GRC Manager

Permanent contract (CDI)
Paris
Frequent remote work
Salary: Not specified

Leboncoin

The position

Job Description

Leboncoin is progressively building an autonomous cybersecurity function while remaining part of the Adevinta group. As part of this transformation, we are establishing a local Cybersecurity Risk & GRC function to own leboncoin-specific cyber risks, support executive decision-making, and ensure alignment with group-level governance frameworks.

The Cybersecurity Risk & GRC Lead’s mission is to make cyber risk understandable, actionable, and decision-ready for both technical teams and executive leadership, without slowing down innovation or delivery.

This role is not a pure compliance role. It is a hands-on, strategic position at the intersection of security, product, engineering, legal, and top management.

Job Requirements

  • 7+ years of experience in cybersecurity, risk management, GRC or equivalent security roles

  • Strong technical and functional understanding of:

    • modern application and cloud architectures

    • operational security and incident response realities

    • regulatory environments relevant to digital platforms (GDPR, NIS2, etc.)

  • Proven experience engaging with:

    • engineering teams

    • legal / compliance functions

    • senior leadership

Mindset & skills

  • Ability to translate technical risk into business language

  • Comfortable operating in evolving, build-mode environments

  • Pragmatic, outcome-oriented approach

  • Strong communication and facilitation skills

  • Ability to challenge constructively (upwards and laterally)

Nice to have

  • Experience in marketplace or digital platform environments

  • Exposure to group / multi-entity governance models

  • Incident response or CSIRT background

  • Knowledge of risk frameworks (ISO 27005, NIST RMF), without dogmatism

Job Responsibilities

  1. Cyber risk management (core mission)

  • Own and maintain the leboncoin cyber risk register

  • Identify, assess, prioritise and track cyber risks related to:

    • marketplace activities

    • products and platforms

    • data flows

    • critical systems, infrastructures and services

    • third-party and partner ecosystem

  • Translate technical security issues into business-impact-oriented risk statements

  • Support executive decision-making on:

    • risk mitigation

    • risk acceptance

    • risk transfer

  • Track the implementation of risk treatment plans, identify gaps and escalate delays or weaknesses to the appropriate governance bodies

  2. Governance, traceability & group alignment

  • Act as the local point of contact for Adevinta’s cybersecurity governance

  • Adapt group security principles, policies and risk frameworks to leboncoin’s context

  • Prepare and deliver cyber risk reporting to:

    • leboncoin executive management

    • Adevinta Group CISO and governance committees

  • Ensure traceability of risk decisions, including acceptance, mitigation and transfer

  • Clarify and formalise responsibilities between central and local security teams

  3. Policies, standards & risk control oversight (pragmatic approach)

  • Own the local cybersecurity policy and standards framework

  • Ensure policies are:

    • aligned with group requirements

    • proportionate to actual risks

    • understandable and usable by teams

  • Assess the adequacy and effectiveness of security controls against identified risks

  • Coordinate internal security control activities (without acting as an audit function)

  • Contribute to security by design initiatives with Product & Architecture Security

  4. Third-party & supply chain risk

  • Own cybersecurity risk management for leboncoin vendors, partners and suppliers

  • Define risk-based security requirements for third parties

  • Support procurement, legal, product and tech teams during the onboarding and integration of vendors or any other third party by providing security technical review and security contract review and adjustment

  • Ensure ongoing tracking of third-party cyber risks and related treatment plans

  5. Incident & crisis contribution

  • Provide a business risk perspective during security incidents:

    • impact assessment

    • regulatory, contractual and reputational considerations

  • Support executive-level crisis communication preparation and decision-making

  • Ensure post-incident lessons learned are reflected in the risk register and governance

  6. Regulatory compliance & cross-functional coordination

  • Contribute to cybersecurity regulatory obligations (e.g. NIS2) through a risk-based governance approach

  • Work closely with the DPO, without replacing their legal responsibilities

  • Contribute to data protection risk assessments (e.g. DPIAs) on cybersecurity aspects

  • Identify and track cyber risks related to AI-based systems, in coordination with product, legal and compliance teams

  7. Security culture & enablement

  • Help product, tech and business teams understand their cyber risk ownership

  • Contribute to security awareness and training initiatives

  • Promote shared accountability for cyber risk across the organisation

What this role is not

  • Not a SOC analyst role

  • Not an audit role

  • Not a technical control implementation role

  • Not a blocker for product or engineering teams

This role exists to enable informed decisions and clear accountability, not to say “no by default”.

Job Benefits

  • Pleasant working conditions
  • Attractive remuneration
  • Opportunities for rapid, tailored professional development
  • A meal voucher card
  • Effective and competitive health insurance and pension coverage
