#IkoKaziKE

Cyber Security And Information Security Lead At Carepay Ltd

Kabarak University

Education / Teaching full time Nairobi Posted 16 hours ago

KES 2,000 – KES 27,001

CarePay is a Kenyan company that administers conditional healthcare payments between funders, patients and healthcare providers. Through our M-TIBA platform, CarePay directs funds from public and private funders directly to patients into a "health wallet" on their mobile phone. The use of these funds is restricted to conditional spending at selected healthcare providers across Kenya. With every transaction, we combine a digital payment with real-time medical and financial data collection, to help make healthcare safer and more transparent for both patients and healthcare providers. CarePay has contracted more than 2,000 healthcare facilities across Kenya, with an ambition to drive healthcare inclusion for millions of Kenyans.

Role Description

We are looking for a Cyber Security & Information Security Lead to take end-to-end ownership of security at CarePay. This is a hands-on, critical role in the organization. You will be the subject-matter expert for cyber and information security, responsible for both day-to-day execution and long-term strategic direction. You will enhance and build upon the existing framework, and implement and operate CarePay's security capability, while working closely with engineering, product, operations, and leadership to ensure security enables, rather than slows down, our mission.

Cyber Security & Information Security Leadership

- Own and continuously evolve CarePay's information security and cyber security strategy
- Establish and maintain security policies, standards, and controls appropriate for a growing, international insurtech
- Turn policy into practice through effective implementation of policies, standards and controls
- Act as CarePay's primary authority on cyber and information security

Data Protection and Privacy

- Ensure appropriate protection of sensitive data, including PII, financial, and health data
- Support or act as Data Protection Officer (DPO) where required
- Lead or support Data Protection Impact Assessments (DPIAs)
- Advise teams on privacy-by-design and data minimisation principles

Risk, Governance and Compliance

- Identify, assess, and manage security, technology and privacy risks across products, platforms, and operations
- Lead security risk assessments and define pragmatic mitigation plans
- Ensure alignment with relevant standards and regulations (e.g. ISO 27001, GDPR, SOC 2, local regulatory requirements)
- Prepare for and support audits, certifications, and customer security assessments
- Serve as a key point of contact for regulators, partners, and enterprise customers on security matters

Secure Product and Platform Enablement

- Partner closely with Engineering and Product teams to embed security by design and secure SDLC practices
- Advise on cloud, application, and API security architecture
- Oversee vulnerability management, penetration testing, and remediation efforts
- Proactively identify emerging threats and weaknesses in CarePay's technology stack

Incident Preparedness and Response

- Design and maintain CarePay's incident response and breach management processes
- Lead security and privacy incident response activities when required, ensuring calm, clear communication and effective coordination
- Drive post-incident reviews and continuous improvement

Culture, Awareness & Influence

- Build security and privacy awareness across CarePay through training, guidance and practical support
- Translate technical security risks into clear business impact for non-technical stakeholders
- Act as a trusted advisor to leadership, contributing to long-term technology and risk decisions

Requirements

- 8+ years' experience in a cyber and information security and privacy function, including business continuity planning and risk management
- Solid understanding of:
  - Information security frameworks (ISO 27001, NIST, SOC 2)
  - Risk management and control design
  - Application, cloud, and API security
  - Incident response and vulnerability management
  - Data protection and privacy (GDPR)
- Experience in regulated environments (insurtech, fintech, health, insurance, or financial services)
- Strong knowledge of business impact assessments, disaster recovery, RTOs/RPOs and system criticality mapping
- Hands-on experience with cloud-native environments and modern SaaS architectures
- Proven ability to work independently with excellent communication and interpersonal skills, including delivering effective training across the company
- Analytical and detail-oriented with a proactive approach to risk identification and mitigation
- Experience working across multiple countries or regions is a strong advantage

Nice to have:

- Relevant certifications (e.g. CISSP, CISM, ISO 27001 Lead Implementer/Auditor)
- Previous experience acting as a DPO
- Experience scaling security in a growing or mission-driven organisation