Cyber GRC Specialist – Permanent – Hybrid

My client is a leading global investment management organisation seeking a Cyber GRC Specialist to join its Global Technology function in London.

This is a key role within a highly regulated financial services environment, supporting the organisation’s mission to deliver secure, resilient, and compliant technology operations across global markets. Sitting at the intersection of cybersecurity, risk, compliance, and enterprise governance, you will play a critical role in strengthening the firm’s security posture, ensuring regulatory alignment, and embedding robust risk management practices across the business.

The Cyber GRC Specialist is expected to:

• Develop and maintain cybersecurity policies and standards aligned with frameworks such as ISO 27001 and NIST.
• Conduct regular cyber risk assessments and support tracking of remediation actions.
• Help embed cyber risk into enterprise risk reporting and governance processes.
• Support compliance with key regulations including FCA, SEC, MAS, and DORA.
• Produce clear risk and compliance reports for senior stakeholders.
• Assist with incident response activities and post-incident reviews.
• Support cybersecurity awareness and training across the business.
• Work closely with Technology, Risk, Compliance, Legal, and Internal Audit teams.

The successful Cyber GRC Specialist will possess:

• 3–5 years’ experience in Information Security, Cyber Risk, or IT Risk & Compliance.
• Experience in financial services (banking, insurance, asset management, or fintech).
• Understanding of security frameworks such as ISO 27001 and/or NIST.
• Awareness of regulatory requirements (FCA strongly preferred; SEC/MAS/DORA beneficial).
• Basic knowledge of core security areas:
• Network security (firewalls, TCP/IP, DNS)
• Operating systems (Windows/Linux)
• Cloud environments (AWS/Azure/GCP – basic understanding)
• IAM concepts (SSO, MFA, RBAC)
• Strong communication skills and ability to work with both technical and non-technical stakeholders.
• Security certifications (e.g. CISSP) are desirable but not essential.