Location: Johannesburg
Business Unit: Information Technology (CIO Office)
Reports to: Chief Information Officer
Why This Role Matters
We operate in a regulated payments environment with PCI DSS and SOX ITGC obligations and a 24x7 threat landscape. We are looking for a security leader who can think strategically and operate effectively. Someone who can shape direction, run a high performing security function and partner credibly with engineering. Someone proactive enough to prevent the incident and composed enough to lead through one.
About Lesaka
Lesaka is a fintech company on a mission to digitise commerce in Africa. We are listed on NASDAQ (LSAK) and the JSE (LSK) and serve merchants, consumers and enterprises across the continent. From spaza shops and taxi ranks to restaurants and city traders, our products power the small exchanges and the big steps of African commerce. One platform. Many products. One ambition: to be the most loved Merchant Operating Platform in Africa.
How We Operate
Our strategy starts from a simple operating truth. Exceptional customer experiences come from exceptional staff experiences. We balance four pillars across everything we do: Customer Experience, Staff Happiness, Cost Discipline and Risk Control. Each one amplifies the others when properly aligned. We have organised around one merchant journey with and clear execution and accountability.
Our North Star
Deliver exceptional experiences to our customers and our staff. We measure ourselves against CHAP (Customer Happiness), SHAP (Staff Happiness), Cost-to-Serve efficiency and Regulatory Impact. Happy customers, happy staff, disciplined cost, controlled risk.
The Role
You will be accountable for the security posture of the Merchant Division. You will set strategy and standards, run security operations, govern access and ensure that technical controls meet our regulatory obligations. The role contributes directly to Risk Control.
You will lead a team of four, partner closely with the Head of Infrastructure, Cloud and DevOps on embedding security into platform engineering, work with the Group ISO function on governance and govern AI tool risk in partnership with the AI Champion.
What You'll Own
Strategy and Standards
-
Define and own the enterprise security strategy and posture for the Merchant Division.
-
Develop and maintain a security risk framework with regular threat assessments.
-
Set security standards for new technology deployments and embed security review into solution design.
-
Own the IAM governance framework including role based access standards, privileged access policy and access review protocols.
-
Govern the AI security framework in partnership with the AI Champion.
Security Operations
-
Run a 24x7 security operations capability with continuous threat detection and response.
-
Govern vulnerability management across the merchant estate with critical findings tracked and remediated within SLA.
-
Own the penetration testing programme with annual third party tests and findings tracked to closure.
-
Define and test incident response plans with playbooks for every severity level.
-
Maintain a security event register and report all material events to the CIO.
Compliance and Assurance
-
Ensure ongoing compliance with PCI DSS technical controls and SOX ITGC IT general controls.
-
Manage internal and external security audits.
-
Maintain security control frameworks and evidence.
Stakeholder and Risk Alignment
-
Advise the CIO and executive leadership on security risk and mitigation strategies.
-
Align security initiatives with business priorities.
-
Collaborate across IT and the broader business to embed a strong security culture.
People and Culture Leadership
-
Build a high performing security team across threat detection, security operations and security architecture.
-
Develop specialist capability internally and reduce reliance on managed security services over time.
-
Maintain composure during incidents and hold the team to high standards in an always on environment.
What You'll Bring
You have run a 24x7 security function. You have sat through PCI DSS and security audits and come out clean. You can write the policy, defend the architecture decision and brief an executive on why something matters all in the same morning. You hold the line on standards without becoming the team that says no to everything.
-
Strong grounding in security architecture theory and practice across network, cloud, application and data domains.
-
Working knowledge of PCI DSS technical controls and advantageous to have SOX ITGC IT general controls.
-
Experience setting IAM governance frameworks in a peer model alongside infrastructure and operations functions.
-
Familiarity with industry frameworks such as NIST CSF, ISO 27001, TOGAF and SABSA.
-
Working knowledge of the contemporary security tooling landscape covering SIEM, EDR or XDR, vulnerability management, WAF, IAM and PAM tools and cloud security posture management.
-
Emerging fluency in AI risk assessment and AI governance.
How You'll Show Up
-
Performing under pressure. Incidents are when leadership is judged.
-
Result orientated cooperation. Security only works as a partnership.
-
Creating support. You build coalitions inside and outside IT.
-
Service orientated. You protect the business by enabling it.
-
Analysing and forming opinions. You bring sharp judgment to ambiguous risk decisions.
Experience & Qualifications
Experience
-
10+ years in information security with at least 5 years in a senior leadership role.
-
Proven experience running a 24x7 security function in a financial services or payments environment.
-
Strong PCI DSS and SOX ITGC IT general controls background.
-
Experience setting IAM governance frameworks in a peer model with infrastructure and operations.
-
Financial services, fintech or payments security exposure strongly preferred.
Qualifications & Certifications
-
Bachelor's degree in IT, Computer Engineering or equivalent.
-
CISSP (required) or CISM (acceptable).
-
CEH, OSCP or equivalent offensive security certification (advantageous).
-
Cloud security certification such as AWS Security Specialty, Azure Security Engineer or GCP Professional Cloud Security (advantageous).
-
NIST Cybersecurity Framework and ISO 27001 awareness (advantageous).
Ready to Build With Us?
If this is the kind of work you want to be part of, we want to hear from you. Apply now or share this with someone exceptional.