Information Security & Compliance Manager at Bluematterconsulting
Blue Matter is a rapidly growing strategic consulting firm serving clients in the life sciences industry. We partner with our clients to help them achieve commercial success across the lifecycle of their products, portfolios and organisations. Our project types include new product planning, launch strategy & planning, brand & life cycle planning and corporate & portfolio strategy, across a variety of specialty therapeutic areas.
We have a unique entrepreneurial culture and invest in building Blue Matter to be one of the best places to work. We have a strong global presence with offices in the US (San Francisco, New York, Boston), Europe (London, Zurich, Netherlands), and India (Mumbai, Gurgaon, Pune).

Why this role exists
Our clients are among the most security- and privacy-conscious organizations in the world, and they trust us with highly sensitive commercial and scientific information.
At the same time, our internal AI platform, BlueCortex, is becoming central to how we serve them — which raises both the stakes and the opportunity around how we govern data and technology. As we grow, we need a dedicated owner for information security and compliance. This role sits in our Technology & Operations team and is based in the UK or EU — giving us strong coverage of GDPR and UK GDPR obligations, alignment with European clients and subsidiaries, and time-zone support for our global team.
This is a hands-on, high-ownership role — not a tick-box function. You’ll build and run the firm’s security and compliance program end-to-end, and you’ll be the trusted point of contact when clients ask how we protect their data. It’s ideal for someone who wants to shape a program in a fast-moving, AI-forward consultancy rather than maintain one that already exists.
What you’ll do
Security governance and strategy
Own and run Blue Matter’s information security program end-to-end, including for BlueCortex. Define, maintain, and operationalize security policies, standards, and procedures, and keep them current as the firm scales. Maintain the risk register, run regular risk assessments, and drive remediation to closure. Report on security and compliance posture to leadership in clear, business-oriented terms.
, ISO 27001 and/or SOC 2): design and maintain the control framework, own the documentation and evidence, and lead internal and external audits. Build a sustainable, “always-audit-ready” approach rather than a once-a-year scramble. Track relevant regulatory and framework developments and translate them into practical action.

Data protection and privacy
Lead data protection under GDPR and UK GDPR; act as, or closely support, our Data Protection function.
Maintain records of processing (RoPA), conduct Data Protection Impact Assessments (DPIAs), and own data-handling, retention, and minimization policies. Manage data subject requests and any personal-data incidents, including regulator and individual notifications where required. Oversee data transfer mechanisms and data residency considerations across our global footprint and subsidiaries.
Client security assurance
Own the response to client security due-diligence: complete security questionnaires and assessments from biopharma and medtech clients accurately and on time. , DPAs). Maintain a library of reusable security documentation, certifications, and answers to accelerate client reviews.

Microsoft 365 security operations
Secure and govern our Microsoft 365 environment — Entra ID, Microsoft Defender, Microsoft Purview, and Intune.
Own identity and access management: conditional access, MFA, privileged access, joiner/mover/leaver processes, and least-privilege enforcement. Implement and tune data loss prevention (DLP), information protection/labelling, and device compliance. Partner with IT on secure configuration, patching, and endpoint hardening.

Third-party and vendor risk
Run third-party and vendor risk management across our supply chain, including security review of new tools and AI/SaaS vendors.
Maintain an inventory of vendors and their data access, and reassess risk on a regular cadence.

Incident response and investigations
Own the incident response plan; lead detection, triage, investigation, containment, and post-incident review. Investigate security events (for example, analysing Entra ID sign-in and audit logs), and produce clear, actionable incident reports. Run tabletop exercises so the firm is prepared before an incident happens.
Security awareness and culture
Build and deliver security awareness training and phishing simulations. Make security approachable and practical so the whole firm becomes a partner in protecting client data.

What success looks like
First 90 days: You’ve assessed our current posture, identified the highest-priority risks and gaps, and built a clear, prioritized roadmap. You’re already the point person for client security questionnaires.
First 6 months: Core policies are in place and adopted, the M365 security stack is meaningfully hardened, vendor risk and incident response processes are operating, and certification/attestation work is underway with a credible plan.
First year: The firm has a mature, sustainable security and compliance program; a defensible data-protection posture under GDPR/UK GDPR; and a smoother, faster client security-review process.
What you’ll bring
Required
5+ years of experience in information security and/or GRC, ideally in an environment that handles sensitive client data (regulated industries, professional services, SaaS, or similar). Strong, practical knowledge of GDPR and UK GDPR and day-to-day data protection. Hands-on experience with ISO 27001 and/or SOC 2 implementation and audits. Working familiarity with the Microsoft security stack (Entra ID, Defender, Purview, Intune).
Experience responding to client/customer security assessments and questionnaires. One or more relevant certifications — for example CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer/Auditor, CIPP/E, or CIPM — or equivalent demonstrable experience. Based in the UK with the right to work, and comfortable supporting a globally distributed team across time zones. Excellent written and verbal communication: you can translate security and risk into plain business language for leadership, clients, and colleagues.
Strongly preferred
Experience standing up or maturing a security/compliance program (not only operating an established one). Familiarity with EU and UK regulatory developments such as NIS2 and DORA. Experience managing third-party/vendor risk for SaaS and AI tooling. , HIPAA for US-facing work). Experience establishing data-protection or data-risk practices. Experience supporting M&A or subsidiary integration from a security and compliance perspective.
Who thrives here
Builders who want to own a program and shape it, not just keep the lights on. Pragmatic risk managers who right-size controls to the business instead of defaulting to maximum friction. Clear communicators who can earn trust with clients, leadership, and engineers alike. People genuinely interested in the security and governance challenges of a modern, AI-forward firm.

How we work
A small, capable Technology & Operations team with real ownership and direct access to leadership.
You’ll have the autonomy to build the program the right way — and the visibility that comes with being the firm’s security and compliance lead. This is a remote/hybrid role based in the UK or EU, with occasional travel for team collaboration.

Equal opportunity
Blue Matter is an equal opportunity employer. We are committed to building a diverse team and an inclusive workplace, and we welcome applicants of all backgrounds. We do not discriminate on any legally protected basis.
If you need a reasonable accommodation during the hiring process, please let us know.

ATS provider: Jazzhr.