Security and Compliance Analyst

Job Description

SECURITY & COMPLIANCE ANALYST JOB DESCRIPTION

Job Title:
 Security&Compliance Analyst

Department:
 Software Engineering

Reports to:
 Head of Technology

Direct Reports:
 0

Location:
 Nairobi Kenya

Job Purpose

The Security and Compliance Officer is responsible for keeping our systems, applications, and data secure. This person will champion all security-related work-setting up policies, handling incidents, checking for risks, and making sure we follow important standards like PCI DSS, ISO 27001, GDPR, and any other relevant guidelines. They will also train staff, manage access controls, and respond to client and audit requests.

The role is hands-on and requires someone who can take full ownership of security and compliance from the ground up.

Key Roles and Responsibilities

• Establish and manage the company's security processes, including policies, tools, workflows, and documentation.
• Monitor all applications and systems daily to identify and respond to potential threats or unusual activity.
• Monitor, manage, and update the SIEM system to detect and respond to security threats. This includes setting up alerts, reviewing logs, investigating incidents, and ensuring all key systems are sending data to the SIEM.
• Maintain access control mechanisms including user provisioning, de-provisioning, and role-based access
• Handle all reported security issues-investigate, resolve, and ensure proper communication and follow-up within the SLA.
• Develop clear security playbooks and procedures for incident response, access control, and reporting.
• Conduct regular system and application checks to identify vulnerabilities and work with the team to resolve them.
• Identify and mitigate security vulnerabilities in coordination with relevant teams.
• Ensure compliance with relevant standards and regulations, including PCI DSS, ISO 27001, GDPR, CBK guidelines, and others as required.
• Maintain detailed records of incidents, and actions taken, and prepare periodic security reports for management.
• Manage access rights across systems,ensure proper permissions, regular reviews, and timely updates.
• Support the implementation of encryption and secure communication protocols to ensure the security of data in transit.
• Support client and auditor requests related to security by providing clear responses and documentation.
• Train staff on basic security practices and ensure team members follow the company's security policies.
• Actively support employee onboarding by leading training sessions on relevant topics and providing departmental introductions to new hires.
• Stay updated on evolving security threats, tools, and regulatory changes, and ensure internal practices are updated accordingly.
• Support access control management within infrastructure environments, ensuring appropriate permissions are granted and reviewed periodically.
• Participate in daily stand-ups, planning meetings, and retrospectives to learn agile development rhythms.
• Perform any other duties as required to support the business in response to evolving needs, changes, and growth.

Requirements

Qualifications

• Bachelor's or Master's degree in Cybersecurity, Information Technology, Computer Science, or a related field.
• At least 4 years of experience in information security, cybersecurity, or IT risk management.
• Knowledge of firewalls, intrusion detection systems, SIEM, and antivirus software.
• Experience with security frameworks (ISO 27001, NIST, CIS Controls, etc.).
• Familiarity with network security, penetration testing, and incident response.
• Strong understanding of cloud security (AWS, Azure, GCP).
• Certifications such as CISSP, CISM, CEH, or CompTIA Security+ (preferred).
• Excellent problem-solving, analytical, and communication skills.

Preferred Skills

• Experience in application and system security.
• Knowledge of PCI DSS, ISO 27001, GDPR and regulatory guidelines.
• Familiar with common security risks and how to prevent them.
• Strong incident response skills, including investigation and reporting.
• Able to set up and manage security tools (e.g., vulnerability scanners, monitoring tools).
• Clear communicator, able to explain risks and requirements to different teams.
• ​Proficiency in Wazuh management for effective threat detection, log analysis, and compliance reporting.