GRC Manager at Leboncoin
Paris, Ile-de-France, France -
Full Time


Start Date

Immediate

Expiry Date

11 Jun, 26

Salary

0.0

Posted On

13 Mar, 26

Experience

5 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

No

Skills

Cybersecurity, Risk Management, GRC, Cloud Architectures, Operational Security, Incident Response, GDPR, NIS2, Risk Register, Risk Mitigation, Risk Acceptance, Risk Transfer, Governance, Policy Management, Third-party Risk, Crisis Communication

Industry

Description
Leboncoin is progressively building an autonomous cybersecurity function while remaining part of the Adevinta group. As part of this transformation, we are establishing a local Cybersecurity Risk & GRC function to own leboncoin-specific cyber risks, support executive decision-making, and ensure alignment with group-level governance frameworks.

The Cybersecurity Risk & GRC Lead’s mission is to make cyber risk understandable, actionable, and decision-ready for both technical teams and executive leadership, without slowing down innovation or delivery. This role is not a pure compliance role. It is a hands-on, strategic position at the intersection of security, product, engineering, legal, and top management.

* 7+ years of experience in cybersecurity, risk management, GRC or equivalent security roles
* Strong technical and functional understanding of:
  * modern application and cloud architectures
  * operational security and incident response realities
  * regulatory environments relevant to digital platforms (GDPR, NIS2, etc.)
* Proven experience engaging with:
  * engineering teams
  * legal / compliance functions
  * senior leadership

Mindset & skills
* Ability to translate technical risk into business language
* Comfortable operating in evolving, build-mode environments
* Pragmatic, outcome-oriented approach
* Strong communication and facilitation skills
* Ability to challenge constructively (upwards and laterally)

Nice to have
* Experience in marketplace or digital platform environments
* Exposure to group / multi-entity governance models
* Incident response or CSIRT background
* Knowledge of risk frameworks (ISO 27005, NIST RMF), without dogmatism

1. Cyber risk management (core mission)
* Own and maintain the leboncoin cyber risk register
* Identify, assess, prioritise and track cyber risks related to:
  * marketplace activities
  * products and platforms
  * data flows
  * critical systems, infrastructures and services
  * third-party and partner ecosystem
* Translate technical security issues into business-impact-oriented risk statements
* Support executive decision-making on:
  * risk mitigation
  * risk acceptance
  * risk transfer
* Track the implementation of risk treatment plans, identify gaps and escalate delays or weaknesses to the appropriate governance bodies

2. Governance, traceability & group alignment
* Act as the local point of contact for Adevinta’s cybersecurity governance
* Adapt group security principles, policies and risk frameworks to leboncoin’s context
* Prepare and deliver cyber risk reporting to:
  * leboncoin executive management
  * Adevinta Group CISO and governance committees
* Ensure traceability of risk decisions, including acceptance, mitigation and transfer
* Clarify and formalise responsibilities between central and local security teams

3. Policies, standards & risk control oversight (pragmatic approach)
* Own the local cybersecurity policy and standards framework
* Ensure policies are:
  * aligned with group requirements
  * proportionate to actual risks
  * understandable and usable by teams
* Assess the adequacy and effectiveness of security controls against identified risks
* Coordinate internal security control activities (without acting as an audit function)
* Contribute to security by design initiatives with Product & Architecture Security

4. Third-party & supply chain risk
* Own cybersecurity risk management for leboncoin vendors, partners and suppliers
* Define risk-based security requirements for third parties
* Support procurement, legal, product and tech teams during vendor or any other third-party onboarding and integration by providing security technical reviews, security contract review and adjustment
* Ensure ongoing tracking of third-party cyber risks and related treatment plans

5. Incident & crisis contribution
* Provide a business risk perspective during security incidents:
  * impact assessment
  * regulatory, contractual and reputational considerations
* Support executive-level crisis communication preparation and decision-making
* Ensure post-incident lessons learned are reflected in the risk register and governance

6. Regulatory compliance & cross-functional coordination
* Contribute to cybersecurity regulatory obligations (e.g. NIS2) through a risk-based governance approach
* Work closely with the DPO, without replacing their legal responsibilities
* Contribute to data protection risk assessments (e.g. DPIAs) on cybersecurity aspects
* Identify and track cyber risks related to AI-based systems, in coordination with product, legal and compliance teams

7. Security culture & enablement
* Help product, tech and business teams understand their cyber risk ownership
* Contribute to security awareness and training initiatives
* Promote shared accountability for cyber risk across the organisation

What this role is not
* Not a SOC analyst role
* Not an audit role
* Not a technical control implementation role
* Not a blocker for product or engineering teams

This role exists to enable informed decisions and clear accountability, not to say “no by default”.

* Pleasant working conditions
* Attractive remuneration
* Opportunities for rapid, tailored professional development
* A meal voucher card
* Effective and competitive health insurance and pension coverage
Responsibilities
The core mission involves owning and maintaining the cyber risk register, identifying, assessing, and tracking risks across marketplace activities, products, and third parties, while supporting executive decision-making on risk treatment. This role also involves acting as the local point of contact for group governance, adapting group frameworks, and preparing risk reporting for executive management and governance committees.