Credit Direct Limited is a non-bank finance company headquartered in Lagos, Nigeria. The company was established in 2006 and is focused on providing payroll-based consumer loans to eligible individuals. The company currently operates in 25 states in Nigeria, including the Federal Capital Territory, Abuja. With a staff strength of over 1000 employees and an active customer base in excess of 300,000, Credit Direct Limited is positioning itself to become the dominant market leader in the unsecured micro-lending (payroll lending) space in Nigeria and indeed Sub-Saharan Africa.
Job Summary
To protect Credit Direct Limited's information assets, technology infrastructure, and customer data by implementing and sustaining a robust security compliance framework. The role is responsible for continuous security monitoring, compliance testing, proactive threat modelling, and coordinating incident response, ensuring the organisation remains resilient against evolving cyber threats and fully aligned with applicable regulatory obligations including the CBN Cybersecurity Framework, NDPR/NDPA, PCI-DSS, and ISO 27001.
Security Compliance Monitoring
- Design, implement, and manage a continuous security compliance monitoring programme covering network, application, endpoint, and cloud environments.
- Monitor compliance with the CBN Cybersecurity Framework, NDPR/NDPA, ISO 27001, PCI-DSS, and other applicable standards.
- Develop and maintain compliance dashboards and real-time alerting mechanisms for security control deviations.
- Conduct periodic compliance assessments against regulatory baselines and internal security policies.
- Track remediation of identified compliance gaps and report status to the Head of Systems Audit & Security Compliance.
- Maintain an up-to-date register of all applicable security regulations, frameworks, and control obligations.
- Liaise with regulators, external auditors, and certification bodies on compliance reviews and audit exercises.
Security Testing
- Plan, coordinate, and execute regular security testing activities including vulnerability assessments, penetration testing, and red team exercises.
- Conduct application security testing (SAST/DAST) on Credit Direct's digital platforms, APIs, and mobile applications.
- Perform configuration reviews of network devices, servers, cloud infrastructure, and identity management systems.
- Validate security controls effectiveness through structured control testing and evidence-based assurance.
- Manage relationships with third-party penetration testing vendors and review their deliverables for quality and completeness.
- Track, prioritise, and drive remediation of vulnerabilities identified through testing activities.
- Produce detailed security testing reports with risk-rated findings and actionable recommendations.
Threat Modelling
- Develop and maintain a structured threat modelling programme using industry frameworks (STRIDE, MITRE ATT&CK, PASTA).
- Conduct threat modelling exercises for new products, platforms, system changes, and third-party integrations prior to deployment.
- Identify attack vectors, threat actors, and potential impact scenarios relevant to Credit Direct's business model and technology stack.
- Produce threat landscape reports and advisories for consumption by IT, Product, and Senior Management.
- Map identified threats to existing controls and identify control gaps requiring remediation.
- Maintain and update the organisation's threat register in alignment with the evolving Nigerian and global cyber threat environment.
- Collaborate with IT Architecture and Product Development teams to embed security-by-design principles.
Incident Response & Reporting
- Develop, maintain, and test Credit Direct's Incident Response Plan (IRP) in alignment with CBN and NDPC requirements.
- Serve as a key responder in the identification, containment, eradication, and recovery phases of security incidents.
- Lead or support digital forensic investigations in collaboration with IT, Legal, and where applicable, law enforcement agencies.
- Ensure timely regulatory notification of security incidents to the CBN, NITDA/NDPC, and other bodies as required by law.
- Produce post-incident analysis reports including root cause analysis, lessons learned, and corrective action plans.
- Coordinate tabletop exercises and incident simulation drills to test organisational readiness.
- Maintain an incident register and track the closure of all incident-related remediation actions.
- Report incident trends, key risk indicators, and security metrics to Management and Board-level committees as required.
Other Support
- Ensure compliance with relevant laws, regulations, and internal policies related to information security and data protection.
- Maintain up-to-date knowledge of regulatory changes, emerging threats, and industry best practices.
- Support security awareness training and communicate compliance obligations to staff across the organisation.
- Other general administrative duties and responsibilities as assigned by the Head of Unit/Department.
Job Requirements:
Education/Professional Qualification:
- B.Sc. in STEM, Management Sciences or a related field.
- Recognized industry certifications in cybersecurity and information security (e.g., CISSP, CISM, CEH, CompTIA Security+, OSCP, ISO 27001 Lead Implementer/Auditor, CISA).
- Additional certifications in incident response or threat intelligence (e.g., GCIH, GCFE, CTIA) are an advantage.
Experience:
- Minimum 3 years of relevant experience in cybersecurity, information security compliance, or a related function.
- Demonstrable hands-on experience in at least two of the four core areas: security monitoring, security testing, threat modelling, or incident response.
- Experience in financial services, fintech, or digital lending is strongly preferred.
- Familiarity with the CBN Cybersecurity Framework, NDPR/NDPA, and PCI-DSS is required.