Lucanetgroup

Senior Information Security Analyst

Role

Senior Information Security Analyst

Job type

-

Posted

13 hours ago

Salary

Not disclosed by employer

Job description

About us

Lucanet is the CFO Solution Platform built for modern finance & tax teams, offering an integrated suite of solutions to simplify and automate their most critical finance processes. More than 6,000 companies around the world rely on our easy-to-use, out-of-the-box SaaS platform - from consolidation and financial planning to tax compliance and reporting, ESG reporting, banking and cash management, and more. We are PE-backed and growing our footprint across global markets.

Behind the platform is a global team of 850+ people who care about doing the work well. We challenge each other to push boundaries, move fast without cutting corners, and build solutions that genuinely change how finance & tax leaders operate. If you're looking for a place where your work has real reach - and where your growth is part of the deal - this is it.

Discover more about Lucanet as an employer.

The Role

This is a new role, created because commercial success is driving more security scrutiny than ever: more enterprise deals, more due diligence, more regulatory expectations. We’ve invested heavily in automation (including agentic AI tooling that handles the bulk of RFP responses), we run mature ISO 27001 and SOC 2 programmes, and we’re already underway with ISO 42001 for AI governance. None of this is broken; it needs to go further.

What we need is someone who can handle the last mile: the nuanced security questions that can’t be answered by automation alone, the edge cases that require judgement, the conversations with customers and auditors where clarity and credibility matter. Someone who takes what’s already working and makes it sharper, broader, and more scalable.

This role sits within the Information Security function and works across engineering, SRE, product, and go-to-market teams. You won’t just maintain what exists - you’ll push it forward.

Lucanet has always operated proactively on security. What’s changed is the landscape: the volume of enterprise deals driving security scrutiny, the regulatory environment accelerating under NIS2 and the EU AI Act, and the pace of AI innovation inside our own product. Scaling compliance-as-engineering to match that pace requires more hands on deck — sharp ones.

  • You’ll shape how Lucanet communicates its security posture to enterprise customers — refining the narrative, not building it from scratch
  • You’ll extend compliance-as-code into continuous auditing, real-time reporting, and automated evidence collection across the business
  • You’ll mature our AI governance programme during the period when standards are still being written — putting Lucanet ahead of the curve
  • You’ll operate across cloud-native AWS infrastructure with modern tooling (Vanta, Orca Security, Aikido, GitHub Actions)
  • You’ll have direct influence on product security improvement initiatives — shaping how security requirements feed into the product roadmap
  • You’ll have access to best-in-class AI tools — Claude, OpenAI, and Gemini — to augment your own work and push the boundaries of what security operations can look like
  • You’ll work in a team that treats experimentation as a feature, not a risk

What you'll do

  • Security assurance & ISMS governance. You’ll own the continuous improvement of Lucanet’s control environment — maintaining and maturing the ISMS, strengthening ISO 27001 and SOC 2 processes, and ensuring audit-readiness remains a permanent state rather than a periodic effort. The foundations are solid; your job is to raise the bar.
  • Customer trust — the last mile. Our agentic RFP tooling handles the bulk of security questionnaire responses at scale. You own what comes after: the complex follow-up questions that need human judgement, the assurance calls where a customer needs to hear a credible voice, and the edge-case scenarios where a templated answer isn’t enough. You’ll also refine the knowledge base that feeds the automation, making each cycle smarter than the last.
  • Compliance-as-code — beyond CI/CD. We already have compliance checks integrated into our development pipelines. You’ll expand that philosophy into other areas of the business: continuous audit monitoring, automated evidence collection for certification cycles, real-time compliance reporting, and programmatic control validation across infrastructure and operations. The goal is compliance that runs continuously, not compliance that happens once a year.
  • AI security & governance. Lucanet’s AI security playbook exists and is evolving. ISO 42001 certification is underway and needs maturity. You’ll drive that forward — working on data lineage, model risk, prompt injection defences, and alignment with the EU AI Act. This isn’t starting from zero; it’s building from a strong foundation into a best-in-class programme.
  • Third-party risk. You’ll own vendor security assessments, evaluating the risk posture of suppliers and partners and ensuring contractual security requirements are met.
  • Pragmatic risk management. You’ll assess and communicate security risks in a way that enables decisions, not delays them. That means applying risk frameworks (ISO 27005, NIST RMF, or similar) with commercial awareness — understanding when a risk needs mitigation, when it needs acceptance, and when the business just needs a clear answer fast. We don’t want someone who flags everything as critical; we want someone who helps the organisation take smart, balanced risks.
  • Vulnerability management. You’ll collaborate with engineering and SRE to prioritise and track remediation of vulnerabilities, ensuring findings from scanners, pen tests, and bug bounties are closed systematically.
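As an added illustration of the "programmatic control validation" and "automated evidence collection" described above (example code written for this page, not Lucanet's own tooling), the script below runs a handful of technical checks over a constructed cloud inventory and emits a timestamped, hashed evidence record of the kind an auditor can be handed for each certification cycle. The inventory shape, the check names and the ISO 27001:2022 Annex A control mapping are assumptions chosen for the example; in a real deployment the inventory would be pulled from the cloud provider's API or from a tool such as Vanta or Orca rather than embedded inline.

```python
"""Continuous control validation over a cloud inventory, producing hashed evidence.

Added example for illustration only; not Lucanet's code. The inventory format,
the check functions and the Annex A control mapping are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample inventory. The shape mimics a config export but is an assumption.
INVENTORY = {
    "s3_buckets": [
        {"name": "finance-exports", "sse": "aws:kms", "block_public_access": True},
        {"name": "marketing-assets", "sse": None, "block_public_access": False},
    ],
    "iam_users": [
        {"name": "alice", "mfa_enabled": True, "access_keys": [{"age_days": 30}]},
        {"name": "ci-bot", "mfa_enabled": False, "access_keys": [{"age_days": 400}]},
    ],
    "security_groups": [
        {"id": "sg-1", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-2", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}


# Each check returns (resource, passed, detail) tuples so every result is attributable.
def check_bucket_encryption(inv):
    """Every bucket must have server-side encryption configured."""
    return [(b["name"], b.get("sse") is not None, f"sse={b.get('sse')}") for b in inv["s3_buckets"]]


def check_bucket_public_access(inv):
    """Every bucket must have public access blocked."""
    return [(b["name"], bool(b.get("block_public_access")), "block_public_access") for b in inv["s3_buckets"]]


def check_mfa(inv):
    """Every IAM user must have MFA enabled."""
    return [(u["name"], bool(u.get("mfa_enabled")), "mfa_enabled") for u in inv["iam_users"]]


def check_key_age(inv, max_age_days=90):
    """No access key may be older than max_age_days (90 is an assumed policy value)."""
    out = []
    for u in inv["iam_users"]:
        oldest = max((k["age_days"] for k in u.get("access_keys", [])), default=0)
        out.append((u["name"], oldest <= max_age_days, f"oldest_key_age_days={oldest}"))
    return out


def check_admin_ports(inv):
    """No security group may expose SSH/RDP to the whole internet."""
    out = []
    for sg in inv["security_groups"]:
        exposed = sorted(r["port"] for r in sg["ingress"] if r["port"] in ADMIN_PORTS and r["cidr"] in WORLD_CIDRS)
        out.append((sg["id"], not exposed, f"world_exposed_admin_ports={exposed}"))
    return out


# Illustrative mapping to ISO 27001:2022 Annex A control IDs (an assumption for the example).
CONTROLS = [
    ("A.8.24", "Use of cryptography: data encrypted at rest", check_bucket_encryption),
    ("A.5.15", "Access control: no public storage", check_bucket_public_access),
    ("A.8.5", "Secure authentication: MFA enforced", check_mfa),
    ("A.5.17", "Authentication information: access keys rotated", check_key_age),
    ("A.8.20", "Networks security: admin ports not world-exposed", check_admin_ports),
]


def run_controls(inv, collected_at=None):
    """Evaluate every control and return an evidence record with a SHA-256 over its canonical JSON."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    controls = []
    for cid, desc, fn in CONTROLS:
        findings = [{"resource": r, "passed": ok, "detail": d} for r, ok, d in fn(inv)]
        controls.append({"control": cid, "description": desc,
                         "passed": all(f["passed"] for f in findings), "findings": findings})
    body = {"collected_at": collected_at, "controls": controls}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {**body, "sha256": hashlib.sha256(canonical).hexdigest()}


def failing_controls(evidence):
    """Control IDs with at least one failing resource."""
    return sorted(c["control"] for c in evidence["controls"] if not c["passed"])


def failing_resources(evidence):
    """(control, resource) pairs that need remediation tickets."""
    return sorted((c["control"], f["resource"]) for c in evidence["controls"]
                  for f in c["findings"] if not f["passed"])


if __name__ == "__main__":
    print(json.dumps(run_controls(INVENTORY), indent=2))
```

The hash makes the record tamper-evident once it is written to append-only storage, and the per-resource findings are what turn a failed control into a remediation ticket rather than a red cell in a spreadsheet. Scheduling this against live inventory is what "continuous" means here: the same check runs every day, not once before the audit.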

What you bring to the table

Required

  • 3+ years in information security with a focus on GRC — we’d rather hire someone eager and proactive with less experience than a senior paper-pusher with more
  • Working knowledge of ISO 27001 and at least one of SOC 1, SOC 2, or C5 — you understand the frameworks well enough to have an opinion on how to improve them
  • The ability to translate security controls into language that sales teams, customers, and executives can act on — you can hold a customer assurance call and provide clarity on the spot
  • Hands-on experience with an ISMS — you’ve contributed meaningfully to maintaining and improving one
  • Familiarity with modern development environments: Git, CI/CD, cloud infrastructure (AWS/Azure/GCP). You don’t need to write production code, but you need to understand how software gets built and deployed
  • A default towards automation — when you see a repetitive process, your instinct is to eliminate it, not optimise it
  • Strong written and spoken English. German is a plus but not required

Strongly Valued

  • Experience with compliance-as-code approaches — automated evidence collection, continuous monitoring, control validation via APIs
  • Exposure to AI governance, AI risk management, or the emerging regulatory landscape around AI (EU AI Act, ISO 42001, NIST AI RMF)
  • Experience with tools in our stack: Vanta, Orca Security, Aikido Security, GitHub Actions
  • Track record of reducing manual compliance overhead through tooling, templates, or process redesign
  • Experience in a B2B SaaS or financial software environment where customer trust is a sales-critical factor
  • Relevant certifications (CISA, CISM, CISSP, ISO 27001 Lead Auditor/Implementer) — though we care more about what you’ve built than what you’ve passed
  • Curiosity about AI and a willingness to use it in your own workflows — we provide access to Claude, OpenAI, and Gemini and expect you to leverage them

You Don’t Need to Have

  • Done everything on this list — we’d rather hire someone who’s built three of these capabilities brilliantly than someone who’s touched all of them superficially
  • Prior experience in financial software — if you understand SaaS security and compliance, you’ll pick up the domain fast
  • A traditional GRC background — some of the best people in this space came from engineering, consulting, or product security and learned GRC by doing it

Powered by uniqueness

Everybody’s different here and we like it that way. At Lucanet, we embrace the unique qualities of every person. We are dedicated to creating an inclusive workplace where all employees can thrive and feel valued. Regardless of your gender identity, sexual orientation, personal expression, racial identity, ethnicity, religious belief, or disability status, you are welcome at Lucanet just as you are. Our recruitment process is solely based on qualifications, merit, and organizational needs, ensuring fairness and equal opportunities for all candidates.

We recognize that every person brings a unique blend of skills and experiences. If you believe you will excel in this role, we want to hear from you – even if you do not check every box on the list. We only want to know why you are great for this role, so please avoid including your picture, age, and marital status in your CV.

Learn more about our DE&I journey


GDPR Notification

Please follow the provided link to understand how we comply with GDPR requirements and what measures we take to ensure your data is safe.
Data protection Lucanet
