Job Title: Lead Specialist, Information Security
Role Overview
The Cybersecurity Governance, Risk & Compliance function sits within the Chief Information Security Office, part of the Digital and Technology organisation, which consists of a wide range of shared services reporting to the Chief Information Officer at Pearson.
We are seeking a Cybersecurity GRC professional with strong experience in reviewing supplier and customer contracts, supporting customer security questionnaires and contractual security clauses, and helping to scale GRC processes through automation and tooling.
This role sits at the intersection of cybersecurity, risk, and legal, partnering closely with Data Privacy, Legal, Technology Procurement, and Technology teams to ensure security requirements are assessed, negotiated, and managed efficiently without slowing the business.
A legal, compliance, or contract-focused background (formal or practical) is highly desirable.
Key Responsibilities
Contract Review & Negotiation (Customer & Supplier)
Review customer and supplier contracts for cybersecurity, data protection, privacy, and risk-related clauses.
Assess contractual requirements against internal security controls, policies, and certifications (e.g. ISO 27001, SOC 2, Cyber Essentials).
Support Legal and Commercial teams during contract negotiations, advising on acceptable security positions, deviations, and risk trade-offs.
Identify and document non-standard security obligations and ensure appropriate risk acceptance or remediation plans are in place.
Maintain and improve security contract clause libraries and standard positions.
Support Sales, Legal, and Procurement teams by providing clear, pragmatic security positions that minimise unnecessary negotiation and friction.
Ensure customer security questionnaires and contract reviews are completed in a way that protects the organisation while supporting rapid deal closure.
Customer Assurance & Sales Enablement
Respond to customer security questionnaires, due diligence requests, and contractual security queries.
Act as a subject matter expert for customer-facing security discussions, supporting Sales and Customer Success teams.
Ensure responses are accurate, consistent, scalable, and reusable.
GRC Automation & Tooling
Help design, implement, and optimise GRC tooling and automation (e.g. contract review workflows, questionnaire automation, evidence repositories).
Identify opportunities to reduce manual effort through:
Automated questionnaire responses
Clause mapping and standardised positions
Workflow tooling and dashboards
Partner with Legal, Procurement, and IT to embed GRC processes into business-as-usual tooling.
Identify and eliminate unnecessary complexity in security requirements, documentation, and workflows.
Continuously improve turnaround times for:
Customer security reviews
Contractual security assessments
Supplier risk evaluations
Measure and track improvements in time-to-market and operational efficiency as part of GRC process maturity.
Governance, Risk & Compliance
Policy Maintenance and Updating
Maintain and update cybersecurity policies and standards in line with the evolving threat and compliance landscape, including frameworks such as NIST.
Ensure all policies are current, comprehensive, and in compliance with industry standards and regulatory requirements.
Collaborate with stakeholders to review and implement policy changes as necessary.
Support the maintenance of security policies, standards, and control mappings.
Contribute to internal and external audits where contractual obligations are in scope.
Help mature the organisation’s risk management posture.
Collaborate closely with leaders and teams across the Digital and Technology organisation to align portfolio initiatives with the cybersecurity strategy and business objectives.
Extend the portfolio management role to include overseeing the governance function, ensuring compliance with applicable laws, regulations, and industry standards, as well as internal policies and procedures.
Establish and maintain strong relationships with key stakeholders, including business leaders, technology teams, and external partners, to ensure effective communication, collaboration, and support for portfolio initiatives.
Identify and assess risks associated with portfolio initiatives, develop risk mitigation strategies, and implement appropriate controls to minimise cybersecurity-related risks.
Required Skills & Experience
Essential
Experience in a cybersecurity GRC, risk, compliance, or assurance role.
Hands-on experience reviewing or responding to security clauses in customer and/or supplier contracts.
Strong understanding of:
Information security principles
Third-party risk
Experience responding to customer security questionnaires (e.g. SIG, CAIQ, bespoke).
Ability to clearly communicate risk to data privacy, legal, commercial, and non-technical stakeholders.
Strong written skills with attention to detail.
Desirable
Legal, contracts, or compliance background (e.g. law degree, paralegal experience, in-house legal exposure, or equivalent practical experience).
Experience working closely with Legal, Procurement, or Commercial teams.
Familiarity with security frameworks and certifications (ISO 27001, SOC 2, NIST, Cyber Essentials).
Experience implementing or improving GRC tooling or automation (e.g. Ironclad, GRC tools).
Experience in SaaS, technology, or regulated environments.
What Success Looks Like
Faster, more consistent responses to customer security and contract requests.
Reduced friction between Sales, Legal, and Security.
Clear, repeatable contract security positions with documented risk decisions.
Scalable GRC processes enabled by automation and tooling.
Improved visibility of contractual security obligations and associated risks.
Security and contract reviews that enable faster sales cycles and supplier onboarding.
Clear, simple, and repeatable security positions that reduce back-and-forth with customers.
Measurable reductions in response times for customer security questionnaires and contract reviews.
GRC processes that are seen internally as enablers of the business, not blockers.
Why Join Us
Opportunity to shape and scale a modern, automation-first GRC function.
High exposure across Pearson, including Data Privacy, Legal, Sales, Procurement, and Technology.
Real influence on how the business manages contractual cybersecurity risk.
Supportive environment for professional development.