GRC & Cybersecurity Lead

Paidy Inc. · Tokyo, Japan · Lead


Paidy is Japan's pioneer and leading BNPL service company. At Paidy we believe in creating simple, instant experiences to take the hassle out of shopping with a touch of magic.

Paidy offers instant, monthly-consolidated credit to consumers by removing hassles from payment and purchase experiences. Paidy uses proprietary models and machine learning to underwrite transactions in seconds and guarantee payments to merchants. Paidy increases revenue for merchants by reducing the number of incomplete transactions, increasing conversion rates, boosting average order values, and facilitating repeat purchases from consumers. 

Paidy has reached an agreement to join PayPal, the global payments company. Paidy will continue to operate its existing business, maintain its brand and support a wide variety of consumer wallets and marketplaces by providing convenient and innovative services.

Paidy continues to innovate to make shopping easier and more fun both online and offline. For more information, please visit http://www.paidy.com. 

Cybersecurity is everyone’s responsibility, but our security team leads the charge on solving some of the most challenging and consequential problems facing our organization and industry. As a fintech company operating within a larger corporate group, we navigate a dynamic regulatory landscape while integrating our security program with our parent company’s broader initiatives.

The GRC & Cybersecurity Lead is responsible for developing, implementing, and managing governance, risk, and compliance programs that ensure Paidy meets its regulatory, security, and business requirements. This role plays a critical part in aligning cybersecurity initiatives with business objectives, managing IT risk, driving audit readiness, and advancing GRC engineering and automation capabilities. The successful candidate will work closely with stakeholders across IT, Legal, Risk, Compliance, and executive leadership, as well as external auditors, regulatory bodies, and our parent company’s security teams.

Responsibilities

  • Lead the organization’s IT governance, risk, and compliance (GRC) framework in alignment with corporate strategy, regulatory requirements, and industry best practices
  • Identify, assess, and monitor IT risks across Cloud, Application, Software, Hardware, and Networking environments
  • Maintain and enhance the IT risk register, performing periodic reviews and updates to reflect changes in the threat and technology landscape
  • Support enterprise risk management initiatives by providing risk insights and recommendations to senior leadership
  • Manage third-party and vendor security risk, including security assessments, ongoing monitoring, and contract review support
  • Ensure adherence to relevant security and privacy frameworks and regulations, including SOC 2 (Type 1 and Type 2), SOC 1 (Type 1 and Type 2), ISO 27001, NIST CSF, APPI, and the Japan Installment Sales Act (割賦販売法)
  • Own audit preparation, evidence collection, and remediation tracking for internal and external audits; drive the roadmap toward Type 2 attestations
  • Develop and maintain security policies, standards, and procedures in collaboration with key stakeholders
  • Deliver compliance reporting to management, executive leadership, the board, and regulatory authorities as required
  • Conduct IT audits and manage audit tooling to ensure continuous audit readiness
  • Implement, configure, and mature GRC tooling including RSA Archer and Vanta
  • Build and maintain automation using scripting, workflow tools (e.g., n8n), and AI tools including Claude Code to reduce manual compliance burden and accelerate audit evidence collection
  • Integrate GRC workflows with Atlassian Jira, Confluence, and Slack to embed compliance into engineering and operational processes
  • Develop security metrics, dashboards, and reporting pipelines that provide visibility into risk posture and compliance status
  • Oversee the design and implementation of cybersecurity controls, tools, and processes to mitigate IT risks
  • Collaborate with IT operations and engineering teams to embed security into technology design and operations, leading through influence rather than direct authority
  • Lead incident response planning, tabletop exercises, and post-incident reviews
  • Communicate clearly with executives and board-level stakeholders on security posture, risk trends, and compliance status
  • Promote a security-aware culture across the organization through training, enablement, and ongoing engagement
  • Support the CISO in managing the security relationship with parent company security and compliance teams; translate parent company requirements into local policy and implementation
  • Partner with business units to ensure GRC and cybersecurity considerations are integrated into projects and daily operations
  • Deliver security awareness and compliance training programs for employees
  • Act as a key liaison for cybersecurity-related matters with internal stakeholders, external auditors, vendors, and regulators

Requirements

  • 7+ years of experience in IT risk management, GRC, information security, or IT audit
  • Demonstrated experience with SOC 2, SOC 1, ISO 27001, NIST CSF, and Japanese regulatory requirements (APPI, Installment Sales Act)
  • Hands-on experience with GRC tools (RSA Archer and/or Vanta strongly preferred)
  • Strong IT knowledge across Cloud (AWS required), Application, Software, Hardware, and Networking technologies
  • Experience conducting IT audits and working with audit management tooling
  • Demonstrated ability to build automation using scripting languages, workflow tools (e.g., n8n), or AI
  • Experience working with Atlassian Jira and Confluence in a compliance or security context
  • Ability to lead and influence cross-functional teams without direct authority
  • Business-level Japanese (spoken and written) required
  • Business-level English required
  • B.S. in Information Security, Computer Science, or a related field, or equivalent practical experience
  • JLPT N1 or equivalent Japanese language proficiency
  • Experience working within a corporate group or parent-subsidiary security structure
  • Familiarity with the Japanese financial services regulatory environment
  • Experience communicating security and risk topics to executive or board-level audiences

The Paidy team will ask about your user experience with the Paidy App during the interview. Please download the Paidy App and try it out!

If you are unable to download the Paidy App due to regional restrictions, please download a similar app, such as Klarna, Afterpay, or Affirm, and form your opinions on those applications and services.

Please note that you must be eligible to work in Japan.

Certifications

  • CISSP
  • CRISC
  • CISA
  • CISM

What We Offer

  • Diversified team with 230+ colleagues from 35+ countries
  • Exciting work opportunities in a rapidly growing organization
  • Cross-functional collaboration
  • Flexible remote work options available
  • Competitive salary and benefits

  • Always seek to beat expectations. / 期待値を超える為に常に努力する。
  • Display surprising speed and resourcefulness. / 人をスピードと機知で驚かす。
  • Overcome weaknesses by leveraging the strength and help of others to win. / 仲間の強みを活かしたり協力を得ることで、自身の弱みや足りない点を克服する。
  • Fully support the final decision even if at times you may disagree. / たとえ意見が対立することがあったとしても、最終決定を全面的に受け入れ支持する。
  • Acknowledge and gather the power of others, by communicating and collaborating with them. / 仲間の力を認めて活用し、積極的にコミュニケーションをとり、協力する。
  • Show a will to own actions and go the extra mile without being asked. / 行動について強いオーナーシップを持ち、言われずとも業務を遂行しきる覚悟を持つ。
  • Strive to play an integral role. / 替えの効かない役割を果たす。
  • Embrace and bridge differences in perspective, language, and culture. / 異なる意見・考え方、言語と文化の架け橋になる。
  • Don’t compromise - raise the bar for yourself and others. / スタンダードを上げ続けることに妥協しない。

Location & Eligibility

Location: Tokyo, Japan (on-site at the office)
Who can apply: JP

Listing Details

Posted: May 21, 2026
First seen: May 21, 2026
Last seen: May 23, 2026