Cyber Advisor Lead - London

IT/Information/Cyber Security
Ref: 199 Date Posted: Monday 25 May 2026
Title: Cyber Advisory Lead
Reference No: 2162
Company: FTSE 100
Reports to: Cyber Advisory Services Manager
Location: London
Working Pattern: 37.5 hours per week, Monday – Friday. Location: London/Peterborough, with potential travel to divisional sites as required by advisory engagements (hybrid working arrangements in place).
Salary: £59,000 - £72,000
Benefits: Bupa, matched pension contributions.
 
The Role
 
Group Cyber Security Overview
The Group Cyber Security (GCS) team is responsible for managing cyber risk appropriately across the Group and has recently refreshed its cyber strategy, with a renewed focus on embedding cyber security as part of the culture and DNA. The Group operates a highly federated business model spanning 11 divisions and over 50 countries, and the cyber strategy has been designed to build materially improved security capabilities whilst working with a divisional focus.
It is an exciting time to join GCS. We are in a period of significant investment, with a multi-year transformation programme under way to build new security capabilities at pace. GCS sets the Group cyber standard, measures compliance against it across all the businesses, and delivers a portfolio of centrally managed security services that divisions can rely on.
The Cyber Advisory Services function is the critical bridge between Group standards and divisional reality – translating GCS expertise into practical, context-sensitive support that helps divisions understand, adopt, and embed the Group cyber standard in their specific environments.
 
Role Summary
Reporting to the Cyber Advisory Services Manager, the Cyber Advisory Lead is a senior individual contributor and the primary delivery resource within the advisory function. The role provides expert cyber security advice and guidance directly to the divisions, business units, and Group functions – operating as a trusted consultant who helps translate Group cyber standards into practical action on the ground. The Cyber Advisory Lead is the person divisions call when they need a credible, knowledgeable partner to work through a cyber security challenge with them: someone who understands both the Group standard and the operational reality of divisional environments.
The role delivers a wide range of advisory services including technical standards interpretation and guidance, firewall rule base and security policy review, security input to non-functional requirements for Group and divisional programmes, and advisory support to merger, acquisition, and divestiture activity. The Cyber Advisory Lead also plays a key role in managing and briefing flexible resources drawn from the GCS resourcing pool, ensuring they are deployed effectively and maintain the quality standards expected of the advisory function. This is a hands-on role that demands breadth, consulting confidence, and the ability to calibrate advice to the needs and maturity of each divisional audience.
 
Role Responsibilities / Accountabilities
Technical Standards Advisory & Interpretation
•              Act as the primary advisory point of contact for divisions and business units seeking guidance on the interpretation and application of Group cyber technical standards; provide clear, practical, and risk-proportionate advice that helps divisions understand what compliance looks like in their specific environment.
•              Translate Group technical standards into actionable divisional guidance; develop worked examples, implementation notes, and practical toolkits that make standards easier for divisional IT and security teams to adopt without losing the intent of the underlying requirement.
•              Capture intelligence from advisory engagements – recurring questions, implementation blockers, divisional gaps – and feed it back to the Cyber Advisory Services Manager to inform improvements to standards, guidance materials, and the advisory service offering.
Rule Base Assessment & Security Policy Review
•              Plan and conduct firewall rule base reviews and security policy assessments for Group and divisional environments; identify technical debt, overly permissive rules, obsolete entries, and configuration drift, and produce clear, risk-prioritised findings reports with actionable remediation guidance.
•              Review and assess security policy change requests from divisions, evaluating proposed changes against Group standards and architectural principles and providing a clear recommendation with supporting rationale; act as a constructive challenge function rather than a bureaucratic gate.
•              Support divisional teams in understanding and implementing remediation actions following rule base and policy reviews; track agreed actions to closure and provide follow-up assurance that improvements have been embedded sustainably.
Non-Functional Security Requirements
•              Engage with Group and divisional programme teams to define and validate non-functional security requirements (NFRs); ensure that security properties – covering authentication, authorisation, encryption, logging, resilience, and data classification – are specified clearly and in a form that project and engineering teams can act on.
•              Apply the Group NFR library to programme and project engagements, tailoring standard requirements to the specific technology context; identify where project proposals deviate from Group security expectations and work with project teams to find compliant or risk-accepted alternatives.
•              Contribute to the ongoing development and maintenance of the Group NFR library; identify gaps, outdated requirements, and emerging security considerations that should be reflected in standard NFR content.
M&A, Project & Programme Advisory Support
•              Provide cyber security advisory input to merger, acquisition, and divestiture activity, supporting the Cyber Advisory Services Manager in delivering the GCS M&A workstream; conduct cyber due diligence assessments, identify security risks associated with target entities, and develop recommendations for integration or separation.
•              Support the delivery of cyber advisory input to Group and divisional strategic programmes – including technology transformations, cloud migrations, and ERP deployments – ensuring security considerations are raised and addressed at the right stage of each programme lifecycle.
•              Produce high-quality advisory outputs – reports, briefing notes, findings summaries, and recommendations – that reflect well on GCS and provide divisional stakeholders with clear, actionable intelligence.
Flexible Resource Management & Divisional Engagement
•              Support the Cyber Advisory Services Manager in managing the GCS flexible resourcing pool; brief and onboard flexible resources ahead of divisional deployments, maintain quality standards throughout engagements, and provide day-to-day direction to consultants and contractors working within the advisory function.
•              Build and maintain trusted working relationships with divisional security leads, IT directors, and BISOs; position yourself as an accessible, credible, and practically-minded partner who divisions want to engage with rather than a compliance overhead.
•              Act as an active intelligence gatherer during divisional engagements; identify common challenges, recurring themes, and emerging risks across the estate, and feed structured insight back to the Cyber Advisory Services Manager and the wider GCS Leadership Team.
 
Experience, Knowledge, Skills & Attributes Essential
Experience
•              6+ years in cyber security, with a significant portion in advisory, consulting, or technical security roles requiring breadth across multiple domains.
•              Demonstrable experience delivering cyber security advisory services to business units or divisions within a large organisation, or to enterprise clients as an external consultant.
•              Hands-on experience conducting firewall rule base reviews and security policy assessments, producing structured findings reports with risk-prioritised recommendations.
•              Experience defining or reviewing non-functional security requirements for technology programmes, and the ability to translate security standards into specific, measurable project requirements.
•              Experience providing cyber security input to M&A or other major business change programmes, including due diligence support and integration planning.
Knowledge & Skills
•              Broad technical knowledge spanning the core cyber security domains – network security, identity and access management, endpoint protection, cloud security, application security, and data protection – sufficient to advise credibly across all of them.
•              Strong consulting and communication skills: able to listen carefully, form a well-reasoned view, and articulate it clearly – whether in a written advisory report, a divisional workshop, or a one-to-one conversation with a BISO or IT director.
•              Ability to translate Group technical standards into practical, context-sensitive guidance that maintains the intent of the standard while acknowledging legitimate operational constraints of the division.
•              Strong written output skills; able to produce high-quality advisory reports and briefing materials that are accurate, clearly structured, and appropriate for a senior divisional or Group audience.
Qualifications
•              Degree-level education in computer science, information security, or a related discipline; or equivalent professional experience.
•              Professional certification in cyber security: CISSP, CISM, CompTIA Security+, or equivalent demonstrating technical breadth.
 
Experience, Knowledge, Skills & Attributes Desirable
Experience
•              Experience within a Big Four, specialist cyber consultancy, or in-house advisory function of a large FTSE-listed organisation, delivering structured advisory engagements at pace.
•              Experience in an FMCG, food and beverage, retail, or manufacturing environment, with an appreciation of the security challenges of a federated, operationally diverse estate.
•              Experience directly supporting or delivering the cyber workstream of an M&A transaction, from initial due diligence through to integration planning.
•              Experience directing or providing quality oversight to flexible resourcing or contractor teams within an advisory or consulting context.
Knowledge & Skills
•              Familiarity with firewall policy review tooling (e.g. Tufin, AlgoSec, FireMon) and structured methodologies for rule base analysis and optimisation.
•              Working knowledge of: Microsoft E5/Defender, Zscaler, Qualys, Abnormal Security, Axonius, sufficient to provide advisory guidance without requiring specialist platform engineering support for routine questions.
•              Knowledge of ISO/IEC 27001:2022 and NIST CSF 2.0, and how these frameworks underpin the Group technical standards and ISMS programme.
Qualifications
•              ISO/IEC 27001 Lead Auditor or Lead Implementer, supporting familiarity with the standards framework underpinning the Group ISMS.
•              Membership of a recognised professional body (CIISec, ISACA, (ISC)², BCS) is welcome.