1 day ago

Lead Specialist, Information Security

Pearson

On Site
Full Time
£75,000
Bengaluru East, Karnataka, India

Job Overview

Job Title: Lead Specialist, Information Security
Job Type: Full Time
Offered Salary: £75,000
Location: Bengaluru East, Karnataka, India

Job Description

Lead Specialist, Information Security at Pearson

The Cybersecurity Governance, Risk & Compliance function at Pearson sits within the Chief Information Security Office, part of the Digital and Technology organisation. This team is integral to ensuring robust security across all shared services.

We are seeking a Cybersecurity GRC professional with significant experience in reviewing supplier and customer contracts, supporting security questionnaires, and enhancing GRC processes through automation and tooling. This role bridges cybersecurity, risk, and legal, collaborating closely with Data Privacy, Legal, Technology Procurement, and Technology teams to efficiently manage security requirements without hindering business operations. A background in legal, compliance, or contracts is highly desirable.

Key Responsibilities

Contract Review & Negotiation (Customer & Supplier)
  • Review customer and supplier contracts for cybersecurity, data protection, privacy, and risk-related clauses.
  • Assess contractual requirements against internal security controls, policies, and certifications (e.g., ISO 27001, SOC 2, Cyber Essentials).
  • Support Legal and Commercial teams during contract negotiations, advising on acceptable security positions, deviations, and risk trade-offs.
  • Identify and document non-standard security obligations, ensuring appropriate risk acceptance or remediation plans are in place.
  • Maintain and improve security contract clause libraries and standard positions.
  • Support Sales, Legal, and Procurement teams by providing clear, pragmatic security positions that minimize unnecessary negotiation.
  • Ensure customer security questionnaires and contract reviews are completed to protect the organization while supporting rapid deal closure.
Customer Assurance & Sales Enablement
  • Respond to customer security questionnaires, due diligence requests, and contractual security queries.
  • Act as a subject matter expert for customer-facing security discussions, supporting Sales and Customer Success teams.
  • Ensure responses are accurate, consistent, scalable, and reusable.
GRC Automation & Tooling
  • Help design, implement, and optimize GRC tooling and automation (e.g., contract review workflows, questionnaire automation, evidence repositories).
  • Identify opportunities to reduce manual effort through automated questionnaire responses, clause mapping, standardized positions, and workflow tooling.
  • Partner with Legal, Procurement, and IT to embed GRC processes into business-as-usual tooling.
  • Identify and eliminate unnecessary complexity in security requirements, documentation, and workflows.
  • Continuously improve turnaround times for customer security reviews, contractual security assessments, and supplier risk evaluations.
  • Measure and track improvements in time-to-market and operational efficiency as part of GRC process maturity.
Governance, Risk & Compliance
  • Maintain and update cybersecurity policies and standards in line with evolving threats and compliance requirements, including frameworks like NIST.
  • Ensure all policies are current, comprehensive, and compliant with industry standards and regulatory requirements.
  • Collaborate with stakeholders to review and implement policy changes.
  • Support the maintenance of security policies, standards, and control mappings.
  • Contribute to internal and external audits where contractual obligations are in scope.
  • Help mature the organization’s risk management posture.
  • Collaborate closely with leaders across the Digital and Technology organization to align initiatives with the cybersecurity strategy.
  • Oversee the governance function, ensuring compliance with applicable laws, regulations, and internal policies.
  • Establish strong relationships with key stakeholders to ensure effective communication and support for initiatives.
  • Identify and assess risks, develop mitigation strategies, and implement controls to minimize cybersecurity-related risks.

Essential Skills & Experience

  • Experience in a cybersecurity GRC, risk, compliance, or assurance role.
  • Hands-on experience reviewing or responding to security clauses in customer and/or supplier contracts.
  • Strong understanding of information security principles and third-party risk.
  • Experience responding to customer security questionnaires (e.g., SIG, CAIQ, bespoke).
  • Ability to clearly communicate risk to data privacy, legal, commercial, and non-technical stakeholders.
  • Strong written skills with attention to detail.

Desirable Skills & Experience

  • Legal, contracts, or compliance background (e.g., law degree, paralegal experience, in-house legal exposure, or equivalent practical experience).
  • Experience working closely with Legal, Procurement, or Commercial teams.
  • Familiarity with security frameworks and certifications (ISO 27001, SOC 2, NIST, Cyber Essentials).
  • Experience implementing or improving GRC tooling or automation (e.g., IronClad, dedicated GRC tools).
  • Experience in SaaS, technology, or regulated environments.

What Success Looks Like

  • Faster, more consistent responses to customer security and contract requests.
  • Reduced friction between Sales, Legal, and Security.
  • Clear, repeatable contract security positions with documented risk decisions.
  • Scalable GRC processes enabled by automation and tooling.
  • Improved visibility of contractual security obligations and associated risks.
  • Security and contract reviews that enable faster sales cycles and supplier onboarding.
  • Clear, simple, and repeatable security positions that reduce back-and-forth with customers.
  • Measurable reductions in response times for customer security questionnaires and contract reviews.
  • GRC processes that are seen internally as enablers of the business, not blockers.

Why Join Us

  • Opportunity to shape and scale a modern, automation-first GRC function.
  • Wide exposure across Pearson, including Data Privacy, Legal, Sales, Procurement, and Technology.
  • Real influence on how the business manages contractual cybersecurity risk.
  • Supportive environment for professional development.

Who We Are

At Pearson, our purpose is simple: to help people realize the life they imagine through learning. We are the world's lifelong learning company, believing every learning opportunity is a chance for a personal breakthrough. We are Pearson.

Pearson is an Equal Opportunity Employer and a member of E-Verify. Employment decisions are based on qualifications, merit and business need. Qualified applicants will receive consideration for employment without regard to race, ethnicity, color, religion, sex, sexual orientation, gender identity, gender expression, age, national origin, protected veteran status, disability status or any other group protected by law. We actively seek qualified candidates who are protected veterans and individuals with disabilities as defined under VEVRAA and Section 503 of the Rehabilitation Act.

If you are an individual with a disability and are unable or limited in your ability to use or access our career site as a result of your disability, you may request reasonable accommodations by emailing TalentExperienceGlobalTeam@grp.pearson.com.

Key skills/competency

  • Cybersecurity Governance, Risk & Compliance
  • Contract Review & Negotiation
  • Information Security Principles
  • Third-Party Risk Management
  • Security Questionnaires (SIG, CAIQ)
  • GRC Automation & Tooling
  • ISO 27001 / SOC 2 / NIST
  • Data Protection & Privacy
  • Policy Maintenance
  • Stakeholder Collaboration

Tags: Information Security Specialist, cybersecurity, GRC, risk management, compliance, contract negotiation, data protection, policy management, audit, stakeholder collaboration, automation, ISO 27001, SOC 2, NIST, Cyber Essentials, GRC tooling, IronClad

How to Get Hired at Pearson

  • Research Pearson's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor to align your application.
  • Tailor your resume for GRC: Highlight extensive experience in cybersecurity governance, risk, and compliance, specifically contract review and automation.
  • Showcase framework expertise: Emphasize your knowledge of ISO 27001, SOC 2, NIST, and Cyber Essentials in your application materials and interviews.
  • Prepare for stakeholder communication: Practice articulating complex security risks clearly to non-technical legal, commercial, and data privacy teams.
  • Demonstrate automation prowess: Be ready to discuss specific experiences implementing or improving GRC tooling and streamlining processes.
