
WPP · United Kingdom
WPP is the trusted growth partner for the world’s leading brands. We unite cutting-edge media intelligence and data solutions, world-class creativity, next-ge...
WPP is the trusted growth partner for the world’s leading brands.
We unite cutting-edge media intelligence and data solutions, world-class creativity, next-generation production, transformative
enterprise solutions and expert strategic counsel in a single company – powered by exceptional talent and our agentic marketing
platform, WPP Open, to help our clients navigate change, capture opportunity and deliver transformational growth.
We work with the world's most valuable brands and have global reach across 100+ markets, with deep local expertise.
Our people are the key to our success. We're committed to fostering a culture of creativity, belonging and continuous learning,
attracting and developing the brightest talent, and providing exciting career opportunities that help our people grow.
For more information, visit WPP.com.
The ISMS and Risk Officer (DTS) is responsible for managing and continuously improving the Information Security Management System
(ISMS) across Data & Technology Solutions. You will ensure that security policies, controls, risks, exceptions, and governance
processes are properly maintained, evidenced, reviewed, and acted upon.
Reporting to the SVP Security and Compliance, you will provide the operational backbone for security governance across DTS. This
is a hands-on Governance, Risk, and Compliance (GRC) role. You will collaborate across security, product, engineering,
infrastructure, architecture, legal, risk, compliance, and delivery teams to transform security governance into a dynamic, working
management system rather than a static documentation exercise.
requirements.
Technology stakeholders.
appropriate forums.
risks.
scores, treatment plans, and target dates.
leadership.
material risks.
delivery.
You're open: We are inclusive and collaborative; we encourage the free exchange of ideas; we respect and celebrate diverse views.
We are open-minded: to new ideas, new partnerships, new ways of working.
You're optimistic: We believe in the power of creativity, technology and talent to create brighter futures or our people, our
clients and our communities. We approach all that we do with conviction: to try the new and to seek the unexpected.
You're extraordinary: we are stronger together: through collaboration we achieve the amazing. We are creative leaders and pioneers
of our industry; we provide extraordinary every day.
Passionate, inspired people – We aim to create a culture in which people can do extraordinary work.
Scale and opportunity – We offer the opportunity to create, influence and complete projects at a scale that is unparalleled in the
industry.
Challenging and stimulating work – Unique work and the opportunity to join a group of creative problem solvers. Are you up for the
challenge?
#LI-Hybrid
We believe the best work happens when we're together, fostering creativity, collaboration, and connection. That's why we’ve
adopted a hybrid approach, with teams in the office around four days a week. If you require accommodations or flexibility, please
discuss this with the hiring team during the interview process.
WPP is an equal opportunity employer and considers applicants for all positions without discrimination or regard to particular
characteristics. We are committed to fostering a culture of respect in which everyone feels they belong and has the same
opportunities to progress in their careers.
PLEASE READ OUR PRIVACY NOTICE (HTTPS://WWW.WPP.COM/EN/CAREERS/WPP-PRIVACY-POLICY-FOR-RECRUITMENT) FOR MORE INFORMATION ON HOW WE
WPP is the trusted growth partner for the world’s leading brands. We unite cutting-edge media intelligence and data solutions, world-class creativity, next-generation production, transformative enterprise solutions and expert strategic counsel in a single company – powered by exceptional talent and our agentic marketing platform, WPP Open, to help our clients navigate change, capture opportunity and deliver transformational growth. We work with the world's most valuable brands and have global reach across 100+ markets, with deep local expertise. Our people are the key to our success. We're committed to fostering a culture of creativity, belonging and continuous learning, attracting and developing the brightest talent, and providing exciting career opportunities that help our people grow. For more information, visit WPP.com. Why we're hiring: The Identity, AI and Data Access Governance Lead is responsible for governing who, and what, can access DTS systems, data, APIs, tools, workflows and AI-enabled capabilities. This is a hands-on governance and control role, reporting into the SVP Security and Compliance. The role ensures that access across DTS is appropriate, auditable, reviewed, least-privileged and aligned with security, privacy, compliance and client commitments. The scope covers traditional human access, external users, privileged access, service accounts, machine identities, API keys, tokens, dataset access, and the emerging governance of AI agents and agentic workflows. The role will work closely with Architecture, Security, Product, Engineering, Infrastructure, Privacy, Legal/DPO, TechOps, Enterprise Technology and the ISMS and Risk Officer to ensure DTS has a clear and controlled model for access across platforms such as WPP Open, Choreograph, InfoSum, Open Intelligence, Resolve and related DTS capabilities. What you'll be doing: 1. IDENTITY AND ACCESS GOVERNANCE FRAMEWORK Define and maintain the access governance framework for DTS. This includes: * Defining access governance standards, processes and control expectations. * Establishing how access should be requested, approved, provisioned, reviewed, revoked and evidenced. * Ensuring access governance covers internal users, external users, clients, partners, vendors, service accounts, machine identities and AI agents. * Aligning identity and access governance with DTS architecture, security, privacy, compliance and data governance requirements. * Ensuring access governance is practical for product and engineering teams to implement. 2. ACCESS REVIEWS AND RECERTIFICATION Own the process for regular access reviews and recertification across DTS. This includes: * Defining the scope, frequency and evidence requirements for access reviews. * Coordinating access reviews for critical DTS systems, production environments, privileged roles, sensitive datasets, client-facing platforms and administrative tools. * Ensuring access review outcomes are tracked, remediated and evidenced. * Identifying stale, excessive, orphaned or poorly owned access. * Escalating overdue, high-risk or unresolved access issues through the appropriate governance channels. 3. PRIVILEGED ACCESS GOVERNANCE Ensure privileged access across DTS is properly controlled, justified and auditable. This includes: * Reviewing access to production systems, cloud environments, security tools, databases, CI/CD tooling, administrative consoles and sensitive platforms. * Supporting least-privilege, just-in-time and time-bound access models where appropriate. * Working with Cloud and Platform Security and Infrastructure to improve privileged access controls. * Ensuring privileged access risks are visible in the DTS risk register where required. 4. EXTERNAL USER, CLIENT AND PARTNER ACCESS GOVERNANCE Govern access for external users, clients, agencies, partners and vendors. This includes: * Defining standards for external user onboarding, approval, permissions, expiry and offboarding. * Ensuring external access has a clear business owner and justification. * Supporting access governance across client workspaces, agency environments, partner integrations and shared collaboration areas. * Working with Product and Engineering to ensure tenant, workspace and client-level isolation is appropriately governed. * Tracking risks related to stale accounts, vendor access, partner permissions and external user overprivilege. 5. SERVICE ACCOUNT, MACHINE IDENTITY AND API ACCESS GOVERNANCE Govern non-human access across DTS systems and platforms. This includes: * Defining standards for service accounts, machine identities, automation users, API keys, tokens, secrets and integration credentials. * Ensuring non-human access has clear ownership, purpose, scope, rotation, expiry and auditability. * Working with Product, Engineering, Cloud Security and Infrastructure to reduce unmanaged credential risk. * Ensuring service accounts and machine identities are included in access reviews. * Supporting stronger governance of API access, token issuance, credential lifecycle and integration permissions. 6. AI AND AGENTIC ACCESS GOVERNANCE Define and oversee the governance model for AI agents and agentic workflows across DTS. This includes: * Defining how AI agents are identified, permissioned, monitored, reviewed and revoked. * Ensuring agents have clear ownership, scoped permissions and auditable actions. * Defining which agent actions require human approval or additional control. * Governing agent access to APIs, tools, datasets, workflows, client environments and production capabilities. * Ensuring agents act within delegated authority and cannot exceed the permissions of the user, system or business process they represent. * Working with Product, Architecture and Security to ensure agentic workflows are designed with clear action boundaries. * Working with the Product, Application and Offensive Security Lead to test whether agent permissions and action boundaries can be bypassed. * Working with Privacy Engineering to ensure AI access models support permitted use, minimisation and data protection requirements. 7. DATA ACCESS GOVERNANCE Govern access to sensitive, client, partner and WPP-owned data across DTS. This includes: * Defining standards for dataset access approval, review, revocation and evidence. * Supporting data classification from an access-control and security-governance perspective. * Ensuring access to sensitive data is role-based, purpose-based, least-privileged and auditable. * Supporting controls for cross-client, cross-market, cross-agency and partner data access. * Ensuring data access governance supports InfoSum, Open Intelligence, Resolve, WPP Open and other DTS data collaboration use cases. * Working with Privacy Engineering on data minimisation, permitted use, retention and privacy-by-design requirements. * Ensuring data access risks are surfaced through the DTS risk process. 8. GOVERNANCE OF ACCESS TO TOOLS, WORKFLOWS AND ACTIONS Ensure access governance extends beyond systems and datasets into tools, workflows and actions. This includes: * Defining governance for access to operational tools, workflow automation, orchestration systems, AI tools and administrative actions. * Ensuring high-risk actions are subject to appropriate approval, logging and monitoring. * Supporting segregation of duties across sensitive workflows. * Ensuring automated workflows and agents have clearly scoped authority. * Working with Security Operations to ensure high-risk access and actions are visible in monitoring and detection processes. 9. AUDITABILITY, EVIDENCE AND REPORTING Maintain clear evidence of access governance and support audit and assurance requirements. This includes: * Producing access governance evidence for SOC 2, ISO 27001, client assurance, internal audit and risk reviews. * Working with the ISMS and Risk Officer to ensure access controls, reviews, exceptions and remediation actions are documented. * Reporting on access review completion, high-risk access, overdue actions and access control gaps. * Supporting client and audit questions related to identity, access, privileged roles, service accounts, AI agents and data access. * Ensuring access governance is repeatable, measurable and auditable. Who you'll be working with: The Identity, AI and Data Access Governance Lead will be accountable for: * DTS identity and access governance standards. * Regular access reviews and recertification. * Privileged access governance. * External user, client, partner and vendor access governance. * Service account, machine identity, API key and token governance. * AI agent identity, permission and action governance. * Dataset and sensitive data access governance. * Governance of access to tools, workflows and high-risk actions. * Access governance evidence for audit, compliance and client assurance. * Escalation of material access risks into the DTS risk process. What you'll need: The successful candidate will have: * Experience in identity governance, access management, IAM, security governance, GRC, data access control or platform security. * Strong understanding of least privilege, role-based access control, attribute-based access control, access reviews, privileged access and segregation of duties. * Experience governing access across SaaS platforms, cloud environments, APIs, data platforms or enterprise technology estates. * Knowledge of identity platforms such as Okta, Auth0, Keycloak, Azure AD / Entra ID or similar. * Understanding of service accounts, machine identities, API keys, tokens, secrets and non-human access governance. * Understanding of AI agents, agentic workflows, delegated authority and tool-access governance would be highly valuable. * Understanding of data classification, dataset access governance, privacy-by-design and audit requirements. * Ability to work across security, architecture, product, engineering, infrastructure, legal, privacy and compliance teams. * Strong organisational skills and ability to coordinate reviews, evidence, remediation and reporting. * Ability to translate complex access issues into clear risks, controls and practical actions. LEADERSHIP EXPECTATIONS The Identity, AI and Data Access Governance Lead is expected to: * Be structured, disciplined and pragmatic. * Bring clarity to complex access and permission models. * Challenge excessive, unclear or poorly governed access. * Work constructively with product and engineering teams to design workable controls. * Avoid creating unnecessary bureaucracy while ensuring access is properly governed. * Treat human, machine and agent access as part of the same control landscape. * Escalate material access risks clearly and early. * Support DTS in building a secure, auditable and scalable access governance model. SUCCESS MEASURES Success in the role will be measured by: * DTS having clear identity, access and data access governance standards. * Regular access reviews completed on schedule with evidence. * Reduction in stale, excessive, orphaned or poorly owned access. * Stronger governance of privileged access and production access. * Clear ownership and review of service accounts, machine identities, API keys and tokens. * Defined governance for AI agent identities, permissions and actions. * Improved auditability of access to data, APIs, tools, workflows and production systems. * Better alignment between identity, security, privacy, architecture, product and engineering teams. * Material access risks being visible through the DTS risk register and Risk Review Board. * Increased confidence that DTS can answer: who or what has access to what, why, and when was it last reviewed? Who you are: You're open: We are inclusive and collaborative; we encourage the free exchange of ideas; we respect and celebrate diverse views. We are open-minded: to new ideas, new partnerships, new ways of working. You're optimistic: We believe in the power of creativity, technology and talent to create brighter futures or our people, our clients and our communities. We approach all that we do with conviction: to try the new and to seek the unexpected. You're extraordinary: we are stronger together: through collaboration we achieve the amazing. We are creative leaders and pioneers of our industry; we provide extraordinary every day. What we'll give you: Passionate, inspired people – We aim to create a culture in which people can do extraordinary work. Scale and opportunity – We offer the opportunity to create, influence and complete projects at a scale that is unparalleled in the industry. Challenging and stimulating work – Unique work and the opportunity to join a group of creative problem solvers. Are you up for the challenge? #LI-Hybrid We believe the best work happens when we're together, fostering creativity, collaboration, and connection. That's why we’ve adopted a hybrid approach, with teams in the office around four days a week. If you require accommodations or flexibility, please discuss this with the hiring team during the interview process. WPP is an equal opportunity employer and considers applicants for all positions without discrimination or regard to particular characteristics. We are committed to fostering a culture of respect in which everyone feels they belong and has the same opportunities to progress in their careers. PLEASE READ OUR PRIVACY NOTICE (HTTPS://WWW.WPP.COM/EN/CAREERS/WPP-PRIVACY-POLICY-FOR-RECRUITMENT) FOR MORE INFORMATION ON HOW WE PROCESS THE INFORMATION YOU PROVIDE.
WPP is the trusted growth partner for the world’s leading brands. We unite cutting-edge media intelligence and data solutions, world-class creativity, next-generation production, transformative enterprise solutions and expert strategic counsel in a single company – powered by exceptional talent and our agentic marketing platform, WPP Open, to help our clients navigate change, capture opportunity and deliver transformational growth. We work with the world's most valuable brands and have global reach across 100+ markets, with deep local expertise. Our people are the key to our success. We're committed to fostering a culture of creativity, belonging and continuous learning, attracting and developing the brightest talent, and providing exciting career opportunities that help our people grow. For more information, visit WPP.com. * Department: Data & Technology Solutions (DTS) * Reports To: SVP Security and Compliance * Location: [London/Hybrid 2 days a week in office] * Position Type: Full-Time ROLE OVERVIEW The Product, Application and Offensive Security Lead is responsible for embedding security directly into the design, development, testing, and operation of DTS products and platforms. This is a hands-on security engineering role. The role requires someone who can work directly with product and engineering teams, review designs, assess APIs, run threat models, test systems, coordinate penetration testing, identify vulnerabilities, and help teams remediate issues. The role ensures DTS products, APIs, data collaboration capabilities, AI-enabled workflows, and client-facing services are designed, built, and tested securely. It also owns the practical offensive security and adversarial assurance activity needed to test DTS products from an attacker’s perspective. The Product, Application and Offensive Security Lead will work closely with Product, Engineering, Architecture, Infrastructure, Security Operations, Privacy, Cloud and Platform Security, and the ISMS and Risk Officer to ensure security issues are identified early, fixed effectively, and tracked through governance where required. ---------------------------------------------------------------------------------------------------------------------------------- KEY RESPONSIBILITIES 1. HANDS-ON PRODUCT AND APPLICATION SECURITY Provide hands-on security support across DTS products and engineering teams. This includes: * Reviewing product designs, technical designs, APIs, services, and integrations. * Identifying security weaknesses in applications, workflows, and data flows. * Advising engineering teams on secure implementation. * Supporting secure design decisions during product discovery and delivery. * Helping teams resolve security issues pragmatically without creating unnecessary delivery friction. 2. SECURE SOFTWARE DEVELOPMENT LIFECYCLE (SDLC) Embed security into the software development lifecycle across DTS. This includes: * Defining and applying secure engineering standards. * Supporting secure coding practices. * Reviewing CI/CD security controls. * Supporting SAST, DAST, SCA, secrets scanning, dependency scanning, and container scanning. * Helping teams triage, prioritise, and remediate security findings. * Working with engineering teams to make security checks practical and repeatable. 3. THREAT MODELLING AND SECURITY DESIGN REVIEWS Run threat modelling and security design reviews for new and changed capabilities. This includes: * Facilitating threat modelling sessions with engineering and product teams. * Reviewing authentication and authorization designs. * Assessing API exposure, data flows, trust boundaries, and abuse cases. * Identifying risks around tenant isolation, privilege escalation, data leakage, and misuse. * Documenting key findings, recommendations, and residual risks. 4. OFFENSIVE SECURITY AND ADVERSARIAL TESTING Carry out and coordinate offensive security testing across DTS products and platforms. This includes: * Performing hands-on security testing of products, APIs, and workflows. * Coordinating external penetration tests. * Supporting red team and purple team exercises where required. * Testing abuse cases and attacker paths. * Testing access control, authentication, authorization, and data leakage risks. * Validating remediation of security findings. * Feeding material risks into the ISMS and Risk Officer for tracking. 5. API, INTEGRATION AND DATA PRODUCT SECURITY Provide security assurance for APIs, integrations, and data products. This includes: * Reviewing externally exposed APIs and partner integrations. * Assessing rate limiting, authorization, tenant isolation, logging, abuse prevention, and data leakage controls. * Supporting secure integration between InfoSum, Open Intelligence, Resolve, WPP Open, and third-party platforms. * Reviewing data product workflows for misuse, excessive access, or unintended exposure. * Working with Privacy Engineering on privacy-sensitive APIs, algorithms, and outputs. 6. AI AND AGENTIC SECURITY TESTING Provide hands-on security review and adversarial testing for AI-enabled and agentic capabilities. This includes: * Testing prompt injection, tool misuse, data leakage, and excessive agency. * Reviewing how agents access APIs, data, tools, and workflows. * Testing whether agent permissions can be bypassed or escalated. * Assessing action boundaries and human approval points. * Working with Identity, AI, and Data Access Governance to validate agent access models. * Documenting AI and agentic security risks and remediation actions. 7. VULNERABILITY TRIAGE AND REMEDIATION SUPPORT Help teams understand, prioritise, and fix security vulnerabilities. This includes: * Reviewing vulnerability findings from scans, penetration tests, code reviews, cloud tools, and external reports. * Prioritising findings based on exploitability, exposure, data sensitivity, and business impact. * Working directly with engineers to define remediation options. * Validating that fixes are effective. * Supporting exception and risk acceptance decisions where remediation is delayed. * Ensuring significant issues are visible through the DTS risk process. 8. ENGINEERING ENABLEMENT AND SECURITY COACHING Act as a practical security partner to engineering teams. This includes: * Providing secure implementation guidance. * Creating lightweight security patterns and examples. * Coaching engineers on common application, API, and AI security risks. * Helping teams understand the “why” behind security requirements. * Supporting a culture where security is part of product quality, not a separate approval gate. ---------------------------------------------------------------------------------------------------------------------------------- KEY ACCOUNTABILITIES The Product, Application and Offensive Security Lead will be accountable for: * Hands-on application and product security support across DTS. * Secure SDLC guidance and practical adoption. * Threat modelling and security design reviews. * API, integration, and data product security reviews. * Offensive security and adversarial testing activity. * AI and agentic security testing. * Vulnerability triage, remediation guidance, and fix validation. * Coordination with ISMS/Risk to ensure material risks and exceptions are tracked. * Helping engineering teams build secure systems without unnecessary delivery drag. ---------------------------------------------------------------------------------------------------------------------------------- SKILLS AND EXPERIENCE The successful candidate will have: * Strong hands-on experience in application security, product security, offensive security, security engineering, or penetration testing. * Good understanding of modern software engineering, APIs, SaaS platforms, distributed systems, and cloud-native applications. * Experience with threat modelling and secure design reviews. * Practical knowledge of common application and API security risks, including authentication, authorization, tenant isolation, injection, data leakage, privilege escalation, and supply chain risk. * Experience using security testing tools and techniques across web applications, APIs, cloud services, and CI/CD pipelines. * Familiarity with SAST, DAST, SCA, secrets scanning, dependency scanning, and vulnerability management workflows. * Experience working directly with engineers to remediate findings. * Understanding of AI and agentic security risks would be highly valuable. * Ability to communicate clearly with engineering, product, architecture, security, and leadership stakeholders. * A pragmatic, delivery-aware approach to security. ---------------------------------------------------------------------------------------------------------------------------------- LEADERSHIP EXPECTATIONS The Product, Application and Offensive Security Lead is expected to: * Be hands-on and technically credible with engineering teams. * Act as a trusted security partner, not just a reviewer or approver. * Challenge insecure designs constructively. * Help teams find practical ways to reduce risk. * Prioritise issues based on real-world exploitability and business impact. * Work across multiple DTS product areas without becoming a delivery bottleneck. * Escalate material risks clearly through the appropriate governance routes. * Promote secure engineering habits through practical guidance and example. ---------------------------------------------------------------------------------------------------------------------------------- SUCCESS MEASURES Success in the role will be measured by: * Security being embedded earlier in product and engineering delivery. * Reduction in high-risk application, API, and product vulnerabilities. * Regular threat modelling and security reviews for critical DTS capabilities. * Effective offensive and adversarial testing of products, APIs, and workflows. * Faster remediation of penetration test and security testing findings. * Improved security assurance for AI and agentic workflows. * Engineering teams receiving practical, actionable security guidance. * Material security risks being surfaced and tracked through the DTS risk process. * Security being viewed by engineering teams as an enabler of trusted delivery rather than a blocker. You're open: We are inclusive and collaborative; we encourage the free exchange of ideas; we respect and celebrate diverse views. We are open-minded: to new ideas, new partnerships, new ways of working. You're optimistic: We believe in the power of creativity, technology and talent to create brighter futures or our people, our clients and our communities. We approach all that we do with conviction: to try the new and to seek the unexpected. You're extraordinary: we are stronger together: through collaboration we achieve the amazing. We are creative leaders and pioneers of our industry; we provide extraordinary every day. What we'll give you: Passionate, inspired people – We aim to create a culture in which people can do extraordinary work. Scale and opportunity – We offer the opportunity to create, influence and complete projects at a scale that is unparalleled in the industry. Challenging and stimulating work – Unique work and the opportunity to join a group of creative problem solvers. Are you up for the challenge? #LI-Hybrid We believe the best work happens when we're together, fostering creativity, collaboration, and connection. That's why we’ve adopted a hybrid approach, with teams in the office around four days a week. If you require accommodations or flexibility, please discuss this with the hiring team during the interview process. WPP is an equal opportunity employer and considers applicants for all positions without discrimination or regard to particular characteristics. We are committed to fostering a culture of respect in which everyone feels they belong and has the same opportunities to progress in their careers. PLEASE READ OUR PRIVACY NOTICE (HTTPS://WWW.WPP.COM/EN/CAREERS/WPP-PRIVACY-POLICY-FOR-RECRUITMENT) FOR MORE INFORMATION ON HOW WE PROCESS THE INFORMATION YOU PROVIDE.
About Us Hawk is the leading provider of AI-supported anti-money laundering and fraud detection technology. Banks and payment providers globally are using Hawk’s powerful combination of traditional rules and explainable AI to improve the effectiveness of their AML compliance and fraud prevention by identifying more crime while maximizing efficiency by reducing false positives. With our solution, we are playing a vital role in the global fight against Money Laundering, Fraud, or the financing of terrorism. We offer a culture of mutual trust, support and passion – while providing individuals with opportunities to grow professionally and make a difference in the world. Your Mission: We are seeking a highly skilled and technically strong (Senior) Information Security Officer to join Hawk’s Information Security function. This role is critical to maintaining trust with our customers, supporting pre-sales and sales engagements, and ensuring Hawk remains compliant with security standards such as ISO 27001. You will act as a key technical and communication bridge between customers, auditors, internal teams, and our security tooling landscape. From managing security enquiries and RFPs to strengthening our ISMS and improving endpoint and access security, you will play a vital role in safeguarding Hawk’s platform, data, and operations. This is an ideal opportunity for someone who combines excellent communication skills and strong security fundamentals, with the ability to operate confidently with both technical and non-technical stakeholders. Fluent German is essential for this role due to regular engagement with German-speaking customers. Key Responsibilities: Customer & Pre-Sales Security Support * Respond to security questionnaires, RFPs, and due-diligence requests in collaboration with Sales and Pre-Sales. * Participate in customer calls to explain Hawk’s security posture and answer technical, compliance, and infrastructure-related questions. * Represent Hawk’s security capabilities clearly and confidently to regulated financial institutions. ISMS & Compliance (ISO 27001) * Support the ongoing operation and improvement of Hawk’s ISMS, ensuring alignment with ISO 27001 controls and underlying processes. * Assist in internal audits, evidence gathering, and risk assessments. * Help maintain certification readiness by driving documentation, process adherence, and corrective actions. Platform & 3rd-Party Security Oversight * Monitor the security posture of Hawk’s corporate tools, infrastructure, and integrations. * Support vendor assessments and due diligence for security-related tools. * Collaborate with Engineering, IT, and InfoSec to strengthen platform and enterprise security baselines. Cross-Functional Collaboration & Stakeholder Communication * Work closely with Information Security, IT, Engineering, Sales, Customer Success, and Procurement teams. * Translate complex technical and security concepts into clear explanations for both technical and non-technical audiences. * Contribute to internal security awareness, documentation, and operational processes. Your Profile: Technical Experience & Skills: * 5+ years of hands-on experience in Information Security, IT Security, or a related GRC role within a B2B tech or SaaS environment * Proven experience operating and improving an ISMS aligned to ISO 27001, including policy development, risk assessments, internal audits, and certification maintenance * Working knowledge of additional regulatory and compliance frameworks — SOC 2, DORA, and NIS 2 * Solid understanding of IT security fundamentals: authentication, endpoint security, encryption, network basics * Good technical competence across multiple operating systems (macOS, Windows, Linux) * Experience coordinating with external auditors, certification bodies, and regulators * Relevant certifications highly desirable (e.g., ISO 27001 Lead Implementer/Auditor, CISSP, CISM, CRISC, CompTIA Security+) Communication & Stakeholder Management: * Fluent German and English — mandatory due to regular engagement with German-speaking customers, auditors, and regulators * Ability to articulate complex security and compliance topics clearly to diverse audiences (engineers, customers, auditors, leadership) * Strong documentation skills with attention to accuracy, consistency, and audit-readiness Bonus: * Experience with identity and access management tools (e.g., JumpCloud, Okta), MDM solutions, and enterprise security platforms * Exposure to 3rd-party risk management, vendor security assessments, or SaaS security tooling * Experience supporting security questionnaires, RFPs, or due-diligence calls with regulated financial customers * Familiarity with data protection requirements (GDPR) in a security context * A proactive, structured, and collaborative approach with the ability to balance multiple priorities in a fast-paced environment