
GRC Manager

PARIS, 75
1 day ago

Description

Leboncoin is progressively building an autonomous cybersecurity function while remaining part of the Adevinta group. As part of this transformation, we are establishing a local Cybersecurity Risk & GRC function to own leboncoin-specific cyber risks, support executive decision-making, and ensure alignment with group-level governance frameworks.

The Cybersecurity Risk & GRC Lead’s mission is to make cyber risk understandable, actionable, and decision-ready for both technical teams and executive leadership, without slowing down innovation or delivery.

This role is not a pure compliance role. It is a hands-on, strategic position at the intersection of security, product, engineering, legal, and top management.

Job requirements

  • 7+ years of experience in cybersecurity, risk management, GRC or equivalent security roles
  • Strong technical and functional understanding of:
    • modern application and cloud architectures
    • operational security and incident response realities
    • regulatory environments relevant to digital platforms (GDPR, NIS2, etc.)
  • Proven experience engaging with:
    • engineering teams
    • legal / compliance functions
    • senior leadership

Mindset & skills

  • Ability to translate technical risk into business language
  • Comfortable operating in evolving, build-mode environments
  • Pragmatic, outcome-oriented approach
  • Strong communication and facilitation skills
  • Ability to challenge constructively (upwards and laterally)

Nice to have

  • Experience in marketplace or digital platform environments
  • Exposure to group / multi-entity governance models
  • Incident response or CSIRT background
  • Knowledge of risk frameworks (ISO 27005, NIST RMF), without dogmatism

Job responsibilities

  • Cyber risk management (core mission)
  • Own and maintain the leboncoin cyber risk register
  • Identify, assess, prioritise and track cyber risks related to:
    • marketplace activities
    • products and platforms
    • data flows
    • critical systems, infrastructures and services
    • third-party and partner ecosystem
  • Translate technical security issues into business-impact-oriented risk statements
  • Support executive decision-making on:
    • risk mitigation
    • risk acceptance
    • risk transfer
  • Track the implementation of risk treatment plans, identify gaps and escalate delays or weaknesses to the appropriate governance bodies
  • Act as the local point of contact for Adevinta’s cybersecurity governance
  • Adapt group security principles, policies and risk frameworks to leboncoin’s context
  • Prepare and deliver cyber risk reporting to:
    • leboncoin executive management
    • Adevinta Group CISO and governance committees
  • Ensure traceability of risk decisions, including acceptance, mitigation and transfer
  • Clarify and formalise responsibilities between central and local security teams
  • Own the local cybersecurity policy and standards framework
  • Ensure policies are:
    • aligned with group requirements
    • proportionate to actual risks
    • understandable and usable by teams
  • Assess the adequacy and effectiveness of security controls against identified risks
  • Coordinate internal security control activities (without acting as an audit function)
  • Contribute to security by design initiatives with Product & Architecture Security
  • Third-party & supply chain risk
  • Own cybersecurity risk management for leboncoin vendors, partners and suppliers
  • Define risk-based security requirements for third parties
  • Support procurement, legal, product and tech teams during vendor or other third-party onboarding and integration by providing security technical review, security contract review and adjustment
  • Ensure ongoing tracking of third-party cyber risks and related treatment plans
  • Provide a business risk perspective during security incidents:
    • impact assessment
    • regulatory, contractual and reputational considerations
  • Support executive-level crisis communication preparation and decision-making
  • Ensure post-incident lessons learned are reflected in the risk register and governance
  • Regulatory compliance & cross-functional coordination
  • Contribute to cybersecurity regulatory obligations (e.g. NIS2) through a risk-based governance approach
  • Work closely with the DPO, without replacing their legal responsibilities
  • Contribute to data protection risk assessments (e.g. DPIAs) on cybersecurity aspects
  • Identify and track cyber risks related to AI-based systems, in coordination with product, legal and compliance teams
  • Help product, tech and business teams understand their cyber risk ownership
  • Contribute to security awareness and training initiatives
  • Promote shared accountability for cyber risk across the organisation

What this role is not

  • Not a SOC analyst role
  • Not an audit role
  • Not a technical control implementation role
  • Not a blocker for product or engineering teams

This role exists to enable informed decisions and clear accountability, not to say “no by default”.

Job benefits

  • Pleasant working conditions
  • Attractive remuneration
  • Opportunities for rapid, tailored professional development
  • A meal voucher card
  • Effective and competitive health insurance and pension coverage
Company
Leboncoin.fr
Publishing platform
WHATJOBS