Senior Security Specialist - Risk & Compliance New London

Your impact

As a Senior InfoSec Specialist, you will be a cornerstone of our Governance Risk and Compliance (GRC) function, with a primary focus on securing our supply chain and third-party ecosystem. Reporting to the InfoSec Risk and Governance Lead, you will ensure that our innovative partnerships - from SaaS providers to Clinical Research Organisations (CROs) - meet our security standards. You will also play a key role in enhancing our ISMS and supporting secure business operations, including our drug discovery and clinical activities. Your work directly protects our organisation and ensures the right balance between business objectives and security is sustained.

What you will do

• Coordinate the third party security risk management lifecycle: execute the end-to-end third-party risk process, including initial intake, technical due diligence, risk-based tiering, ongoing monitoring, secure offboarding, and liaising with Legal and Finance teams.
• Perform detailed vendor assurance activities commensurate with their risk profile, ensuring alignment with legal, regulatory, contractual and policy requirements.
• Continuously develop and refine assessment methodologies to evaluate and audit vendors.
• Promote operational efficiency by building and maintaining third party security risk management dashboards and automating evidence collection to provide real-time visibility into the vendor risk landscape.
• Provide expert guidance to medicinal and ML research colleagues on complex risk topics, translating technical issues into clear business impact statements.
• Support the InfoSec Risk and Governance Lead in improving and maintaining the Isomorphic Labs ISMS and other regulated and contractual data assurance requirements, including internal audit execution and control testing.
• Develop a unified GRC framework able to provide internal and external assurance for all relevant legal, regulatory, contractual and policy requirements.
• Coordinate, author and maintain security policies and processes, ensuring they reflect reality as well as meeting our legal, regulatory, and contractual requirements.
• Support the development of secure, lean pharma and clinical operations with an AI-first approach.

Skills and qualifications

• Capacity to prioritise critical inquiry over rote compliance - you must be able to critically think through risks and issues and provide timely, accurate and enabling advice suitable to the business.
• Ability to excel as an individual contributor with the agility and adaptability to quickly pivot between strategic to operational levels, and between widely differing contexts.
• Strong understanding of risk management with a proven ability to manage the full risk management lifecycle, from technical risk identification and analysis to presenting clear, business-focused mitigation options.
• Robust knowledge of information technology and cybersecurity, including cloud and ML-based environments.
• Experience leading internal and external assurance activities.
• Knowledge of relevant security and compliance standards (e.g. ISO 27001, NIST).
• Experience managing the security threats posed by a complex third-party ecosystem, including cloud providers.
• Demonstrated experience in life sciences, technology, or AI industries.
• Open-minded and innovative approach in meeting regulatory requirements, balancing compliance with the efficiency demands of ML-driven drug discovery.
• A natural ability to build credibility and influence decision-making across scientific, engineering, corporate and leadership functions to drive the security agenda forward.

Nice to have:

• A deep experience of the Pharma Industry and Drug Development process and ecosystem is a plus.
• Experience in threat modelling.
• Interest in / experience of GRC engineering.
• Interest in / experience of Cyber Risk Quantification.
• Familiarity with AI-specific threats and security controls, such as those addressing model inversion, data poisoning, or adversarial attacks.
• Experience automating evidence collection and control monitoring.
• Contribution to open-source security projects or participation in security communities.

It’s hugely important for us to share knowledge and build strong relationships with each other, and we find it easier to do this if we spend time together in person. This is why we follow a hybrid model, and would require you to be able to come into the office 3 days a week (currently Tuesday, Wednesday, and one other day depending on which team you’re in). If you have additional needs that would prevent you from following this hybrid approach, we’d be happy to talk through these if you’re selected for an initial screening call.

We are committed to equal employment opportunities regardless of sex, race, religion or belief, ethnic or national origin, disability, age, citizenship, marital, domestic or civil partnership status, sexual orientation, gender identity, pregnancy or related condition (including breastfeeding) or any other basis protected by applicable law. If you have a disability or additional need that requires accommodation, please do not hesitate to let us know.