
Cybersecurity Governance Risk & Compliance Lead (Madrid - Hybrid)

Montarelo Recruiting

Madrid

Hybrid

EUR 70.000 - 90.000

Full time

13 days ago

Job description

A tech startup in Madrid seeks a Governance Risk & Compliance Lead. The role involves implementing compliance programmes, managing risks, and ensuring regulatory readiness. Ideal candidates will have over 5 years of experience in cybersecurity and strong communication skills in English and Spanish. This position offers a hybrid work model with up to 70% remote work.

Training

  • 5+ years in the cybersecurity landscape, particularly in cloud-first or SaaS.
  • 2+ years in Governance, Risk, & Compliance roles.
  • Excellent English and Spanish communication skills at B2/C1 level.

Responsibilities

  • Lead GDPR, ISO 27001, SOC 2, and NIS 2 compliance programmes.
  • Conduct regular risk assessments and maintain a risk register.
  • Provide updates to executive leadership on compliance progress.

Knowledge

Cybersecurity experience
Stakeholder management
Communication skills

Education

Bachelor’s Degree in information technology or related field

Tools

Compliance automation platforms (e.g., Vanta, OneTrust)
Azure cloud environments

Job description

Overview

Our customer is a technology-based startup with solid funding that is in the midst of expansion. The selected candidate will be hired as an internal and permanent employee, based in Madrid, and will provide services to the company's global organization. The customer is looking for a Governance Risk & Compliance Lead for its global operations in Madrid.

The role reports to the Head of Information Security and will play a critical part in enabling company growth by ensuring regulatory readiness, managing risk, and embedding security and compliance into business and product operations.

Responsibilities

  • Compliance Programme Development: Lead the implementation of GDPR, ISO 27001, SOC 2, and NIS 2 compliance programmes, with a roadmap aligned to business priorities and client expectations.
  • Develop and maintain policies, procedures, and controls that support certification and audit readiness.
  • Coordinate with external auditors, consultants, and vendors to streamline evidence collection and reporting.
  • Risk Management: Operationalize the NIST Cybersecurity Framework across the corporate, product and operational domains.
  • Conduct regular risk assessments and maintain a centralized risk register.
  • Collaborate with IT, Product and Legal teams to ensure risk mitigation strategies are prioritized correctly.
  • Governance & Policy Enforcement: Establish governance structures for security and compliance decision-making, run regular risk committees and track related actions.
  • Maintain and enforce policies such as password management, access control, and vendor risk.
  • Reporting & Communication: Provide regular updates to executive leadership on compliance progress, risk posture, and audit outcomes.
  • Develop dashboards and visualizations to communicate timelines and milestones to stakeholders.
  • Act as the primary liaison for compliance-related queries from clients, partners, and regulators.
Qualifications & Experience

  • Working Experience: 5+ years of proven experience in the cybersecurity landscape within cloud-first or SaaS organizations.
  • At least 2+ years in GRC roles.
  • Working experience of GDPR, ISO 27001, SOC 2, NIS 2, and NIST CSF.
  • Familiarity with compliance automation platforms (e.g., Vanta, OneTrust).
  • Preferred: Lead on ISO 27001, SOC 2 or GDPR compliance implementation.
  • In-depth knowledge of the NIS 2 directive.
  • Working knowledge of Azure cloud environments.
  • Working knowledge of OT security.
Soft Skills

  • Excellent communication and stakeholder management skills.
  • International work experience, including working with international teams.
Education, Certifications & Languages

  • Education: Bachelor’s Degree or vocational training qualification in information technology or a related field.
  • Certifications: Not mandatory, but CISA, CRISC, or ISO 27001 Lead Implementer preferred.
  • Languages: Spanish — very good business Spanish required; English — very good business English required. B2/C1 level for both.
Job Conditions

  • Job location: Tres Cantos (Madrid).
  • Citizenship/Work authorization: European Union nationality or Spain work permit required.
  • Employment Type: Permanent Full Time, internal employee.
  • Salary: Depending on qualification and experience.
  • Work from home: Hybrid model including up to 70% remote work, subject to project and client needs.
How to Apply

If you are interested, please apply here or send an email to grc@montarelo.com with the subject "Governance Risk & Compliance Lead" and your CV in English.
