Security GRC Manager

Boku Inc. (BOKU.L) is the leading global provider of local mobile-first payments solutions. Global brands including Amazon, DAZN, Meta, Google, Microsoft, Netflix, Sony, Spotify, and Tencent rely on Boku to reach millions of new paying consumers who do not use credit cards with our purpose-built payment network of more than 300 local payment methods across 70+ countries. Every year, Boku processes over $10 billion in value for our customers. Incorporated in 2008, Boku is headquartered in London and San Francisco and has employees in over 39 countries around the world.

Role Purpose: We are seeking a highly motivated and detail-oriented Security Governance, Risk, and Compliance (GRC) Manager to drive the maturity of our information security program across governance, risk management, regulatory compliance, and control assurance. This role plays a critical part in safeguarding the firm’s information assets, ensuring ongoing alignment with ISO 27001, SOC 2, PCI DSS, GDPR, and region-specific regulatory frameworks (e.g., RBI, DORA, MAS). You will act as the central point of coordination for risk reporting, policy governance, audit support, and cross-functional control implementation, working closely with internal stakeholders, regulators, and third-party partners.

Key Responsibilities:

• Lead the design, implementation, and continuous improvement of the firm’s Information Security Governance, Risk, and Compliance program.
• Own and maintain information security policies, standards, and procedures aligned to ISO 27001 and other regulatory frameworks.
• Coordinate internal and external audits, including evidence gathering, control walkthroughs, findings management, and follow-up remediation.
• Conduct and manage IT/security risk assessments and support enterprise risk reporting cycles.
• Oversee the implementation and monitoring of key controls across technology, cloud platforms, and business processes.
• Maintain the ISMS and support ongoing ISO 27001 certification and surveillance activities.
• Work with Legal, Engineering, IT, and Compliance teams to support data protection (e.g., GDPR), supplier risk, and contractual security requirements.
• Build and track risk registers, control testing results, and remediation plans.
• Identify suitable GRC tooling to support enterprise activities and work to implement.
• Lead periodic governance forums including Security Council and Risk Review Board meetings.
• Monitor changes in regulations and industry standards to ensure timely updates to internal programs.
• Develop training and awareness programs to foster a security-first culture across the organization.

Qualifications:

• 5+ years of experience in Information Security, GRC, Risk Management, or Compliance roles within a regulated industry (e.g., payments, fintech, healthcare).
• Strong understanding of frameworks such as ISO 27001, SOC 2, PCI DSS, GDPR, and/or NIST CSF.
• Experience managing or supporting external audits, certifications, or regulatory inspections.
• Knowledge of risk assessment methodologies, control design, and assurance testing.
• Ability to interpret complex security requirements and translate them into practical internal controls.
• Familiarity with GRC tools and platforms.
• Excellent project management, stakeholder engagement, and written communication skills.
• Highly organized, self-directed, and able to manage multiple priorities with attention to detail.
• Experience working in regulated entities is essential.