We bind our fortunes to those who dare to burn
away the obsolete and forge the unimagined future.

Head of Technology Risk & CISO

Addi

IT
Colombia
Posted on Nov 11, 2025

Location

Colombia

Employment Type

Full time

Location Type

Remote

Department

Bank

About Addi

We are a leading financial platform, building the future of payments, shopping, and banking—a world where consumers and merchants can transact effortlessly and grow together. Today, we serve over 2 million customers and partner with more than 20,000 merchants, making Addi Colombia’s fastest-growing marketplace.

With a state-of-the-art, technology-first approach, we provide banking solutions (deposits, payments, unsecured credit) and commerce services (e-commerce, marketing), bridging the financial gap for millions and redefining how people experience financial freedom. As the country’s leading Buy Now, Pay Later provider, we have secured regulatory approval to operate as a bank, unlocking even greater opportunities for our customers. In the past year, we have also achieved profitability, reinforcing the strength of our business model and our ability to scale sustainably.

Our mission has earned the trust of world-class investors, including Andreessen Horowitz, Architect Capital, GIC, Goldman Sachs, Greycroft, Monashees, Notable Capital, Quona Capital, Union Square Ventures, Victory Park Capital, and more, who back our vision for the future. With their support, we are not just growing—we are transforming Latin America’s financial ecosystem and shaping the next generation to shop, pay, and bank in Colombia.

But what truly sets us apart is how we build. We are a conscious company, driven by deep experience in scaling technology, services and products, and we live by our values every day.

About the Role

This is where you come in. Below, you’ll find what this role is all about—the impact you’ll drive, the challenges you’ll tackle, and what it takes to thrive at Addi. If you’re ready to be part of something big, keep reading.

What’s the mission you’ll drive

Establish and lead Addi's 2nd Line of Defense Technology Risk & Cybersecurity function, acting as the CISO for the regulated entity while driving a robust governance framework that provides independent risk oversight, ensures compliance (SFC/SIC), and safeguards the company by aligning technology and security practices with Addi's defined risk appetite.

What you will do

  • Establish Technology Risk Governance & Framework: Develop and maintain a comprehensive Technology & Security Risk Framework approved by the Board and aligned with Addi's risk appetite and 3LoD model. Further strengthen the existing ISO 27001-aligned security governance framework to embed continuous control testing and regulatory readiness across Addi's technology landscape.

  • Define & Maintain Technology Risk Appetite: Establish clear, quantitative and qualitative technology- and security-risk appetite statements that reflect Addi's strategic objectives and regulatory expectations. Translate appetite into measurable risk metrics and thresholds (e.g. target control expectation levels, residual risk limits, incident tolerance, recovery time objectives). Benchmark and report the actual risk posture against defined thresholds and targets.

  • Identify, Assess & Challenge Technology Risks: Maintain a clear technology-risk taxonomy and standardized risk-assessment methodology integrated with enterprise risk management. Independently challenge first-line risk identification, assessment, and mitigation plans to ensure completeness and proportionality. Lead a quarterly independent oversight cycle covering critical processes, systems and third-party vendors, delivering formal "challenge" reports to the CRO and relevant governance bodies that lead to targeted risk treatment in line with risk appetite. Conduct high-impact deep dives, control reviews, structured self-assessments, and workshops with technology and security teams based on defined priorities and emerging themes.

  • Monitor, Report & Escalate Technology Risk Posture: Develop and maintain a consolidated KRI/KPI dashboard for technology and security risk, integrated into enterprise-level reporting. Formalize and chair a quarterly board-level Tech Risk & Security Committee, delivering risk-based metrics that provide clear visibility into control effectiveness, emerging exposures, and alignment with risk appetite.

  • Oversee Incident Management & Response: Define and validate incident-classification, escalation, and regulatory-reporting processes to ensure timely compliance with company policies and SFC requirements. Oversee the handling of major technology and security incidents, ensuring transparent governance and effective communication to senior management and regulators. Lead post-incident reviews to verify root-cause analysis and ensure lessons learned are embedded into risk and control frameworks.

  • Strengthen IT Resilience, Continuity & Third-Party Risk Governance: Oversee and challenge the design and execution of business continuity and IT disaster-recovery plans, ensuring alignment with critical service objectives and regulatory expectations. Define resilience metrics (RTO, RPO, availability SLAs) and ensure they are tested, tracked, and reported to senior management. Govern the lifecycle of critical third-party providers, ensuring due diligence, contractual safeguards, ongoing monitoring, and concentration-risk analysis in alignment with first-line risk and relationship owners.

  • Foster a Risk-Aware & Resilient Technology Culture: Promote risk awareness and ownership across first-line engineering, security, product, and operations teams. Demonstrate measurable maturity growth in technology-risk management, reflected in audit results and self-assessments. Conduct selected high-impact activities with senior management and functional leaders, including simulation exercises for ransomware, DDoS, and similar threat scenarios.

  • Drive Regulatory & Certification Readiness: Sustain the ISO 27001 implementation, lead supervisory engagements, and ensure continuous audit preparedness against SFC and SIC regulatory expectations such as Circulars 029/2014, 007/2018 & 008/2018.

What we’re looking for

  • Deep expertise in technology risk, cybersecurity, IT resilience & governance

    • 12+ years of progressive experience across the three lines of defense, ideally starting in first-line security operations or architecture and advancing into governance and oversight roles within a regulated industry (Fintech, Banking, or otherwise regulated industry is strongly preferred).

    • Proven ability to translate operational security knowledge (e.g., vulnerability management, SOC, cloud security) into second-line challenge and risk-assurance practices.

    • Skilled in designing and maintaining integrated technology-, cyber-, and resilience-risk frameworks aligned with standards such as ISO 27001, ISO 22301/27031, ISO 31000, COBIT, DORA, and the Colombian Circular Externa 007/2018 (SFC).

    • Experienced in defining, monitoring, and reporting technology-risk appetite and related metrics, ensuring measurable alignment with enterprise risk tolerance and regulatory expectations.

    • Demonstrated success in leading and managing internal & external audits, regulatory examinations and similar with minimal findings and building productive relationships with auditors and regulators.

    • Track record in establishing and maturing comprehensive technology risk and security programs from the ground up or significantly transforming existing ones.

  • Ability to independently assess, challenge & communicate technology risks

    • Experienced in performing independent oversight of risk identification, assessment, and mitigation plans across infrastructure, applications, and third-party providers.

    • Capable of transforming technical risk data into meaningful insights and recommendations for senior leadership and regulators.

    • Adept at facilitating targeted risk-awareness sessions. Leverages first-line credibility to drive constructive challenge and alignment with risk appetite.

  • Proficiency in incident oversight, IT resilience & third-party risk governance

    • First-hand understanding of incident response, continuity planning and resilience testing from prior first-line exposure, combined with the ability to evaluate their adequacy as a second-line function.

    • Skilled in overseeing incident classification, escalation, and post-incident reviews for targeted lessons learned and regulatory reporting accuracy.

    • Experienced in assessing the security and resilience impact of critical third-party providers, reviewing test outcomes, and ensuring integration of vendor risks into continuity and operational-resilience frameworks.

  • Strong strategic influence across 3LoD & executive stakeholders:

    • Ability to understand and create a technology- and security-risk strategy that supports Addi's dual business model. This means enabling rapid innovation and growth for the BNPL unit while applying a more stringent, compliance-focused risk posture for the regulated Compañía de Financiamiento.

    • Ability to translate technology-risk insights (architecture, resilience, change, third-party, data integrity) into business-relevant risk narratives for executive decision-making anchored in risk appetite.

    • Experience providing independent 2nd-line challenge to CIO/CTO and engineering teams on large technology-change initiatives, outsourcing, and cloud operations.

    • Experience successfully articulating complex security risks, compliance status, and strategy to an executive team and Board of Directors, influencing investment and strategic decision-making.

  • Leadership in driving a risk-aware & resilient technology culture

    • Advocates for “resilient-by-design” and “secure-by-design” principles across product, engineering, and operations.

    • Leverages first-line empathy to influence without direct authority and embed accountability for risk ownership throughout the business.

    • Champions continuous improvement, maturity benchmarking, and integration of lessons learned into governance, policy, and awareness programs.

Why join us?

  • Work on a problem that truly matters – We are redefining how people shop, pay, and bank in Colombia, breaking down financial barriers and empowering millions. Your work will directly impact customers' lives by creating more accessible, seamless, and fair financial services.

  • Be part of something big from the ground up – This is your chance to help shape a company, influencing everything from our technology and strategy to our culture and values. You won’t just be an employee—you’ll be an owner.

  • Unparalleled growth opportunity – The market we’re tackling is massive, and we’re growing faster than almost any fintech lender at our stage. If you’re looking for a high-impact role in a company that’s scaling fast, this is it.

  • Join a world-class team – Work alongside top-tier talent from around the world, in an environment where excellence, ownership, and collaboration are at the core of everything we do. We care deeply about what we build and how we build it—and we want you to be a part of it.

  • Competitive compensation & meaningful ownership – We believe in rewarding our talent. You’ll receive a generous salary, equity in the company, and benefits that go beyond the basics to support your growth.

What the hiring process looks like

We believe in a fast, transparent, and engaging hiring experience that allows both you and us to determine if there's a great fit. Here’s what our process looks like:

  • Step 1: People Interview (30 min)
    A conversation with a recruiter to get to know you, your experience, and what you're looking for. We’ll also share more about Addi, our culture, and the role.

  • Step 2: Initial Interview (45 min)
    A more in-depth conversation with the hiring manager, where we explore your skills, experience, and problem-solving approach. We want to understand how you think and work.

  • Step 3: Deep Dive Interview (30 min)
    You'll meet future colleagues and cross-functional team members to get a feel for how we work together. We’re looking for strong contributors and cultural fits, so bring your questions, too!

  • Step 4: Case Study (3-5 Days)
    You may receive a real-world challenge or case study to complete. This is a chance to showcase your expertise and how you approach key problems relevant to the role.

  • Step 5: Co-Founder Interview
    If there’s a strong match, you’ll have a final conversation with our Founder to align on expectations, cultural fit and ensure

We value efficiency and respect for your time, so we aim to complete the process as quickly as possible. Our goal is to make this experience insightful and exciting for you, just as much as it is for us. Regardless of the outcome, we are committed to always providing feedback, ensuring that you walk away with valuable insights from your experience with us.