
Job Description

Job Title: Lead Specialist, Information Security

**Role Overview**

Cybersecurity Governance, Risk & Compliance function sits within the Chief Information Security Office as part of the Digital and Technology organisation that consists of a wide range of shared services reporting to the Chief Information Officer at Pearson.

We are seeking a Cybersecurity GRC professional with strong experience in reviewing supplier and customer contracts, supporting customer security questionnaires and contractual security clauses, and helping to scale GRC processes through automation and tooling.

This role sits at the intersection of cybersecurity, risk, and legal, partnering closely with Data Privacy, Legal, Technology Procurement, and Technology teams to ensure security requirements are assessed, negotiated, and managed efficiently without slowing the business. A legal, compliance, or contract-focused background (formal or practical) is highly desirable.

**Key Responsibilities**

**Contract Review & Negotiation (Customer & Supplier)**

+ Review customer and supplier contracts for cybersecurity, data protection, privacy, and risk-related clauses.
+ Assess contractual requirements against internal security controls, policies, and certifications (e.g. ISO 27001, SOC 2, Cyber Essentials).
+ Support Legal and Commercial teams during contract negotiations, advising on acceptable security positions, deviations, and risk trade-offs.
+ Identify and document non-standard security obligations and ensure appropriate risk acceptance or remediation plans are in place.
+ Maintain and improve security contract clause libraries and standard positions.
+ Support Sales, Legal, and Procurement teams by providing clear, pragmatic security positions that minimise unnecessary negotiation and friction.
+ Ensure customer security questionnaires and contract reviews are completed in a way that protects the organisation while supporting rapid deal closure.

**Customer Assurance & Sales Enablement**

+ Respond to customer security questionnaires, due diligence requests, and contractual security queries.
+ Act as a subject matter expert for customer-facing security discussions, supporting Sales and Customer Success teams.
+ Ensure responses are accurate, consistent, scalable, and reusable.

**GRC Automation & Tooling**

+ Help design, implement, and optimise GRC tooling and automation (e.g. contract review workflows, questionnaire automation, evidence repositories).
+ Identify opportunities to reduce manual effort through:
  + Automated questionnaire responses
  + Clause mapping and standardised positions
  + Workflow tooling and dashboards
+ Partner with Legal, Procurement, and IT to embed GRC processes into business-as-usual tooling.
+ Identify and eliminate unnecessary complexity in security requirements, documentation, and workflows.
+ Continuously improve turnaround times for:
  + Customer security reviews
  + Contractual security assessments
  + Supplier risk evaluations
+ Measure and track improvements in time-to-market and operational efficiency as part of GRC process maturity.

**Governance, Risk & Compliance**

+ Policy Maintenance and Updating
  + Maintain and update cybersecurity policies and standards in line with the evolving threat and compliance landscape, including frameworks such as NIST.
  + Ensure all policies are current, comprehensive, and in compliance with industry standards and regulatory requirements.
  + Collaborate with stakeholders to review and implement policy changes as necessary.
+ Support the maintenance of security policies, standards, and control mappings.
+ Contribute to internal and external audits where contractual obligations are in scope.
+ Help mature the organisation’s risk management posture.
+ Collaborate closely with leaders and teams across Digital and Technology organisation to align portfolio initiatives with the cybersecurity strategy and business objectives
+ Extend the portfolio management role to include overseeing the governance function, ensuring compliance with applicable laws, regulations, and industry standards, as well as internal policies and procedures
+ Establish and maintain strong relationships with key stakeholders, including business leaders, technology teams, and external partners, to ensure effective communication, collaboration, and support for portfolio initiatives
+ Identify and assess risks associated with portfolio initiatives, develop risk mitigation strategies, and implement appropriate controls to minimize cybersecurity-related risks

**Required Skills & Experience**

**Essential**

+ Experience in a cybersecurity GRC, risk, compliance, or assurance role.
+ Hands-on experience reviewing or responding to security clauses in customer and/or supplier contracts.
+ Strong understanding of:
  + Information security principles
  + Third-party risk
+ Experience responding to customer security questionnaires (e.g. SIG, CAIQ, bespoke).
+ Ability to clearly communicate risk to data privacy, legal, commercial, and non-technical stakeholders.
+ Strong written skills with attention to detail.

**Desirable**

+ Legal, contracts, or compliance background (e.g. law degree, paralegal experience, in-house legal exposure, or equivalent practical experience).
+ Experience working closely with Legal, Procurement, or Commercial teams.
+ Familiarity with security frameworks and certifications (ISO 27001, SOC 2, NIST, Cyber Essentials).
+ Experience implementing or improving GRC tooling or automation (e.g. IronClad, GRC tools).
+ Experience in SaaS, technology, or regulated environments.

**What Success Looks Like**

+ Faster, more consistent responses to customer security and contract requests.
+ Reduced friction between Sales, Legal, and Security.
+ Clear, repeatable contract security positions with documented risk decisions.
+ Scalable GRC processes enabled by automation and tooling.
+ Improved visibility of contractual security obligations and associated risks.
+ Security and contract reviews that enable faster sales cycles and supplier onboarding.
+ Clear, simple, and repeatable security positions that reduce back-and-forth with customers.
+ Measurable reductions in response times for customer security questionnaires and contract reviews.
+ GRC processes that are seen internally as enablers of the business, not blockers.

**Why Join Us**

+ Opportunity to shape and scale a modern, automation-first GRC function.
+ High exposure widely across Pearson including across Data Privacy, Legal, Sales, Procurement, and Technology.
+ Real influence on how the business manages contractual cybersecurity risk.
+ Supportive environment for professional development

**Who we are:**

At Pearson, our purpose is simple: to help people realize the life they imagine through learning. We believe that every learning opportunity is a chance for a personal breakthrough. We are the world's lifelong learning company. For us, learning isn't just what we do. It's who we are. To learn more: We are Pearson.

Pearson is an Equal Opportunity Employer and a member of E-Verify. Employment decisions are based on qualifications, merit and business need. Qualified applicants will receive consideration for employment without regard to race, ethnicity, color, religion, sex, sexual orientation, gender identity, gender expression, age, national origin, protected veteran status, disability status or any other group protected by law. We actively seek qualified candidates who are protected veterans and individuals with disabilities as defined under VEVRAA and Section 503 of the Rehabilitation Act.

If you are an individual with a disability and are unable or limited in your ability to use or access our career site as a result of your disability, you may request reasonable accommodations by emailing TalentExperienceGlobalTeam@grp.pearson.com.

**Job:** Security

**Job Family:** TECHNOLOGY

**Organization:** Corporate Strategy & Technology

**Schedule:** FULL\_TIME

**Workplace Type:** Hybrid

**Req ID:** 22519


This job posting was translated by artificial intelligence and may contain some minor differences or errors.
