Investigo

GRC Analyst

Company: Investigo
Location: London Area, United Kingdom
Posted at: 7/14/2025
Description

GRC Analyst

Location: London (3 days a week in the office)

Salary: Up to £75k (depending on how much value you bring, not how loudly you talk in meetings)


12-month FTC initially, going permanent afterwards.


Right, let’s get this out of the way: if your idea of “governance” is writing policies no one reads and updating spreadsheets no one understands, then this isn’t for you.


We’re not hiring a box-ticker. We need a Governance, Risk and Compliance Analyst who actually understands how cyber controls work in the real world - not just how they should work in a PDF written by someone who’s never configured a firewall.


You’ll be the person who helps us stay out of the headlines, not by saying “no” to everything, but by helping teams do things securely without grinding innovation to a halt.


Yes, you'll deal with frameworks and policies. But you’ll also need to understand them, challenge them, and - crucially - implement them in a way that actually works.


What you’ll actually be doing:

  • Keeping us audit-ready - internal, external, regulatory - and no, that doesn’t mean spending your life in SharePoint.
  • Making sure our policies don’t just exist, but are actually useful, followed, and updated before they become embarrassing.
  • Understanding and applying control frameworks like NIST, COBIT, and ISO 27001. Ideally all three, not just whichever one was in last year’s training.
  • Translating cyber security controls into real business impact. Vulnerability Management, IAM, DevSecOps, Third-Party Risk - you know the drill.
  • Making sense of operational risk and mapping it back to the actual tech we run.
  • Supporting our regulatory compliance in the UK, EU, US & Asia - and knowing the difference between “guidelines” and “you’re about to get fined.”
  • Helping us stay resilient in the face of inevitable chaos. Because “resilience” is more than just a buzzword on a slide.
  • Data protection. You know the difference between a DPA and a DPIA - and care enough not to mix them up.


You should apply if:

  • You’ve worked in GRC before and actually liked it.
  • You understand the point of these frameworks, not just the acronyms.
  • You can talk to engineers without sounding like compliance personified.
  • You know the difference between a good control and one that just looks good in a policy doc.
  • You’ve got experience with real-world cyber operations, not just theories from a training course.


Bonus points if:

  • You’ve worked in regulated environments and lived to tell the tale.
  • You understand the pressures of modern business, and still manage to help people do the right thing - without being that person.


This isn’t a foot-in-the-door gig. It’s for someone who wants to own this space, work cross-functionally, and actually make a difference in a security function that takes itself seriously - just not too seriously. We’re not building a fortress. We’re building something that works.


Sound like you?


Apply. If not, thanks for reading this far — you probably won’t like the meetings anyway.
