Information Security GRC Specialist – Permanent – Hybrid
My client is a leading global investment management organisation seeking a Cyber GRC Specialist to join its Global Technology function in London.
This is a senior hire within the Information Security GRC function, acting as deputy to the Head of Information Security & GRC, supporting the leadership and day‑to‑day running of the team. The role combines hands‑on delivery with leadership responsibility, operating in a 1.5 line capacity – working closely with technology teams while maintaining strong governance oversight.
The Information Security GRC Specialist is expected to:
- Act as second‑in‑command within the GRC function, supporting the Head of Information Security & GRC across BAU, projects, and stakeholder engagement.
- Operate in a hands‑on 1.5 line capacity, working closely with SecOps, IAM, and cloud teams to ensure controls are effective in practice.
- Lead cyber risk assessments and control reviews, identifying gaps and driving remediation through to closure.
- Act as a bridge between GRC and technical teams, confidently challenging and validating control design and implementation.
- Support board‑level reporting and risk metrics, translating technical issues into clear, business‑focused insights.
- Contribute to the development and rollout of GRC tooling, with a focus on automation, reporting, and adoption across technical teams.
- Support incident response oversight, including post‑incident reviews and control improvements.
- Maintain and enhance security policies, standards, and frameworks aligned to ISO 27001 and NIST.
- Work across Technology, Risk, Compliance, and Audit to embed security into business processes and decision‑making.
The successful Information Security GRC Specialist will possess:
- Proven experience within financial services.
- Proven experience in Information Security, Cyber GRC, or Technology Risk within a regulated environment.
- Experience operating in a hands‑on capacity across both governance and technical security domains (e.g. vulnerability management, SIEM/SOC, IAM, cloud security).
- Strong understanding of security frameworks such as ISO 27001 and/or NIST.
- Ability to engage with and challenge technical teams, ensuring controls are implemented effectively rather than existing as policy only.
- Experience producing senior‑level reporting, including risk metrics and board‑facing outputs.
- Exposure to GRC tooling and/or automation initiatives.
- Strong stakeholder management skills, with the ability to work across technical and non‑technical audiences.
- Certifications (e.g. CISSP, CISM) are not essential – practical, real‑world experience is key.