Senior Information Security Analyst

Welcome to KTO Group, where innovation drives excitement in iGaming. Founded in 2018 by Andreas Bardun, we're transforming online gaming with a focus on transparency and player satisfaction.

AtKTO.com, we blend the thrill of sports betting with online casino entertainment, tailored to local markets and powered by our proprietary platform for a seamless, personalized experience.

KTO is a rising leader in LATAM, proudly ranked among Brazil's top 10 iGaming brands. Join us as we set new standards in trust, innovation, and the future of iGaming.

SUMMARY OF THE POSITION

We are looking for an experienced and highly skilled Senior Information Security Analyst to join our IT & Security team. In this role, you will be responsible for leading efforts to protect our organization's information systems from security threats and vulnerabilities. You will work closely with cross-functional teams to develop, implement, and monitor security measures that align with industry best practices and regulatory requirements. Your expertise will be crucial in safeguarding our digital assets and ensuring the integrity, confidentiality, and availability of our data.

• Develop, implement, and maintain a comprehensive information security governance framework, including policies, standards, and procedures that align with business objectives and regulatory requirements (e.g., LGPD, GDPR, ISO/IEC 27001).
• Maintain and continuously improve the security policy lifecycle, ensuring clarity, ownership, and compliance across the organization.
• Act as the document custodian for all security governance artifacts (e.g., security policies, exception registers, control frameworks).
• Lead enterprise-wide risk assessments to identify security and privacy risks, determine likelihood and impact, and design risk treatment plans that align with business risk tolerance.
• Maintain and enhance the corporate risk register, mapping threats to controls and tracking mitigation activities with control owners.
• Deliver threat and vulnerability analyses that feed into continuous improvement of risk posture and security controls.
• Ensure ongoing compliance with applicable laws, regulations, and frameworks (e.g., LGPD, GDPR, ISO 27001), providing evidence-based documentation for all key controls.
• Manage and coordinate internal and external audits, including scoping, readiness preparation, control walkthroughs, remediation planning, and stakeholder communication.
• Maintain audit trails and compliance dashboards, enabling timely and transparent reporting to executives and regulators.
• Maintain the organization's Incident Response Plan (IRP), ensuring alignment with legal obligations, business continuity plans, and best practices (e.g., NIST 800-61).
• Lead or support the incident management lifecycle, including detection, analysis, containment, eradication, recovery, and root cause analysis.
• Coordinate post-incident reviews (PIRs), capturing lessons learned, assigning ownership of corrective actions, and updating relevant policies and controls.
• Establish incident playbooks, escalation paths, and communication protocols, including compliance-related notification procedures (e.g., data breach disclosures under LGPD).
• Work with technical teams to ensure incident detection tools (SIEM, endpoint monitoring, CASB) are properly integrated into GRC oversight and tracking systems.
• Support security operations with governance-driven use cases, ensuring security tools (e.g., SASE, SIEM, CASB) produce audit-friendly logs, evidence, and compliance metrics.
• Monitor security dashboards and alerts, reporting meaningful insights and exceptions to the GRC committee and stakeholders.
• Help evaluate vendors and third-party platforms to ensure they meet GRC criteria and supply appropriate audit documentation.
• Design and deliver targeted security awareness and compliance training programs for employees, contractors, and leadership teams.
• Act as a key liaison between Legal, Compliance, IT, and other business units to embed security governance across the organization.
• Communicate GRC posture, control effectiveness, and security metrics to senior leadership and executive stakeholders in a clear, actionable format.
• Stay abreast of regulatory changes, security threats, and GRC best practices, and recommend strategic improvements to enhance the organization's resilience.
• Identify and lead projects for automation and efficiency in compliance monitoring, policy enforcement, and audit readiness.

• Proven experience with information security tools and platforms relevant to risk management, compliance monitoring, and governance (e.g., SIEM, GRC suites, vulnerability management tools, CASB, SASE).
• Demonstrated ability to design and implement information security strategies with a strong emphasis on governance, regulatory compliance, and enterprise risk management.
• Strong understanding of information security frameworks and standards such as ISO/IEC 27001, NIST CSF, LGPD, and GDPR.
• Ability to lead cross-functional initiatives, influence control owners, and drive alignment between security goals and business requirements.
• Exceptional analytical, problem-solving, and documentation skills with a high level of attention to detail — particularly in audit preparation and risk evaluation.
• Excellent written and verbal communication skills, with the ability to translate complex security concepts into business-friendly language for executives and stakeholders

At KTO, diversity isn't just a buzzword – it's our strength. We're all about creating an inclusive environment where everyone feels valued and empowered. Together, we're not just working on projects – we're making a real impact in our communities. Join us in celebrating diversity and driving meaningful change

KTO is licensed for Brazilian sports betting and online gaming under Portaria 2.093/2024, ensuring a secure and regulated environment for our operations.

Participation is prohibited for:

Individuals under 18 (eighteen) years of age;

Public agents with duties directly related to the regulation, control, and supervision of the activity within the federative entity in whose personnel framework they perform their duties;

- Persons who have or may have any influence on the outcome of a real event with a sports theme subject to fixed-odds lottery betting, including:

- Persons holding positions as sports directors, sports coaches, trainers, and members of the technical staff;

- Referees of sports, referee assistants, or equivalents, sports entrepreneurs, agents or representatives of athletes and coaches, coaches or members of the technical staff;

- Members of the administrative or supervisory body of entities responsible for organizing competitions or sporting events;

- Athletes participating in competitions organized by entities within the National Sports System;

Individuals diagnosed with gambling addiction, according to a diagnosis from a qualified mental health professional.