Head of Risk and Compliance

Contract Type Location Apply
Permanent London, Paris, Valencia or Munich here
The Role

As the Head of Risk and Compliance, you will work alongside the Group Security management team and act as an ambassador for PhotoBox Group’s compliance culture and standards, enabling the highest standards of compliance with GDPR and PCI. You will advise the company on the impact of regulation on all aspects of the business, while creating a modern risk culture powered by real-time risk visualisation and monitoring.

What will you do?
  • Take overall responsibility for managing and developing PhotoBox Group’s risk and compliance systems
  • Advise in the creation and implementation of risk and compliance policies, regularly presenting issues and recommendations
  • Ensure compliance with GDPR and PCI, and be the key point-of-contact for the four main EU Supervisory Authorities (UK, France, Spain and Germany)
  • Take responsibility for all risk and compliance policies and complete annual reviews, proposing improvements to better manage risk
  • Manage the further development of PhotoBox Group’s risk assessment system, ensuring that each matter is managed and monitored by the appropriate system and that the various risk controls are populated
  • Support investigations into any breaches -- or potential breaches -- and report on possible violations of, or legal jeopardy posed by, all regulations and statutes covering Photobox Group
Who are you?
  • Well versed in the range of risk management frameworks, including but not limited to operational, financial, data protection, and information security
  • Strong understanding of emerging UK and European legislation, such as IDD and GDPR, codes of practice and industry guidelines potentially affecting the Photobox Group
  • Able to form close working relationships and influence senior stakeholders
  • Able to operate effectively within a fast-paced organisation.
  • Educated to degree level (or equivalent)
Tech Stack
  • GRC, ISMS, GDPR, PCI, ISO 27001
  • Security Policies, Risk Management
  • Risk Visualisation
  • Python, R (language)

Challenges (required)

#1: Setup GitHub and Jekyll

In order to respond to the challenges in a scalable and collaborative way, we ask candidates to use a Jekyll based website. which will be setup for you.

  1. clone the repo https://github.com/project-cx/pbx-candidate-answers
    • if you are happy for your answers to be publicly available, you can just fork it
    • note that GitHub charges for private repos, but BitBucket doesn’t
  2. set-up dev/test environment (optional, but will help when writing content or modifying the template)
    • if you are running locally, setup Jekyll to run the build (either on your host or using docker).
    • if you are running from GitHub, in your repo settings, set the master brach to host the GitHub pages site
  3. add your answers as an entry to _posts folder (see examples)
  4. push your changes to your repo
  5. send us an email to project-cx@photobox.com with a link to your repo
  6. we will reply with more details and a link to an Slack organisation

Note that depending on your CV and how you rate against other candidates, we will ask you do submit a couple more challenges

Important: Don’t wait until you have all the answers to ping us (step #5). Part of the evaluation is to see how your work evolve and how we collaborate together

#2: Develop and Attract Talent
Describe a time when you had to give constructive feedback to a direct report that was not well received. How did you handle the situation?
Describe the steps you have taken to foster a positive team environment that encouraged your direct reports to do their best.
Describe a time when you transformed a struggling team member into a major contributor.
#3: Programming Experience

How much programming experience do you have?

  • What languages can you program in?
  • What is your favorite language and why?
  • How do you use those skills in real-work (business) situations
#4: Inspirational Leaders

Describe three inspirational leaders who you’d like to work for. They must be alive today.

  • Tell us why you’d like to work for them
  • Create a graph showing how you could get a job offer to work for them
#5: PII Data Breach

By the nature of the business, our servers host our customers images and personal information i.e. name, address, email address, etc.

The following are two possible scenarios:

  • Photobox has discovered a data breach that has allowed millions of our customers images to be exposed online. These images were not available in the public domain and may contain photographs of children, elderly relatives and residential property
  • Photobox has discovered a data breach that has allowed millions of our customers name, address, password and email address to be exposed online. There is no credit card or financial information within the data breach

Of these two scenarios, which do you deem to be the most serious and why?

Key Questions

  • Which of the above constitutes PII data?
  • Which of the above would you report to the ICO or relevant body?
  • Would you contact the customers affected in both scenarios?

Define your involvement with PCI/DSS;

  • Have you been involved in a PCI/DSS certification process
  • What are your views of this standard?
    • Current version vs original versions
    • What is new/interesting in the latest version?
  • Where does PCI/DSS work?
    • Where doesn’t it work?
    • What would you do better?
  • Should PCI/DSS be a company wide standard for websites that handle customer data?

Challenges (optional)

#1: Role Model
Describe a time when you set a positive example that had a significant impact on peers or direct reports.
Describe a time when you motivated others through your commitment to delivering results.
Describe a time when you demonstrated to others the importance of taking accountability for business outcomes.
#2: Open Source vs Proprietary Software

Write a business, technical and moral case:

  • for open source vs proprietary software
  • for proprietary software vs open source
#3: JIRA Workflows

Photobox Group Security uses JIRA for risk management and acceptance.

Our team, outputs and philosophy is based around graphs and workflows.

Below is a risk acceptance workflow, critique this workflow and tell us what you would do differently.

#4: Risk Management and Acceptance

Photobox Group Security uses JIRA for risk management and acceptance.

  • Which tools have you used to manage this process?
    • Was this your decision or a business led choice?
  • What barriers have you faced in using this tool?
  • Given a choice, what would be your preferred method/tool for risk management and acceptance and why?
  • What do you think of using JIRA for managing risks (and risk decisions)?

Why else should you be interested?

Quite simply, you don’t like standing still. You are passionate about working on different and ambitious projects from Day 1 - otherwise you’d be bored! You thrive on working with people from different nationalities, different cultures and languages. You want to work within a successful and recognised company, but you also want the freedom to bring forward your own solutions and to make your own impact. You want to work somewhere where people really do know each other by name and where they genuinely want to help and challenge each other to learn, be better and more innovative every day. Most importantly, you want to work in a business where spreading joy is the mission and where we all have fun making it happen.

Photobox Group Security mission and principles

Our mission is to secure the magic moments created by our customers, across all our brands. Our operating principles define what we focus on and how we make decisions. We hold ourselves accountable against these principles.

  1. We are enablers for the organisation, not blockers
  2. We drive transparency and accountability in risk management
  3. We minimise vulnerabilities
  4. We hack ourselves first
  5. We educate and empower our internal stakeholders and developers
  6. We contribute to adding financial value

Why join Photobox Group Security?

PhotoBox Group Security is a trusted, high-energy, empowered, and proactive team. If you are looking for a place to make a difference, learn a lot, be part of a highly productive team, and are able to work collaboratively with all parts of the business, this is the place for you.

We have a great culture, with a very horizonal structure. We expect you to be knowledgeable, trustworthy, empowered, friendly, focused, and responsible.

How to apply

In order to provide a fair and objective recruitment process, before we invite you for face-to-face interviews, we ask you to submit your answers to theoretical and practical challenges. This helps us to identify your suitability and experience level.

Each challenge should take no longer than 10 - 15 minutes to complete, however, in order to highlight your key skills, you may take longer than the suggested time if you wish.

Please see below SOME OF THE CHALLENGES we might ask you to do (we customise these based on your experience and CV)

About us

Photobox Group is Europe’s leading digital consumer service for personalised products and gifts and parent of the Photobox, Moonpig, Hofmann and posterXXL brands.

Creative Commons License

© 2018, Photobox Group Security. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.


Photobox Group Security
Unit 7, Metal Box Factory
30 Great Guildford Street