Fintech wants hybrid GRC/SOC hires

Job postings from a fast‑growing fintech in Lagos show demand for Information Security Officers who can own ISO/NIST policy, risk assessments, Splunk SIEM, incident response and audits—blending GRC and SOC skills. The listings ask for 3+ years’ experience and highlight how internal roles increasingly require both policy design and operational monitoring. That hiring signal suggests employers value candidates who can convert audit discipline into day‑to‑day security operations. (x.com) (x.com)

A Lagos fintech job post is asking one person to do the work of two security teams at once. The role is titled “Information Security Officer (GRC & Security Operations),” and the description combines policy writing, risk reviews, security monitoring, incident response, and audit support in a single seat. (glassdoor.com)

That title matters because governance, risk, and compliance usually lives on one side of a security department, while security operations usually lives on another. Governance, risk, and compliance is the part that writes rules, maps controls to standards, and prepares for audits; security operations is the part that watches alerts, investigates suspicious activity, and responds when something goes wrong. (glassdoor.com)

The Lagos listing wants both. It asks for experience with International Organization for Standardization 27001 and National Institute of Standards and Technology frameworks, plus risk assessment, vulnerability management, incident response, access control, and Security Information and Event Management tools such as Splunk. (glassdoor.com)

In plain English, that means the company wants someone who can write the rulebook and also work the control room. International Organization for Standardization 27001 is a widely used security management standard, while the National Institute of Standards and Technology publishes security frameworks that companies use to organize controls and assess risk; Splunk is a log-analysis platform that helps security teams spot unusual behavior across systems. (glassdoor.com)

The experience bar is not entry-level either. The posting asks for 3 or more years of relevant experience, which suggests the company is not looking for a pure compliance analyst to learn operations later or a pure analyst from a security operations center to pick up audit language on the job. (glassdoor.com)

The employer appears to be The Concept Group, a Lagos-based company whose website says it operates across financial services and technology through businesses including Rosabon Financial Services, Concept Nova, and Percy Atkins. That matters because firms that handle money, software, and regulated workflows tend to need both evidence for auditors and fast responses to live threats. (conceptgroup-ng.com)

This is not an isolated pattern in Nigerian fintech hiring. Moniepoint, which says it helps 10 million businesses and individuals, calls itself Nigeria’s largest merchant acquirer, and says it processes $22 billion monthly, is also hiring into roles that blend security assurance with operational risk measurement, business impact analysis, audit evidence, and cross-functional remediation. (moniepoint.com)

Its “Security & Technology Risk Analyst” role is framed as part of an Information Security Assurance Team, but the work goes beyond checklist compliance. The job includes risk assessments across cloud, network, infrastructure, product, endpoint, and third-party environments, plus business impact analysis, risk register maintenance, treatment-plan tracking, and real-time dashboard reporting for leadership. (moniepoint.com)

Put those postings together and a hiring signal starts to emerge. Companies are rewarding people who can move between audit evidence and day-to-day security operations, because modern security programs break down when the policy team writes controls that the monitoring team cannot run, or when the monitoring team fights fires without a framework that auditors and regulators recognize. (glassdoor.com) (moniepoint.com)

There is also a budget story hiding inside these job descriptions. A fast-growing company can fill two separate roles, one for governance, risk, and compliance and one for security operations, or it can look for one mid-career hire who understands both and can connect paper controls to live systems. The Lagos postings point to the second model. (glassdoor.com) (moniepoint.com)

That changes what “qualified” looks like for security professionals. A candidate who used to be seen as “too audit-heavy” may now stand out if they can interpret alerts, tune monitoring, and help with incident response; a candidate from a security operations center may become much more valuable if they can map controls to International Organization for Standardization 27001, explain risk treatment, and produce evidence an auditor can follow. (glassdoor.com) (moniepoint.com)

The practical takeaway is simple. If you work in fintech security, the market is increasingly favoring people who can translate between the spreadsheet and the dashboard, between the policy binder and the alert queue, and between the audit meeting and the incident bridge. These Lagos job posts show that blend is no longer a nice extra skill. It is becoming the job itself. (glassdoor.com) (moniepoint.com)
