Cyclad is a company specialised in recruiting qualified IT professionals. We operate in France, Poland and Morocco, and we build on transparency and close working relationships with the experts who join us.
2. Key Responsibilities
2.1 Security Governance & ISMS
• ISO/IEC 27001 stewardship – drive the implementation, maintenance and continuous improvement of the Information Security Management System (ISMS) and support certification and surveillance audits.
• Policies & standards – define, formalise and keep up to date security policies, standards, procedures and baselines, and ensure they are cascaded to and applied by every entity and service.
• Control framework – design and operate the permanent control plan (ongoing first- and second-line controls), monitor control effectiveness and own the related reporting.
• Awareness – design and run security awareness campaigns and targeted enablement for technical and business stakeholders.
• Management reporting – define, produce and present security KPIs, dashboards and maturity indicators to the Head of Cybersecurity and senior management.
2.2 Risk Management
• Risk assessments – conduct business and project risk analyses using recognised methodologies (EBIOS RM, ISO 27005), and maintain detailed risk documentation.
• Risk mapping – build and maintain the information-system risk register and cartography, including operational and third-party risks.
• Security by design – integrate security into projects from the design phase, formulate recommendations and follow associated action plans through to closure.
• Treatment & follow-up – define risk-treatment plans, track residual risk and escalate exceptions through the appropriate governance bodies.
2.3 Vulnerability Management & the Mythos Program
• End-to-end lifecycle – operate the full vulnerability management lifecycle: discovery, asset and exposure context, prioritisation, remediation orchestration and verification.
• Mythos service operation – run and continuously improve the Mythos vulnerability management / remediation-acceleration service, positioning it as a measurable, SLA-driven service for the X perimeter.
• Prioritisation – risk-rank vulnerabilities using severity, exploitability (e.g. known exploitation, exploit-probability data), asset criticality, exposure and threat-intelligence context, rather than the raw CVSS base score alone.
• Remediation acceleration – coordinate with IT, infrastructure, application and entity teams to close findings within agreed SLAs, removing blockers and tracking remediation velocity.
• Penetration testing & coverage – contribute to the planning and coverage of penetration tests, consolidate findings and integrate them into the remediation pipeline.
• Credential & exposure monitoring – leverage exposure and credential-detection capabilities to surface and remediate leaked or at-risk assets.
• Metrics – define and report vulnerability KPIs (exposure, mean time to remediate, SLA adherence, backlog ageing) to demonstrate risk reduction over time.
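The prioritisation and metrics bullets above describe a technique without showing it. The following is an added illustration, not code from Cyclad or from the Mythos service: a small context-weighted scoring model (CVSS scaled by exploitability, asset criticality and internet exposure) and the KPI calculation behind "mean time to remediate", "SLA adherence" and "backlog ageing". The weights, priority bands, SLA values and the five sample findings are all constructed assumptions for the example; a real programme would tune them to its own risk appetite and asset inventory.

```python
"""Risk-based prioritisation and remediation KPIs over constructed findings.
Weights, bands, SLAs and the sample data are illustrative assumptions, not a standard."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    id: str
    asset: str
    cvss: float              # CVSS base score (0-10)
    epss: float              # 30-day exploitation probability, 0-1 (EPSS-style input)
    known_exploited: bool    # present in a known-exploited-vulnerabilities feed
    asset_criticality: int   # 1 (lab) .. 4 (business-critical), from the asset inventory
    internet_exposed: bool   # reachable from the internet per the exposure scan
    discovered: date
    remediated: Optional[date] = None


# Remediation SLA per priority band, in days (assumed values for the example).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_score(f: Finding) -> float:
    """Context-weighted score: CVSS is the starting point, not the answer.
    Exploitability multiplies it by 1x-4x, asset criticality scales it 0.25x-1x,
    internet exposure adds a further 1.5x. The weights are assumptions."""
    exploitability = 1.0 + 2.0 * f.epss + (1.0 if f.known_exploited else 0.0)
    criticality = f.asset_criticality / 4.0
    exposure = 1.5 if f.internet_exposed else 1.0
    return round(f.cvss * exploitability * criticality * exposure, 2)


def priority_band(score: float) -> str:
    """Map a score to the band that selects its SLA (thresholds are assumptions)."""
    if score >= 30:
        return "critical"
    if score >= 15:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def ranked(findings: list) -> list:
    """Remediation queue as (id, score, band), highest risk first."""
    scored = [(f.id, risk_score(f), priority_band(risk_score(f))) for f in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def kpis(findings: list, as_of: date) -> dict:
    """MTTR, SLA adherence and backlog ageing: the figures a monthly report carries."""
    closed = [f for f in findings if f.remediated is not None]
    open_ = [f for f in findings if f.remediated is None]

    ttr = [(f.remediated - f.discovered).days for f in closed]
    within_sla = [t <= SLA_DAYS[priority_band(risk_score(f))] for f, t in zip(closed, ttr)]

    ageing = {"0-30": 0, "31-90": 0, ">90": 0}
    breaches = []
    for f in open_:
        age = (as_of - f.discovered).days
        ageing["0-30" if age <= 30 else "31-90" if age <= 90 else ">90"] += 1
        if age > SLA_DAYS[priority_band(risk_score(f))]:
            breaches.append(f.id)

    return {
        "mean_time_to_remediate_days": round(sum(ttr) / len(ttr), 1) if ttr else None,
        "sla_adherence": round(sum(within_sla) / len(within_sla), 3) if within_sla else None,
        "open_count": len(open_),
        "backlog_ageing": ageing,
        "open_sla_breaches": breaches,
    }


# Constructed sample findings: fictional identifiers and assets, not real CVEs.
SAMPLE = [
    Finding("VULN-001", "web-portal", 9.8, 0.95, True, 4, True, date(2024, 6, 1), date(2024, 6, 5)),
    Finding("VULN-002", "hr-db", 7.5, 0.02, False, 4, False, date(2024, 3, 15)),
    Finding("VULN-003", "intranet-wiki", 9.1, 0.10, False, 2, False, date(2024, 6, 20)),
    Finding("VULN-004", "payments-api", 6.5, 0.60, True, 4, True, date(2024, 5, 1), date(2024, 5, 20)),
    Finding("VULN-005", "dev-jenkins", 5.3, 0.01, False, 1, False, date(2024, 2, 1), date(2024, 3, 1)),
]
AS_OF = date(2024, 6, 30)  # reporting date for the constructed sample


def sample_kpis() -> dict:
    return kpis(SAMPLE, as_of=AS_OF)


if __name__ == "__main__":
    for row in ranked(SAMPLE):
        print(row)
    print(sample_kpis())
```

Two things the sample is built to show: VULN-004 (CVSS 6.5, but actively exploited on an internet-facing critical asset) outranks VULN-003 (CVSS 9.1 on an internal low-value host), which is exactly the reordering "rather than raw CVSS alone" calls for; and the KPI output separates closed findings (MTTR, SLA adherence) from the open backlog (ageing buckets, current SLA breaches), so a missed SLA on a closed item and an over-age open item are reported as different problems.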
2.4 Compliance & Data Protection
• Regulatory compliance – ensure alignment with applicable regulations and frameworks (DORA, NIS2, GDPR) and support related assessments and remediation.
• Audit & assurance – lead and support security audits, manage findings and drive Management Action Plans (MAP) to resolution.
• Third-party security – define supplier security requirements, review security annexes and validate contractual security clauses.
• Data protection – map the processes and systems that handle personal data and bring them into compliance with GDPR requirements.
2.5 Incident & Stakeholder Coordination
• Incident support – contribute to the coordination of security incidents and remediation plans, ensuring lessons learned feed back into risk and vulnerability processes.
• Cross-functional engagement – act as a trusted advisor to entities, IT and project teams, fostering a shift from reactive execution to proactive, standardised security practices.
• Industrialisation – contribute to the industrialisation and standardisation of GRC and vulnerability processes, tooling and reporting across the perimeter.
3. Candidate Profile
3.1 Education
• Master’s degree or Engineering degree (Bac+5) in Information Systems Security, Computer Science or a related field.
3.2 Certifications
• ISO 27001 Lead Auditor and/or Lead Implementer.
• EBIOS Risk Manager (EBIOS RM).
• ISO 27005 Risk Manager.
• Network/security foundations (e.g. CCNA) and any vulnerability-management or cloud-security certification are an asset.
3.3 Experience
• Minimum 8 years in information security, including significant experience in GRC and/or vulnerability management, ideally within large or regulated organisations (insurance, financial services, energy).
• Proven track record running an ISMS, risk assessments and remediation programs at scale.
• Hands-on experience operating vulnerability management tooling and coordinating remediation across multiple technical teams.
3.4 Technical & Functional Skills
• ISMS governance, security policy design and permanent control frameworks.
• Risk analysis methodologies (EBIOS RM, ISO 27005) and risk-mapping practices.
• Vulnerability management lifecycle, prioritisation models and remediation orchestration (Mythos-type service).
• Penetration-testing coverage, exposure and credential-detection concepts.
• Regulatory frameworks: DORA, NIS2, GDPR.
• Cloud security fundamentals (e.g. AWS, GCP) and PAM/secrets-management concepts are valued.
3.5 Behavioural Competencies
• Ability to engage and report to senior management with clarity and structure.
• Strong methodological rigour and an audit-ready, evidence-based mindset.
• Autonomy, ownership and a proactive, build-oriented posture.
• Excellent communication and stakeholder-management skills across technical and business audiences.
• Fluent professional English; French is an asset given the local and group context.
4. Success Indicators (first 12 months)
• ISMS controls operating effectively, with audit findings tracked and closed on plan.
• Risk register maintained and up to date, with treatment plans actively followed.
• Mythos vulnerability service delivering measurable reduction in exposure and improved mean-time-to-remediate against agreed SLAs.
• Clear, recurring management reporting on security posture, risk and remediation velocity.
• Demonstrable progress on compliance readiness (DORA, NIS2, GDPR) across the perimeter.