IT and Cyber Governance Risk and Compliance Expert

Belgium · Brussels · mid
Legal & Compliance · Compliance

Quick Summary

Technical Tools
agile, project-management, saas, stakeholder-management

This is a consultancy mission at a client site, where you will represent Keystone Solutions as an IT and Cyber Governance Risk and Compliance Expert. As a Keystone Solutions consultant, you will be hired to work on client projects, bringing your expertise to dynamic environments and contributing to the success of our clients.


Our client’s Governance, Risk and Compliance (GRC) team supports IT and Business Units in developing robust solutions for operational IT and Cyber risk management. As a Keystone Solutions consultant, you will:

  • Identify IT and Cyber risks across assets, applications, projects, and third-party relationships.
  • Advise, monitor, and report on risk mitigation strategies to optimize cost-efficiency while reducing exposure.
  • Develop and manage the implementation of a Group-aligned GRC strategy to reduce IT and Cyber risks in accordance with IT and Information Security policies and local regulations.

As part of the GRC team, you will be responsible for daily maintenance activities as well as enhancing the maturity of GRC processes and tools, ensuring alignment with strategic objectives while balancing operational excellence and regulatory compliance. Responsibilities include:

  • Engaging with internal customers to determine expectations, preferences, and aversions.
  • Ensuring clear understanding of GRC processes and tools among all stakeholders in Run and Change contexts.
  • Taking on roles in strategy, delivery, design, analysis, management of priorities and objectives, communication, planning, organization, facilitation, and coordination.
  • Driving quality by bringing changes to GRC processes and tools into production, with a focus on ICT Controls and Third-Party Technology Risk Management.

Responsibilities

  • Reinforce the GRC team on operational activities such as ICT control execution and Third-Party Technology Risk Management (deliver assessments, ensure quality of assessments, negotiate ICT contractual clauses, organize on-site audits, monitor suppliers’ ICT posture).
  • Continuously monitor and improve GRC processes and tools.
  • Understand internal and group GRC requirements to propose efficient implementation methods.
  • Analyze and document GRC problem statements with concrete solutions for both technical and non-technical Senior Management audiences.
  • Simplify GRC processes while maintaining relevant interconnections.

  • In-depth knowledge of business strategies, Governance, Risk, Control, Vulnerability management processes, products, systems, culture, and organization. Strategic thinking is essential.
  • Knowledge of applicable regulations.
  • Ability to evaluate IT and Cyber posture of assets, shadow situations, and third-party cloud solutions with a focus on security, data protection, and resilience.
  • Ability to review and understand vulnerabilities and penetration testing reports, validate findings from external audits, and determine risks based on such reports.
  • Hands-on approach with the ability to deliver concrete outcomes independently.

  • Collaborate with internal clients involved in GRC activities across the organization, including Contract Owners, Procurement, Legal, Business and IT Continuity Teams, Data Privacy teams, and suppliers.
  • Manage relationships with internal supervisory lines.

Requirements

  • Dutch: Fluent (optional)
  • French: Fluent (mandatory)
  • English: Fluent (mandatory)

  • Master’s degree or equivalent by experience.

  • Optional: Security certifications such as CISSP, CISM, CIPP, CCSK, CISA.

  • Expectation: 50% on site and 50% homeworking.

  • Professional experience in GRC practice (8+ years).
  • Experience in project management, process design, business analysis, and process improvement.
  • Experience in third-party IT and security assessments.
  • Experience in IT and Cyber Risk Management.
  • Experience delivering presentations and training.

  • Mandatory: 10+ years of professional experience in IT & Cyber Risk Management, with a strong focus on third-party risk assessments and cloud security (SaaS, IaaS, PaaS).
  • Experience with application security, vulnerability management, penetration testing, and audit methodologies (ISO 27001, SOC 2, NIST, OWASP).
  • Preferable: Knowledge of control frameworks and audit methodologies, experience in ServiceNow GRC.

  • Mandatory: Proficiency in Information Security and Risk Management frameworks (ISO 27001, SOC, NIST, OWASP, etc.), regulations (e.g. EBA guidelines, GDPR, DORA), and market standards (e.g. PCI-DSS).
  • Professional experience in Financial Services, particularly in large corporate environments.
  • Experience in reviewing and amending IT and Cyber Third-Party clauses in contracts.
  • Process design and business analysis in IT and security risk management.
  • Delivery of presentations and training to stakeholders on risk-related topics.
  • Strong IT background with exposure to operational and security risk management.
  • Preferable: Experience with Agile development methodologies.

  • Strong analytical and synthesis skills – ability to distill complex technical risks into clear, actionable insights for management.
  • Excellent communication and influencing skills – capable of engaging with technical experts, business stakeholders, and external suppliers.
  • Autonomous, proactive, and results-driven with a structured and methodical approach.
  • Ability to manage multiple priorities in a dynamic, multicultural environment.
  • Excellent communication and interpersonal skills, with the ability to influence, negotiate, and work effectively with stakeholders at all levels.
  • Ability to capture and adapt to stakeholder expectations while respecting processes in place.
  • Excellent English writing skills.
  • Ability to mentor and coach people.

What We Offer

As a consultant, you will experience a variety of dynamic projects across different client environments, ensuring continuous professional growth.
Keystone Solutions is committed to turbo-charged learning, offering broad learning experiences and professional development opportunities.
We foster skyrocketing ambition, supporting your career growth within a framework that values your expertise and drive.
Being a “K-Stone” means bringing our core values—excellence, integrity, and collaboration—to every engagement.

Location & Eligibility

Where is the job: Brussels, Belgium (on-site at the office)
Who can apply: BE

Listing Details

First seen: May 5, 2026
Last seen: May 7, 2026

Posting Health

Days active: 0
Repost count: 0
Trust Level: 42%
Scored at: May 6, 2026
