with 7+ years of senior-level information security experience, ideally within financial services, exchange infrastructure, or critical regulated systems.
- Demonstrated leadership in implementing cybersecurity, compliance, and resilience programmes in high-risk environments.
- Deep familiarity with CFTC expectations around system safeguards, including Core Principle 20 and 17 CFR § 38.1050 et seq.
- Direct experience with security and risk assessments, incident response planning and execution, cybersecurity compliance audits (internal or regulatory), and disaster recovery and business continuity programmes.
- Experience managing or working with geographically distributed engineering and infrastructure teams.
- Strong understanding of security frameworks and secure software development practices.
- Excellent communication and reporting skills, including for executive and regulatory audiences.

Responsibilities

- Define and implement the DCM's information security vision, strategy, and programme, consistent with CFTC Core Principle 20 and industry-aligned best practice.
- Lead risk identification, vulnerability management, and cyber threat mitigation across all DCM technology assets.
- Ensure the design and enforcement of security controls across infrastructure, software development, vendor relationships, and end-user operations.
- Own the incident response framework, including procedures for detection, containment, reporting, recovery, and root cause analysis.
- Direct the business continuity and disaster recovery programmes, ensuring systems and teams can operate during disruption.
- Prepare and maintain system safeguards documentation, audit logs, penetration tests, and other evidence for CFTC oversight and examinations.
- Serve as the executive lead for cybersecurity audits, control testing, and CFTC technology compliance.
- Collaborate with engineering, DevOps, product, and risk to ensure secure-by-design development and deployment, including across UK-based teams.
- Regularly brief the CEO and senior management on security posture, threats, incidents, and risk levels.

Desirable Attributes

- Personal interest in sports, exchanges, or trading.
- Experience securing exchange, clearing, or trading infrastructure.
- Relevant certifications such as CISSP, CISM, or equivalent.
- Familiarity with event contracts, prediction markets, or similar novel futures products and their treatment under the CFTC framework.
- Experience engaging directly with regulators or examiners on technology and system safeguards.

Our Values

- Push to win
- Make others better
- Give a shit
- Be a pro
- Bring the energy

Our values are at the heart of everything that we do. We believe these are the fundamentals to ensure we are delivering what's expected of us in the best way possible for ourselves and for those around us.

Compensation and Benefits

Base salary range: $130,000 to $200,000 USD per year. The actual offer within this range will depend on experience, qualifications, and other job-related factors.

We have designed our benefits offering around Health, Wealth, Lifestyle and Development. From day one you will receive:

- 25 days' annual leave, plus public holidays.
- 401(k) plan: Smarkets matches 100% of employee contributions up to the first 6% of salary. Participation is voluntary, with automatic enrolment at a default contribution rate of 6% unless you select an alternative rate or choose to opt out.
- Private medical insurance: a monthly reimbursement towards the private health insurance plan of your choice.
- Performance bonus of up to 25% of base salary.
- Equity via share options scheme.
- Annual professional development budget of $1,000 for conferences, training, courses, books, and other learning opportunities.
- Work From Anywhere: up to 20 days per year (pro-rated) to work remotely from locations around the world.

Additional Information

This role is offered subject to satisfactory background screening and, where applicable, CFTC fitness and eligibility requirements. We use Ashby, our applicant tracking system, to manage applications, and AI-assisted tools may be used to support parts of our recruitment process. Applications are reviewed by our team, and hiring decisions are made by people rather than by automated tools.