
IT Governance, Risk, and Compliance Manager
Posted 9 hours ago

This is a fully remote position, open to applicants in Bulgaria.
• Develop and uphold the information security strategy, standards, and roadmap, ensuring alignment with relevant regulations, guidelines, and security best practices.
• Guide the security architecture within a cloud-native environment, establishing secure-by-design patterns for microservices, APIs, and shared platform services.
• Create and manage secure software development lifecycle (secure SDLC) practices, integrating automated security controls into CI/CD pipelines.
• Define and promote the adoption of cloud security guardrails, including identity management, network segmentation, encryption, secrets management, and configuration baselines.
• Establish and manage security monitoring, logging, and threat detection across cloud, infrastructure, and application layers.
• Oversee the security incident response lifecycle—including preparation, detection, containment, eradication, recovery, and post-incident review—and serve as the incident commander for security events.
• Manage vulnerability and threat management processes, including scanning, risk-based prioritization, remediation tracking, and reporting across infrastructure, containers, and application code.
• Organize and coordinate penetration testing and offensive-security exercises (whether in-house or co-sourced) and ensure findings are resolved.
• Administer identity and access management, privileged access, and least-privilege principles across cloud and corporate systems.
• Define and supervise data protection controls, including encryption, key management, data classification, and loss prevention, specifically for sensitive and cardholder data.
• Secure corporate IT and office infrastructure, covering endpoints, networks, and productivity and collaboration platforms.
• Collaborate with Engineering and DevOps teams to streamline security practices, offering tools, standards, threat modeling, and design reviews.
• Provide security insights for architectural and change decisions, particularly regarding the adoption of new technologies and third-party services.
• Conduct security awareness and phishing-resilience initiatives for both technical and non-technical personnel.
• Implement and validate the technical security controls necessary for PCI DSS, ISO 27001, and SOC audits.
• Stay informed about the evolving threat landscape and emerging security technologies.
• Serve as a vital member of the internal security center of excellence and contribute to interdisciplinary security working groups.
• Build, lead, and mentor a small security team.
• Report on security posture, key risks, and relevant metrics.

• Bachelor’s or master’s degree in computer science, information security, or a related field, or equivalent practical experience.
• A minimum of 10 years of experience in information/cyber security, including at least 2-3 years in a leadership position, with hands-on experience in securing cloud-native environments at scale.
• Extensive, practical knowledge of public-cloud security (AWS preferred), encompassing identity, networking, encryption, logging, and configuration management.
• Strong background in securing DevOps/CI/CD pipelines and modern microservices architectures, including containers, APIs, and infrastructure-as-code.
• Working knowledge of application security and secure SDLC practices across contemporary programming languages and web frameworks.
• Hands-on experience with security operations, incident response, and vulnerability management.
• Solid grasp of relevant security frameworks and compliance standards related to payments, including ISO 27001, PCI DSS, SOC 2, and NIST CSF.
• Familiarity with AI security, with practical experience using AI-assisted security tools (e.g., GenAI coding assistants, AI-augmented SAST/DAST, and SIEM/SOC analytics), and a working understanding of securing AI/LLM and agentic applications, including AWS AI services such as Amazon Bedrock and the OWASP Top 10 risks for LLMs (e.g., prompt injection and data leakage).
• Strong analytical and problem-solving skills, demonstrating high integrity and sound judgment.
• Exceptional verbal and written communication skills, fluent in English, with the ability to influence engineers through data, logic, and best practices.

• Fast-growing payment company;
• Excellent working conditions, a casual atmosphere, and state-of-the-art hardware;
• Modern, challenging, and continuously evolving business;
• Professional development opportunities, including books, training, certifications, etc.;
• Team-building events and enjoyable activities;
• 25 days of paid holiday, and an additional day for every 2 years of service;
• Fully distributed and remote work environment.