Specialist, Information Security & Privacy

Pune April 7, 2026 Full Time
  • Own and manage controls across SOC 2 Type II, ISO 27001, GDPR, and HIPAA frameworks, maintaining an up-to-date control landscape and evidence inventory.
  • Coordinate and support external audits end-to-end, from audit scoping and evidence preparation to auditor walkthroughs and post-audit remediation tracking.
  • Manage compliance tracking across Google Workspace (Sheets, Drive, Docs, Gmail), maintaining structured control registers, evidence repositories, and policy documentation.
  • Send and track corrective action communications to control owners, following up through resolution and maintaining a clear audit trail.
  • Conduct periodic internal compliance reviews and produce structured reports for leadership.
Technical security and vulnerability management
  • Participate in Vulnerability Assessment and Penetration Testing (VAPT) cycles: reviewing findings, contextualising them for engineering teams, and tracking remediation to closure.
  • Monitor and triage security findings from external risk and rating platforms, including SecurityScorecard, Panorays, UpGuard, Whistic, ProcessUnity, Qualys SSL Labs, and similar sources.
  • Act as the liaison between the security team and engineering: translating security findings into actionable tickets in Jira, validating fixes post-sign-off, and gradually taking ownership of resolutions.
  • Maintain a working knowledge of common vulnerability classes (OWASP Top 10), exploits, and secure architecture patterns relevant to cloud-hosted SaaS platforms.
  • Support cloud security reviews and configuration assessments on AWS (primary) and GCP, with an understanding of IAM, network security groups, storage controls, and logging configurations.
Compliance automation and AI-assisted workflows
  • Build and maintain Python-based automation scripts that collect compliance evidence from internal systems, APIs, and Google Workspace, reducing manual evidence gathering for external audits.
  • Develop automated email workflows and scheduled reports that keep control owners, team leads, and leadership informed of compliance status, upcoming obligations, and open remediation items.
  • Create and maintain compliance dashboards that provide a real-time view of control health, audit readiness, and key risk indicators.
  • Progressively design and deploy AI-assisted internal audit workflows, acting as the orchestrator of agentic pipelines that perform control checks, generate evidence summaries, and flag anomalies for human review.
  • Leverage AI-assisted coding tools such as Cursor and Claude Code to accelerate development of automation and internal tooling.
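As an illustration of the evidence-collection automation described above, the following is an added example and not the employer's own tooling. It evaluates cloud configuration snapshots against a few controls and emits a hash-sealed evidence record that an auditor can later verify. The snapshots are constructed inline in the shape of the corresponding boto3 responses (s3.get_bucket_encryption, s3.get_public_access_block, cloudtrail.describe_trails) so the script runs offline; the control identifiers are hypothetical placeholders, not taken from any framework mapping on this page.

```python
"""Evidence collector: evaluate cloud config snapshots against controls and
emit a tamper-evident evidence record (added example, not the employer's code).

The snapshots below are CONSTRUCTED to mimic boto3 response shapes; in a real
collector they would come from s3.get_bucket_encryption(),
s3.get_public_access_block() and cloudtrail.describe_trails(). Control IDs
are hypothetical placeholders.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

# Constructed S3 snapshot: bucket name -> encryption + public-access-block config.
S3_SNAPSHOT = {
    "audit-logs": {
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                  {"SSEAlgorithm": "aws:kms"}}]},
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    },
    "marketing-assets": {
        "encryption": None,  # no default encryption configured
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    },
}

# Constructed CloudTrail snapshot in the shape of describe_trails().
CLOUDTRAIL_SNAPSHOT = {
    "trailList": [
        {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    ]
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def check_s3_encryption(name, bucket):
    """Hypothetical control: every bucket has a default encryption rule."""
    enc = bucket.get("encryption")
    ok = bool(enc and enc.get("Rules"))
    return {"control": "STO-01-S3-ENC", "resource": f"s3://{name}",
            "status": "PASS" if ok else "FAIL",
            "detail": "default encryption present" if ok else "no default encryption"}


def check_s3_public_access(name, bucket):
    """Hypothetical control: all four public-access-block flags are enabled."""
    pab = bucket.get("public_access_block") or {}
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    return {"control": "STO-02-S3-PAB", "resource": f"s3://{name}",
            "status": "PASS" if not missing else "FAIL",
            "detail": "all flags enabled" if not missing else "missing: " + ", ".join(missing)}


def check_cloudtrail(snapshot):
    """Hypothetical control: a multi-region trail with log file validation exists."""
    trails = snapshot.get("trailList", [])
    ok = any(t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")
             for t in trails)
    return {"control": "LOG-01-CT", "resource": "cloudtrail",
            "status": "PASS" if ok else "FAIL",
            "detail": "multi-region trail with validation" if ok else "no compliant trail"}


def _canonical(obj):
    # Stable serialisation so the hash does not depend on dict ordering.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def collect_evidence(s3_snapshot, cloudtrail_snapshot, collected_at=None):
    """Run all checks and seal the findings with a SHA-256 over the canonical JSON."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    findings = []
    for name, bucket in s3_snapshot.items():
        findings.append(check_s3_encryption(name, bucket))
        findings.append(check_s3_public_access(name, bucket))
    findings.append(check_cloudtrail(cloudtrail_snapshot))
    record = {"collected_at": collected_at, "findings": findings}
    record["sha256"] = hashlib.sha256(_canonical(record)).hexdigest()
    return record


def verify_evidence(record):
    """Recompute the seal; False means the stored record was altered."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record.get("sha256")


def open_items(record):
    """Failed findings, i.e. what becomes corrective-action tickets."""
    return [f for f in record["findings"] if f["status"] == "FAIL"]


if __name__ == "__main__":
    rec = collect_evidence(S3_SNAPSHOT, CLOUDTRAIL_SNAPSHOT)
    print(json.dumps(rec, indent=2))
    tampered = copy.deepcopy(rec)
    tampered["findings"][0]["status"] = "FAIL"
    print("original verifies:", verify_evidence(rec), "| tampered verifies:", verify_evidence(tampered))
```

The seal is what makes the record usable as audit evidence: the `collected_at` timestamp and findings are hashed together, so a later edit to any status field (for example a FAIL quietly flipped to PASS in a shared sheet) is detectable with `verify_evidence`. Swapping the constructed snapshots for live boto3 calls is the only change needed to run this against a real account.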
Cross-functional collaboration and programme hygiene
  • Collaborate with Engineering, DevOps, Legal, and HR teams to ensure controls are implemented, tested, and documented in alignment with framework requirements.
  • Maintain and periodically review information security policies, procedures, and standards in Google Docs, ensuring they remain current and aligned with framework controls.
  • Coordinate access reviews, vendor security assessments, and third-party risk evaluations as part of the ongoing compliance calendar.
  • Support onboarding and awareness initiatives by contributing to security training content and policy communications.
We'd love to hear from you if you:
Experience and background
  • 2-3 years of hands-on experience in information security, GRC (Governance, Risk and Compliance), or a security-adjacent technical role.
  • Demonstrated experience working with at least one major compliance framework (SOC 2, ISO 27001, GDPR, or HIPAA) including evidence collection, control testing, or audit support.
  • 1+ year of programming experience, with practical Python skills for scripting, automation, or data processing tasks.
  • Exposure to cloud platforms, with working knowledge of AWS services (IAM, S3, CloudTrail, Security Hub, or equivalent) and basic familiarity with GCP.
Technical security knowledge
  • Understanding of common vulnerability classes, OWASP Top 10, and secure development principles sufficient to contextualise findings and communicate them to engineering teams.
  • Familiarity with VAPT processes including scoping, findings review, and remediation validation.
  • Basic understanding of network security concepts: TLS/SSL, DNS, firewalls, VPNs, and cloud-native security controls.
  • Working knowledge of authentication and identity concepts: SSO, OAuth 2.0, SAML, IAM, RBAC, and MFA.
  • Ability to read and interpret security findings from external platforms such as SecurityScorecard, Qualys, or similar security rating and scanning tools.
Tooling and workflow
  • Proficient in Google Workspace: comfortable using Sheets for control tracking and mapping, Drive and Docs for policy and evidence management, Gmail for formal communications and sign-offs, and Calendar for compliance scheduling.
  • Experience using Jira for cross-functional issue tracking and Slack for team collaboration.
  • Comfortable writing Python scripts for automation, data extraction, API integrations, or report generation.
  • Exposure to or genuine curiosity about AI tooling, LLMs, and agent-based workflows.
Soft skills and working style
  • Strong written communication skills: able to draft clear policy documents, corrective action notices, and executive summaries.
  • Methodical and organised: able to manage multiple concurrent workstreams, deadlines, and stakeholders without losing detail.
  • Comfortable with ambiguity and ad-hoc requests in a fast-paced SaaS environment.
  • Proactive and self-driven: able to identify gaps, propose solutions, and execute independently once direction is set.
Good to have:
  • Certifications: CISA, CISSP, CEH, CompTIA Security+, or any recognised AI / machine learning certification.
  • Experience building or interacting with AI agents, LLM-based pipelines, or automation using frameworks such as LangChain or LangGraph.
  • Hands-on experience with AI-assisted development tools such as Cursor or Claude Code.
  • Familiarity with third-party risk and security rating platforms (SecurityScorecard, Panorays, UpGuard, Whistic, ProcessUnity).
  • Prior experience with GCP services for development or workflow automation.
  • Understanding of data privacy principles under GDPR and HIPAA, including data classification, retention policies, and subject rights processes.
  • Exposure to SAST/DAST tooling, container security, or cloud security posture management (CSPM).