Head of Security Governance — Deputy CISO — GRC lead (x/f/m)
Alan operates at the intersection of health insurance, prevention, and regulated data. The person in this role owns the security governance and risk posture of a company that handles sensitive health data for 1M+ members, operates under DORA and HDS certification requirements, and is regulated by the ACPR. They work in close partnership with Legal, Internal Audit, and the broader Risk function — this is a collaborative role, not a siloed one.
Your mission — Governance, risk & compliance
- Own and operate the ISO 27001 ISMS. You are the accountable owner of the Information Security Management System—scope definition, Statement of Applicability, internal audit programme, and management review. You've led at least one full certification or recertification cycle.
- Be the security expert in the room on regulatory and privacy matters—translate regulatory requirements into controls, flag implementation gaps, and ensure the security programme withstands regulatory negotiations.
- Run risk as a living programme, in partnership with the broader risk function—lead security risk cartography using EBIOS RM, facilitate risk workshops, produce treatment plans, and bring the security lens to all risk forums.
- Own the controls framework, but distribute ownership of controls themselves—define the framework and standards, track coverage, and work closely with Infrastructure, Platform, and Engineering to embed security into building blocks.
- Run audit cycles with rigour, in close partnership with Internal Audit—manage the security audit programme, coordinate with certification bodies, and align scopes to avoid duplication.
- Manage third‑party risk with real teeth—run vendor security assessments, define contractual security requirements, and partner with the Risk team.
- Bring the health sector context—understand the ANS framework and CERT Santé requirements, and provide technical guidance to Legal.
- Own incident governance and support DORA reporting—classify and escalate ICT incidents, own BCP and DRP governance, and deliver the security substance for DORA incident reports.
What you’ll build and who you’ll work with
- Next‑Gen Compliance Framework: ISO 27001, DORA, HDS, NIS2—build a coherent governance backbone that scales with the company.
- Automated Audit & Evidence Engine—replace manual evidence collection with scripted pipelines plugged into engineering systems.
- Living Risk Cartography—treat risk as an operational signal, feeding into business and engineering decisions.
You’ll work closely with Legal, DPO, Internal Audit, and the broader Risk function, and partner day‑to‑day with Infrastructure, Platform, Engineering, Product, and Operations.
Why this role is special
- Direct Impact—own the trust foundation that lets Alan handle health data for 1M+ members.
- Complex Problems—4 regulators across 4 countries, sensitive health data, and a shifting regulatory landscape (DORA, NIS2, AI Act).
- Ownership & Growth—board and executive exposure, real influence on company‑wide risk decisions, and autonomy to shape Alan’s security culture.
Technical enablement
- Automate compliance work wherever possible—script evidence collection, automate control testing, and integrate GRC tooling with engineering pipelines.
- Configure and own GRC tooling—administer platforms like CISO Assistant, ServiceNow GRC, or Archer to build useful workflows and dashboards.
- Speak cloud governance fluently—understand shared responsibility in HDS‑qualified environments, assess CSPM tools, and reason about policy‑as‑code.
- Read architecture well enough to challenge it—review proposed solutions, identify control gaps, and push back credibly in engineering rooms.
- Interpret vulnerability data and drive prioritisation—use scan outputs, collaborate with engineering to prioritise remediation by business risk, and track resolution KPIs.
Qualifications — Mindset and Soft Skills
- Translate risk into business language—brief board or audit committee in clear, actionable terms.
- Influence without authority—align cross‑functional teams on security requirements without creating blockers.
- Manage programmes with audit‑grade rigour—run structured, traceable roadmaps and manage dependencies proactively.
- Build security culture, not compliance theatre—deliver relevant awareness programmes and foster risk ownership across the company.
- Think in principles when frameworks shift—adapt to regulatory changes without waiting for direction.
Location
Paris‑based, hybrid. We value in‑person collaboration and expect in‑office presence part of the week.
We hire people, not checklists. If you’re excited by this scope but don’t check every box, we’d still love to hear from you.