For over four decades, Cirrus Logic has been propelled by the top engineers in mixed-signal processing. Our rockstar team thrives on solving complex challenges with innovative end-user solutions for the world's top consumer brands. Cirrus Logic is also known for its award-winning culture, built on a foundation of inclusion and fairness, meaningful community engagement, and delivering enjoyable employee experiences at every turn. But we couldn't do it without our extraordinary workforce – and that's where you come in. Join our team and help us continue to make Cirrus Logic an exceptional place to grow your career!
We are seeking a highly motivated, experienced professional to join the Cirrus Logic Information Security team as a Lead Information Security Analyst - Governance, Risk Management, & Compliance (GRC).
You will be responsible for designing, operating, and continually improving our ISO 27001–aligned governance, risk, and compliance program, with a strong focus on Integrated Risk Management, Third-Party Risk Management, and security control effectiveness. You will also help define, refine, and operationalise the responsible use of AI technologies and services (including GenAI and Agentic AI) across the enterprise from a security and risk perspective. This role is highly collaborative and supports business strategy in a dynamic, engineering-driven environment.
Key Responsibilities:
• GRC Program & ISO 27001: Lead day-to-day operation and continuous improvement of our ISO 27001–aligned Information Security Management System (ISMS), including policies, standards, and control procedures across the organization.
• Policy, Standards, and Exception Management: Develop, maintain, and socialise information security policies, standards, and guidelines; manage exceptions, ensuring decisions are risk-based, documented, and periodically reviewed.
• Integrated Risk Management: Lead security risk and control assessments for new systems, services, and business initiatives, partnering with Security, IT, and business owners to identify threats, evaluate the design and operating effectiveness of controls, and document and track risk treatment plans. This includes evaluating AI/ML use cases (internal builds and third-party services) for security, data protection, and misuse risks.
• Third-Party Risk Management: Plan and execute third-party risk assessments for suppliers and service providers, including review of third-party security questionnaires, trust documents, and remediation plans, to ensure third-party security meets Cirrus Logic's requirements.
• Risk Analysis & Reporting: Analyze risks across technologies and business processes, prioritize remediation efforts based on business impact and likelihood, and prepare clear risk and control status reports for security leadership and key stakeholders.
• GRC Tooling & Automation: Configure, administer, and optimize GRC tooling, such as ServiceNow GRC or OneTrust GRC, to support risk registers, control libraries, assessments, exceptions, and third-party workflows, including integration with IT and security platforms where appropriate.
• Audit & Assessment Support: Coordinate and provide evidence for internal and external audits, customer security assessments, and certifications (e.g., ISO 27001, SOC-related reviews), ensuring consistent, high-quality responses.
• Privacy & Regulatory Support: Partner with Legal, HR, and other stakeholders to identify and manage security-related privacy and regulatory obligations; support privacy risk assessments and data protection controls as needed. Work with these stakeholders to assess the privacy and data protection implications of AI/ML solutions, including data ingestion, training, and model outputs.
• AI Risk & Governance: Define and maintain security and risk guardrails for the use of AI/ML technologies, including acceptable-use guidelines, control requirements, and review processes for new AI use cases and vendors.
• Collaboration & Enablement: Act as a trusted advisor to Security team members, IT, and business teams, helping translate security and risk requirements into practical, implementable solutions that align with engineering and operational realities. Partner closely with IT, engineering, and business teams to embed security, risk, and governance requirements into AI solution design and operations. Work effectively with a globally dispersed team across the time zones in which Cirrus operates.
• Communication, Executive Presence & Awareness: Bring strong executive presence and outstanding written, verbal, and presentation skills. Communicate complex risk, control, compliance, and program matters clearly and credibly to technical teams, business stakeholders, and executive leadership. Develop high-quality, executive-ready content, including presentations, briefings, and status updates that drive informed decision-making. Support and contribute to GRC awareness, communications, and training initiatives, including targeted awareness on the secure and responsible use of authorised AI tools.
Required Skills and Qualifications:
• Proven experience in Information Security with a strong focus on GRC, risk management, and/or security compliance in a global environment.
• Bachelor's degree in cybersecurity, information systems, or a related field, or demonstrated equivalent experience as a security professional in a globally dispersed enterprise.
• Hands-on experience with ISO/IEC 27001 (ISMS lifecycle, Annex A controls, risk assessment and treatment) and related security control frameworks (e.g., NIST CSF, ISO 27000, TISAX).
• Demonstrated experience with Integrated Risk Management (project/solution risk assessments) and Third-Party Risk Management (vendor due diligence, ongoing monitoring, and remediation).
• Technical fluency across core IT and security domains (e.g., network, endpoint, identity, cloud/SaaS, logging/monitoring) and experience working with Security Engineering, Security Operations, and IT teams.
• Experience configuring and maintaining an enterprise-grade GRC platform, preferably ServiceNow GRC, for risk, control, assessment, and exception workflows.
• Strong analytical and problem-solving skills, with the ability to balance security, compliance, and business objectives in a practical way.
• Effective communication and interpersonal skills, with the ability to clearly convey risk and technical issues to both technical and non-technical stakeholders, including senior leaders.
• Proven ability to drive work independently, manage multiple concurrent initiatives, and follow through to completion in a fast-paced environment.
• Experience working in high-tech, engineering, or semiconductor environments is beneficial.
• Relevant certifications (e.g., ISO 27001 Lead Implementer/Lead Auditor, CISSP, CISM, CISA, CRISC) are preferred but not required.
This position is based in our Edinburgh office. It is a hybrid role (minimum 2+ days onsite) with the flexibility to work from home, depending on business needs. Candidates must live within a commutable distance or be willing to relocate.
#LI-PD1
#LI-Hybrid
Export control restrictions based upon applicable laws and regulations would prohibit candidates who are nationals of certain embargoed countries from working in this position without Cirrus Logic first obtaining an export license. Candidates for this role must be able to access technical data without a requirement for an export license. We are unable to sponsor or obtain export licenses for this role.
At Cirrus Logic, we believe that diversity drives innovation, and we are committed to encouraging an open and collaborative culture where different approaches, ideas, and points of view are respected and valued. We aim to promote a workplace where everyone can contribute irrespective of race, colour, national origin, religion or belief, gender or gender identity, sexual orientation, age, marital status, pregnancy status, or disability.