Senior Software Security Engineer, Detection & Response Engineering
Grafana Labs
CloudGoGrafanaKubernetesPythonReactTypeScript
First-Line Security Risk Manager
CFC
full-time
Posted on:
Location: 🇬🇧 United Kingdom
Visit company websiteJob Level
Mid-LevelSenior
About the role
- Lead and maintain the first line Information Security Risk Management function across the organisation.
- Serve as first line of defence for security risk management: ensure security governance, policy compliance, and operational risk ownership across business functions.
- Report directly to the Group CISO and work closely with business units, IT, compliance, and audit.
- Conduct and document security risk assessments across systems, projects, and processes.
- Own and manage the Group security risk register, ensuring timely updates, mitigation tracking, and escalation where required.
- Work closely with the 2nd line to manage security risks across the group.
- Support the Group CISO in risk reporting to executive stakeholders.
- Manage the exception to security policy process, including risk-based reviews, documentation, approvals, and renewals.
- Liaise with business stakeholders to assess and document residual risk where security standards cannot be met.
- Support the creation, maintenance, and review of security policies and procedures to ensure alignment with regulatory, industry, and business requirements.
- Map security policies to procedures and controls to ensure clear operational accountability.
- Facilitate awareness and compliance of security policies across business units.
Requirements
- Hands-on experience managing risk assessments, policy exceptions, and governance processes.
- Proven experience (minimum 5+ years) in security risk management, essential that this is within financial services or a regulated industry.
- Strong understanding of information security principles, standards (e.g., ISO 27001, NIST), and regulatory requirements (e.g., NYDFS, GDPR).
- Experience with risk and control frameworks (e.g., IRAM2, FAIR, COBIT) essential.
- Working knowledge of global regulations: GDPR, DORA, APRA CPS 234, CCPA, etc.
- Strong familiarity with UK and international regulatory frameworks in the US, Europe and Australia.
- Adept at translating complex regulatory or technical requirements into practical business-aligned risk management principles.
- Collaborative, adaptable, and capable of operating across time zones and cultures.
- Comfortable working with audit and compliance stakeholders during assessments, certifications, or investigations.
