← Back to list
Job · Lead

Security Governance / GRC Lead

Security Engineer • Lead • On-site • Full-time • 📍 Paris +6

Alan operates at the intersection of health insurance, prevention, and regulated data, serving 1M+ members under DORA and HDS certification requirements and ACPR regulation. This Security Governance / GRC Lead owns the company's security governance and risk posture, working in close partnership with Legal, Internal Audit, and the broader Risk function. It is a Paris-based, hybrid, collaborative role, not a siloed one.

Stack

Responsibilities

  • Own and operate the ISO 27001 ISMS: scope definition, Statement of Applicability, internal audit programme, and management review
  • Bring technical and operational security substance to regulatory and privacy matters (DORA, HDS, RGPD, PGSSI-S), where Legal leads
  • Run security risk as a living programme using EBIOS RM, feeding into the company-wide risk framework
  • Define the controls framework and standards while distributing control ownership to the teams that build and run them
  • Run audit cycles in close partnership with Internal Audit and coordinate with certification bodies
  • Manage third-party risk: vendor security assessments and contractual security requirements (security annexes, DPAs)
  • Own incident governance and support DORA reporting, including BCP and DRP governance
  • Automate compliance work: script evidence collection, automate control testing, and connect GRC tooling to engineering pipelines

Requirements

  • Accountable ownership of an Information Security Management System, having led at least one full certification or recertification cycle
  • Ability to translate regulatory requirements into controls and flag implementation gaps
  • Experience leading security risk cartography with EBIOS RM and running risk workshops
  • Ability to configure and administer GRC tooling (e.g., CISO Assistant, ServiceNow GRC, or Archer), not just use it
  • Cloud governance fluency: shared responsibility in HDS-qualified environments, CSPM tools, and policy-as-code (OPA, SCP)
  • Ability to read architecture and identify control gaps in identity, network segmentation, encryption, and logging
  • Ability to interpret vulnerability data and drive remediation prioritisation by business risk
  • Python (or similar) scripting to reduce the manual lift of an audit cycle
  • Understanding of the health sector context: ANS framework, CERT Santé requirements, and handling sensitive health data operationally

Nice to have

  • Experience coordinating across multiple regulators and countries (ISO 27001, DORA, HDS, NIS2)
  • Experience with automated audit and evidence pipelines

Soft skills

Translates risk into business language for boards and audit committeesInfluences without authority across Legal, DPO, Risk, Engineering, Product, and OperationsManages programmes with audit-grade rigor and proactive escalationBuilds security culture rather than compliance theatreReasons from first principles when the regulatory landscape shifts

What we offer

  • Board and executive exposure with real influence on company-wide risk decisions
  • Autonomy to shape Alan's security culture across 800+ people
  • Paris-based hybrid work with a value on in-person collaboration

About the company

Alan is building a new standard in prevention insurance, integrating insurance, prevention, and care into a single acclaimed user experience. It partners with 40K+ companies, serves more than 1M members, has reached over 800M euros in ARR, and employs 800+ people across France, Spain, Belgium, and Canada. It handles sensitive health data under DORA and HDS certification requirements and is regulated by the ACPR.

Languages: Angol; a szabályozói ismeretek (DORA, HDS, RGPD, PGSSI-S) és a francia egészségügyi kontextus alapján francia nyelvtudás előny