Quick Summary
Policies only have value if people know they exist and can realistically follow them. Your job is to align documented policy with day-to-day practice.
dLocal enables the biggest companies in the world to collect payments in 40 countries in emerging markets. Global brands rely on us to increase conversion rates and simplify payment expansion effortlessly. As both a payments processor and a merchant of record where we operate, we make it possible for our merchants to make inroads into the world's fastest-growing, emerging markets.
We do not do "check-box" compliance, and we don’t do corporate fluff.
Within the Security Department, reporting to the Head of GRC & Cyber Assurance, we are looking for a high-agency GRC Leader to own and uplift our Governance, Security Awareness, and Third-Party Risk Management programs across a complex, fast-moving global business.
This is not a caretaker role. We need a sharp operator who leads from the front, takes full ownership of delivery, and acts as the tactical bridge between regulatory requirements and operational reality. You will be measured on whether things actually change, not on whether documents exist.
Operationalize Governance: Policies only have value if people know they exist and can realistically follow them. Your job is to align documented policy with day-to-day practice. That means renegotiating existing policies and standards to make them practical, risk-calibrated, and enforceable. You will run the stakeholder process across security, engineering, and the business to land on controls that reduce risk without grinding operations to a halt. Once agreed, you own the rollout and track whether adoption is real.
Drive Security Awareness & Champions: Redefine how security expectations are communicated across the organization. No generic broadcasts. You will build targeted, high-ROI interventions using modern tools (including AI-assisted delivery) that actually change behavior. Alongside this, you will build and run a Security Champions program: recruiting motivated individuals embedded in engineering and business teams who act as the first line of security awareness and a feedback loop back to the security team.
Own TPRM & Payment Processor Risk: Take direct ownership of our global Third-Party Risk Management program, including the Payment Processor Assessment Framework. You will implement tiered, context-based reviews, eliminate unnecessary overhead, and clearly communicate residual risk positions to business stakeholders in language they can act on.
Run the Risk Register & Shift Left: Identify risks, quantify them in business terms, assign owners, and track remediation to closure. You will be in regular contact with business and engineering stakeholders to ensure risks are understood and actioned. When a risk needs to be formally accepted or escalated, you draft the paperwork and ensure the business owner (the first line of defense) actually signs it.
Lead Your Team & Execute Hands-On: Lead and mentor a sub-team across governance, awareness, and TPRM. You set a high delivery standard and own your team's output. When audit season hits or the workload requires it, you roll up your sleeves alongside your team to execute manual framework mapping across PCI DSS, SOX, and DORA.
Pragmatic Operator Mentality: You move fast and fix broken processes. You know the difference between what genuinely needs to change and what is noise. You are not a methodology presenter; you get things done where ambiguity and speed are the norm.
Stakeholder Navigation (High EQ & IQ): You read people and complex situations perfectly. You negotiate with VP-level commercial leaders, engineering directors, and external vendors. You find pragmatic compromises between security requirements and business velocity, and you know how to bring people along rather than impose.
Disciplined Multi-Threading: You are ruthlessly organized. You can manage a Payment Processor security review, a policy overhaul, and a team of direct reports simultaneously without dropping the ball.
AI Fluency: Deeply comfortable using LLMs to automate administrative governance work and move your team faster, expertly leveraging AI capabilities while ensuring strict data accuracy and hallucination governance.
Regulatory Knowledge: Strong working knowledge of PCI DSS, SOX, DORA, ISO 27001, and SOC 2. You can map controls, prepare audit evidence, and hold a credible conversation with an examiner.
Exceptional Communication: Fluent English is mandatory. You distill complex risk and governance topics into clear language for non-technical executive audiences and are equally comfortable in a policy workshop and a board-level risk briefing.
Prior experience leading GRC or Cyber Assurance teams in a fintech, payments, or tech scale-up environment.
Direct experience assessing or securing payment processors and financial institutions in emerging markets.
Listing Details
- Posted: May 26, 2026
- First seen: May 27, 2026
- Last seen: May 27, 2026
dLocal is a Uruguayan company that specializes in cross-border payments, providing innovative local payment solutions for emerging markets.