# IT Governance, Risk, and Compliance Manager

> emerchantpay · Sofia, Bulgaria (Remote) · Posted 2026-06-29

**Workplace:** remote

**Department:** IT/GRC

## Description

emerchantpay is a leading global payment service provider and acquirer for online, mobile, in-store and over the phone payments. Our global payments solution is available through a simple integration, offering a diverse range of features, including global acquiring, global and local payment methods, advanced fraud management and performance optimisation. We empower businesses to design seamless and engaging payment experiences for their consumers.

We are looking for an **IT Governance, Risk, and Compliance Manager** to provide oversight of our **ICT and information security risk profile**, ensuring those risks are identified, managed, and reported within the company's risk appetite, and that governance, risk management, compliance, and resilience are embedded into the way the company operates and grows.

The role owns the integrated control framework, multi-standard certifications (ISO 27001, PCI DSS, and SOC), enterprise and third-party risk, business continuity, and key regulatory readiness programs - including the RBI licensing application in India, NIS 2, and the EU AI Act for AI governance and compliance - while acting as a trusted advisor to the Leadership Team.

The role sits within the IT function and is part of the Risk Management and Oversight Committee. It works closely with Engineering, IT, Legal, Finance, and the wider business.

**Responsibilities**

-   Define and maintain the information security strategy, standards, and roadmap, aligned to applicable regulations, rules, and security best practices.
-   Steer security architecture across a cloud-native environment, defining secure-by-design patterns for microservices, APIs, and shared platform services.
-   Establish and govern secure software development lifecycle (secure SDLC) practices, embedding automated security controls into CI/CD pipelines.
-   Define and drive adoption of cloud security guardrails - identity, network segmentation, encryption, secrets management, and configuration baselines.
-   Build and run security monitoring, logging, and threat detection across cloud, infrastructure, and application layers.
-   Lead the security incident response lifecycle - preparation, detection, containment, eradication, recovery, and post-incident review - and act as incident commander for security events.
-   Own vulnerability and threat management: scanning, risk-based prioritization, remediation tracking, and reporting across infrastructure, containers, and application code.
-   Plan and coordinate penetration testing and offensive-security exercises (in-house or co-sourced) and drive findings to closure.
-   Govern identity and access management, privileged access, and least-privilege principles across cloud and corporate systems.
-   Define and oversee data protection controls - encryption, key management, data classification, and loss prevention - for sensitive and cardholder data.
-   Secure corporate IT and office infrastructure, including endpoints, networks, and productivity and collaboration platforms.
-   Partner with Engineering and DevOps teams to make the secure path the easy path, providing tooling, standards, threat modelling, and design reviews.
-   Provide security input into architecture and change decisions, including the adoption of new technologies and third-party services.
-   Run security awareness and phishing-resilience programs for technical and non-technical staff.
-   Implement and evidence the technical security controls underpinning PCI DSS, ISO 27001, and SOC audits.
-   Monitor the evolving threat landscape and emerging security technologies.
-   Act as a key member of the internal security center of excellence and contribute to cross-functional security working groups.
-   Build, lead, and mentor a small security team.
-   Report security posture, key risks, and metrics.

**Requirements**

-   Bachelor’s or master’s degree in computer science, information security, or a related field, or equivalent practical experience.
-   **At least 10 years in information / cyber security, including a minimum of 2-3 years in a leadership role, with hands-on experience securing cloud-native environments at scale.**
-   Deep, practical public-cloud security knowledge (AWS strongly preferred): identity, networking, encryption, logging, and configuration management.
-   Strong experience securing DevOps / CI/CD pipelines and modern microservices architectures - containers, APIs, and infrastructure-as-code.
-   Working knowledge of application security and secure SDLC across modern programming languages and web frameworks.
-   Hands-on experience with security operations, incident response, and vulnerability management.
-   Solid understanding of security frameworks and compliance standards relevant to payments: ISO 27001, PCI DSS, SOC 2, and NIST CSF.
-   Working AI security literacy, with hands-on use of AI-assisted security tooling (e.g., GenAI coding assistants, AI-augmented SAST/DAST and SIEM/SOC analytics) and a practical understanding of securing AI/LLM and agentic applications, including AWS AI services such as Amazon Bedrock and the OWASP Top 10 risks for LLMs (e.g., prompt injection and data leakage).
-   Strong analytical and problem-solving ability, with high integrity and sound judgement.
-   Excellent verbal and written communication skills, fluent English, and the ability to influence engineers with data, logic, and best practices.

**Considered as an Advantage**

-   Professional certification such as CISSP, CCSP, OSCP, AWS Security Specialty, or CISM.
-   Experience in a payments, fintech, banking, or other regulated environment.
-   Familiarity with operational-resilience expectations (e.g. DORA-style requirements).
-   Experience standing up a security function.

**Benefits**

-   Fast-growing payment company;
-   Excellent working conditions, casual atmosphere, and state-of-the-art hardware;
-   Modern, challenging, constantly growing business;
-   Professional development - books, trainings, certifications, etc.;
-   Team buildings and fun activities;
-   25 days' paid holiday, plus 1 additional day for every 2 years with us;
-   Fully distributed and remote.

**If you are interested, please apply with your CV in English only. Only short-listed candidates will be contacted.**

Personal data of the applicants will be processed in strict confidentiality by emerchantpay ltd. UIC 175117520 solely for the purposes of selection and recruitment and will not be transferred to other data controllers unless required by law. Applicants provide their personal data on a voluntary basis and will have the right to access and correct their personal data within a reasonable time upon filing a written request.

emerchantpay is an equal opportunity employer. We appreciate people with different backgrounds and mindsets, and we honor diversity and inclusion.

## Apply

[Apply at emerchantpay](https://apply.workable.com/emerchantpay/j/9FF3CACC86/apply)

