Job Application for GRC & Cybersecurity Lead at Paidy Inc/Paidy合同会社

New

About Paidy Inc.

Paidy is Japan's pioneer and leading BNPL service company. At Paidy we believe in creating simple, instant experiences to take the hassle out of shopping with a touch of magic.

Paidy offers instant, monthly-consolidated credit to consumers by removing hassles from payment and purchase experiences. Paidy uses proprietary models and machine learning to underwrite transactions in seconds and guarantee payments to merchants. Paidy increases revenue for merchants by reducing the number of incomplete transactions, increasing conversion rates, boosting average order values, and facilitating repeat purchases from consumers.

Paidy has reached an agreement to join PayPal, the global payments company. Paidy will continue to operate its existing business, maintain its brand and support a wide variety of consumer wallets and marketplaces by providing convenient and innovative services.

Paidy continues to innovate to make shopping easier and more fun both online and offline. For more information, please visit http://www.paidy.com.

About the Team & Position

Cybersecurity is everyone’s responsibility, but our security team leads the charge on solving some of the most challenging and consequential problems facing our organization and industry. As a fintech company operating within a larger corporate group, we navigate a dynamic regulatory landscape while integrating our security program with our parent company’s broader initiatives.

The GRC & Cybersecurity Lead is responsible for developing, implementing, and managing governance, risk, and compliance programs that ensure Paidy meets its regulatory, security, and business requirements. This role plays a critical part in aligning cybersecurity initiatives with business objectives, managing IT risk, driving audit readiness, and advancing GRC engineering and automation capabilities. The successful candidate will work closely with stakeholders across IT, Legal, Risk, Compliance, and executive leadership, as well as external auditors, regulatory bodies, and our parent company’s security teams.

Key Role and Responsibilities

Governance & Risk Management:

Lead the organization’s IT governance, risk, and compliance (GRC) framework in alignment with corporate strategy, regulatory requirements, and industry best practices
Identify, assess, and monitor IT risks across Cloud, Application, Software, Hardware, and Networking environments
Maintain and enhance the IT risk register, performing periodic reviews and updates to reflect changes in the threat and technology landscape
Support enterprise risk management initiatives by providing risk insights and recommendations to senior leadership
Manage third-party and vendor security risk, including security assessments, ongoing monitoring, and contract review support

Compliance & Audit:

Ensure adherence to relevant security and privacy frameworks and regulations, including SOC 2 (Type 1 and Type 2), SOC 1 (Type 1 and Type 2), ISO 27001, NIST CSF, APPI, and the Japan Installment Sales Act (割賦販売法)
Own audit preparation, evidence collection, and remediation tracking for internal and external audits; drive the roadmap toward Type 2 attestations
Develop and maintain security policies, standards, and procedures in collaboration with key stakeholders
Deliver compliance reporting to management, executive leadership, the board, and regulatory authorities as required
Conduct IT audits and manage audit tooling to ensure continuous audit readiness

GRC Engineering & Automation:

Implement, configure, and mature GRC tooling including RSA Archer and Vanta
Build and maintain automation using scripting, workflow tools (e.g., n8n), and AI tools including Claude Code to reduce manual compliance burden and accelerate audit evidence collection
Integrate GRC workflows with Atlassian Jira, Confluence, and Slack to embed compliance into engineering and operational processes
Develop security metrics, dashboards, and reporting pipelines that provide visibility into risk posture and compliance status

Cybersecurity Leadership:

Oversee the design and implementation of cybersecurity controls, tools, and processes to mitigate IT risks
Collaborate with IT operations and engineering teams to embed security into technology design and operations, leading through influence rather than direct authority
Lead incident response planning, tabletop exercises, and post-incident reviews
Communicate clearly with executives and board-level stakeholders on security posture, risk trends, and compliance status
Promote a security-aware culture across the organization through training, enablement, and ongoing engagement

Parent Company Integration & Stakeholder Engagement:

Support the CISO in managing the security relationship with parent company security and compliance teams; translate parent company requirements into local policy and implementation
Partner with business units to ensure GRC and cybersecurity considerations are integrated into projects and daily operations
Deliver security awareness and compliance training programs for employees
Act as a key liaison for cybersecurity-related matters with internal stakeholders, external auditors, vendors, and regulators

Skills and Requirements

Required Qualifications & Experiences

7+ years of experience in IT risk management, GRC, information security, or IT audit
Demonstrated experience with SOC 2, SOC 1, ISO 27001, NIST CSF, and Japanese regulatory requirements (APPI, Installment Sales Act)
Hands-on experience with GRC tools (RSA Archer and/or Vanta strongly preferred)
Strong IT knowledge across Cloud (AWS required), Application, Software, Hardware, and Networking technologies
Experience conducting IT audits and working with audit management tooling
Demonstrated ability to build automation using scripting languages, workflow tools (e.g., n8n), or AI
Experience working with Atlassian Jira and Confluence in a compliance or security context
Ability to lead and influence cross-functional teams without direct authority
Business-level Japanese (spoken and written) required
Business-level English required
B.S. in Information Security, Computer Science, or a related field, or equivalent practical experience

Desired Certifications

CISSP
CRISC
CISA
CISM

Desired Qualifications

JLPT N1 or equivalent Japanese language proficiency
Experience working within a corporate group or parent-subsidiary security structure
Familiarity with the Japanese financial services regulatory environment
Experience communicating security and risk topics to executive or board-level audiences

The Paidy team will ask about your user experiences with Paidy Apps during the interview. Please download the Paidy App and try it out!

iOS: https://apps.apple.com/jp/app/paidy/id1220373112
Android: https://play.google.com/store/apps/details?id=com.paidy.paidy&hl=en&gl=US

For those who are not able to download Paidy App, due to the regional restrictions, please be advised that you download the similar App, such as Klarna, Afterpay, Affirm and so forth, and come up with your opinions on these applications and services.

Please note that you must be eligible to work in Japan.

What We Offer You

Diversified team with 230+ colleagues from 35+ countries
Exciting work opportunities in a rapid-growing organization
Cross-functional collaboration
Flexible remote work options available
Competitive salary and benefits

Paidy Values

Be a winner / 勝ちにこだわる

Always seek to beat expectations. / 期待値を超える為に常に努力する。
Display surprising speed and resourcefulness. / 人をスピードと機知で驚かす。
Overcome weaknesses by leveraging the strength and help of others to win. / 仲間の強みを活かしたり協力を得ることで、自身の弱みや足りない点を克服する。

Own it and deliver, together / 共に結果を出す

Fully support the final decision even if at times you may disagree. / たとえ意見が対立することがあったとしても、最終決定を全面的に受け入れ支持する。
Acknowledge and gather the power of others, by communicating and collaborating with them. / 仲間の力を認めて活用し、積極的にコミュニケーションをとり、協力する。
Show a will to own actions and go the extra mile without being asked. / 行動について強いオーナーシップを持ち、言われずとも業務を遂行しきる覚悟を持つ。

Be a valuable team member / 価値を認められるメンバーになる

Strive to play an integral role. / 替えの効かない役割を果たす。
Embrace and bridge differences in perspective, language, and culture. / 異なる意見・考え方、言語と文化の架け橋になる。
Don’t compromise - raise the bar for yourself and others. / スタンダードを上げ続けることに妥協しない。

Create a Job Alert

Interested in building your career at Paidy Inc/Paidy合同会社? Get future opportunities sent straight to your email.

First Name

Last Name

Country

Phone

Location (City)

Resume/CV*

Accepted file types: pdf, doc, docx, txt, rtf

School

Select...

Degree

Select...

Discipline

Select...

Start date month

Select...

Start date year

End date month

Select...

End date year

Current Base Salary in JPY (Yearly)

Enter number in the following format: xx,xxx,xxx

Current Bonus in JPY (Yearly)

Enter number in the following format: xx,xxx,xxx

Other incentive such as RSUs, housing, allowances, etc. in JPY (Yearly)

Enter number in the following format: xx,xxx,xxx

Total Desired Salary in JPY (Yearly)

The answer can be refined in later interview stages. Please input a ballpark figure in the following format: xx,xxx,xxx

Expected offer date

Please describe when you need to get an offer by?

Please let us know about your other ongoing interview processes (list of companies, interview stage and date, name of company or industry).

i.e.

1st interview on yyyy/mm/dd with xxx company for xxx position

2nd interview on yyyy/mm/dd with xxx company for xxx position

Final interview on yyyy/mm/dd with xxx company for xxx position

Have you been referred from someone at Paidy,Inc?

Have you applied to Paidy, Inc. in the past? If yes, please indicate the details.

Let us know the date(s), agencies used if any, and positions you've applied to.

i.e.

1st application on yyyy/mm/dd through xxx agency for xxx position

2nd application on yyyy/mm/dd through Paidy's website for xxx position

3rd application on yyyy/mm/dd through Linkedin for xxx position

LinkedIn Profile

In which country are you currently located?

This and the following questions help us understand working rights and visa processes that the HR side may have to prepare for.

If you are based in Japan, what is your visa status? (visa type and date of expiration)

採用応募者に対する個人情報の取扱いに関する同意/Letter of Consent for the Handling of Personal Information from Recruitment Applicants

Select...

株式会社Paidy

1.取得および利用目的 (English will follow)

株式会社Paidy(以下「弊社」という)は、弊社への採用をご希望される皆様の氏名、住所、電話番号、メールアドレス等の個人を識別できる情報を取得します。取得の目的は、採用活動(書類審査、面接、評価、応募者への連絡等)のためとし、それ以外の目的での利用はいたしません。

2.個人情報の第三者への提供

弊社は、法令で定める場合を除き、応募者の個人情報について、当該個人の同意を得ずに、業務を委託する場合を除き第三者に提供することはありません。

2.業務の委託

弊社は、ご提供いただいた個人情報を外部の業者に委託し、採用活動等を行なう場合があります。この場合、委託する業者と契約を締結し、個人情報を適正に管理できるようにいたします。

4.安全管理

弊社は、個人情報へのアクセスまたは個人情報の紛失、破壊、改ざん、漏えい等の危険に対して、必要な安全対策を継続的に講じるよう努めます。

5.応募書類の返却・廃棄

採用に至らなかった場合、お預かりした履歴書をはじめとする選考に使用したその他応募書類は、一定期間保管後、弊社で責任を持って廃棄いたします。返却はいたしませんので予めご承知おきください。

6.個人情報提供の任意性

応募者の個人情報の弊社への提供は、応募者の同意に基づく任意ですが、弊社の採用選考に必要な情報が提供されない場合、採用の選考を辞退されたものとみなす場合もありうることを予めご承知おきください。

7.個人情報の開示等の請求に応じる手続き

ご提供いただいた個人情報については、利用目的の通知、開示、内容の訂正、追加又は削除、利用の停止、消去、第三者への提供の停止の請求を弊社問合せ窓口に申し出ることができます。その際、弊社は、ご本人であることを確認したうえで、合理的な期間、法令等に定められた範囲内で対応します。また、一部のご請求については有料となります。手続の詳細は、弊社HP上の「個人情報保護に関する基本方針」(https://terms.paidy.com/privacy) をご確認いただくか、下記あてにお問い合わせください。

8.個人情報管理責任者およびお問い合わせ先

弊社では、個人情報を適切に保護するための管理者を下記の者が担当いたしております。また、個人情報管理に関する問い合わせや開示、訂正または削除のご依頼は下記までご連絡ください。

<個人情報保護管理者>

株式会社Paidy セキュリティ部　情報セキュリティマネジャー

privacy@paidy.com

<個人情報に関するお問い合わせ窓口>

個人情報相談窓口

〒107-6212 東京都港区赤坂9-7-1 ミッドタウン・タワー12階

privacy@paidy.com

--------------------------English--------------------------

Paidy Inc.

Acquisition and Purpose of Use

Paidy Inc. (hereinafter the “Company”) acquires from those who desire to apply for employment opportunities of the Company the information capable of identifying the particular individual, such as name, address, telephone number, and e-mail address. Such acquisition is for the purpose of use in recruitment activities (such as pre-interview screening process, interviews, assessment, and communication with the applicant), and the Company will not use such information for any other purpose.

Third-Party Provision of Personal Information

Unless otherwise authorized under the applicable law, the Company will not provide any personal information from any applicant to any third party other than the suppliers engaged by the Company for services without the consent of the applicant.

Engagement of Suppliers

The Company may engage third-party suppliers for the provision of services for recruitment activities or whatsoever and provide such suppliers with the acquired personal information. In such event, the Company will enter into a contract with the engaged suppliers and secure the proper management of the personal information.

Security Control

The Company will continuously endeavor to implement the security measures as are necessary to protect the personal information from the risks of unauthorized access, loss, destruction, alteration, leakage, and the like.

Return and Disposal of Application Documents

In connection with any applicant whose submission of an application has not resulted in employment by the Company, the Company will store the submitted resume and all other application documents in use for the screening for the time being and will later responsibly dispose of the same. It is hereby acknowledged and agreed in advance that none of such application documents will be returned to the applicants.

Voluntary Submission of Personal Information

The submission of any personal information to the Company by any applicant shall be made on a voluntary basis with the consent of the applicant. However, it is hereby acknowledged and agreed in advance that if any applicant fails to submit the information necessary for the recruitment screening of the Company, such applicant may be deemed as having withdrawn from the recruitment screening process.

Procedures for Responding to Requests for Disclosure of Personal Information

In connection with any submitted personal information, the applicant may make a request to the point of contact at the Company for a notice of the use purpose, disclosure, correction, addition or deletion of the content, termination of use, deletion, or suspension of any third-party provision. At the time of such request, the Company will confirm the identity of the requester and respond to such request within a reasonable term to the scope stipulated under the applicable law or other regulations. Some of the requests require the payment of fees. For the details of such procedures, please check the “Basic Policy for Personal Information Protection” on the Company’s website (https://terms.paidy.com/privacy), or inquire at the following point of contact.

Personal Information Control Manager and Point of Contact

On behalf of the Company, the following personnel serve as the manager for properly managing the personal information. Please address any inquiry for personal information management or any request for disclosure, correction, or deletion to the following.

Information Security Manager, Security Department, Paidy Inc.

privacy@paidy.com

Point of Contact for Personal Information

12th Floor, Midtown Tower, 9-7-1 Akasaka, Minato-ku, Tokyo 107-6212

privacy@paidy.com

GRC & Cybersecurity Lead

Apply for this job