Secure what matters. Build what lasts.
We're growing Nimber Cyber Defend and looking for a senior security leader who blends governance & regulation with real-world engineering. If you can translate risk into board decisions, stand up pragmatic controls, and guide regulated clients through NIS2/DORA/ISO 27001 without the theater, let's talk.
What you'll do
Own the security program for a portfolio of clients (regulated sectors): strategy, policies, control framework, KPIs/KRIs, and board reporting.
Lead NIS2/DORA readiness: gap assessments, remediation roadmap, third-party risk, operational resilience, and evidence packs.
Build/maintain ISO/IEC 27001: SoA, risk treatment plans, internal audits, certification readiness.
Drive privacy-by-design with Legal/Data (GDPR, DPIAs) across cloud & data products.
Establish cloud & identity guardrails (M365/Azure/AWS, Entra/Okta), baseline hardening, vulnerability and patch governance.
Oversee SIEM/SOAR & EDR operations (e.g., Microsoft Sentinel/Splunk; Defender/CrowdStrike).
Run IR governance (playbooks, tabletop exercises), improve MTTD/MTTR, and measure what matters.
Mentor a compact team; coordinate partners for red teaming, DFIR, and audits.
What you bring
8+ years in Information Security with 3+ leading GRC / Security Programs (CISO, vCISO, Head of GRC, or similar).
Track record delivering NIS2/DORA or ISO 27001 in production environments.
One or more: C|CISO, CISSP, CISM, ISO 27001 LA/LI, CCSP, AZ-500/SC-200 (or equivalent).
Comfortable with Azure/M365 security, Entra/Okta, Sentinel/Splunk, EDR ecosystems.
Strong executive communication: you brief boards, align budgets, and land change.
Fluent English; Portuguese is a plus. Based in Lisbon/Porto with client-onsite availability when needed.
Why Nimber
Impact, not theater: boutique team, hands-on engineers, fast time-to-value.
Greenfield & autonomy: help shape our Cyber Defend playbooks, tooling, and hiring.
Growth & learning: budget for certs/conferences, peer coaching, and modern stacks.
Hybrid by default (Lisbon/Porto), flexible schedule, trust-first culture.
30/60/90 you'll lead
30 days: baseline risk & NIS2 Quick Scan, policy gap list, KPI/KRI pack.
60 days: board-ready roadmap, supplier risk method, M365/Identity hardening plan.
90 days: controls in production (top risks remediated), SIEM monitoring live, 1st tabletop done.