Title: Head of Cyber Security Governance, Risk and Compliance
Reference No: 2154
Company: FTSE100
Location: London – 3 days in the office (Tuesday – Thursday), plus the other 2 days if required for specific meetings
Working pattern: This hybrid role is a 37.5 hour week, Monday – Friday
Reports to: Group CISO
Salary: £110K - £120K
The Role
Group Cyber Security Overview
The Group Cyber Security team are responsible for ensuring that cyber risk is managed appropriately across the Group. The cyber strategy has been updated and there is a renewed focus recognising that cyber security needs to be part of the Group's culture and DNA.
The Group operates a highly federated business model. The cyber strategy has considered the most effective way to build improved cyber capabilities while supporting the effectiveness of this operating model.
It’s an exciting time to join the Group Cyber Security team – a time of significant investment. With the adoption of the new strategy, Group Cyber Security will be responsible for setting the cyber standard and measuring compliance with this standard for all businesses within the Group. A multi-year transformation programme has been established to build improved cyber capabilities. This is a diverse programme touching all areas of cyber security. This permanent role will play a key part in shaping and supporting the delivery of the transformation programme, before assuming responsibility for embedding, operating, and continually improving the new initiatives as they transition into business‑as‑usual.
Role Summary
The Head of Cyber Security Governance, Risk & Compliance (GRC) serves as the driving force behind the Group's vision for world-class cyber resilience and is accountable for defining and advancing the enterprise cyber risk and assurance strategy. This role champions a culture of proactive risk management, robust governance, and unwavering compliance, ensuring that the Group not only meets, but sets, the standard for information security across a complex, global business landscape.
Through the cultivation of strong partnerships across divisions and leadership, the Head of GRC empowers the organisation to anticipate emerging threats, adapt to regulatory change, and embed security at the core of every decision, enabling the Group to achieve its objectives securely in a rapidly evolving digital world.
Role Responsibilities/Accountabilities
Key Responsibilities:
1. Governance
• Define and maintain the cyber security governance framework, policies, and standards.
• Lead the liaison with divisional GRC roles, supporting the development and maintenance of the GRC operating model and framework.
• Ensure alignment with the Cyber Standard and global regulatory requirements (e.g., NIS2, GDPR).
• Provide direction on cyber security tooling relating to governance and assurance objectives.
• Collaborate with the Technical Assurance team to define and implement metrics and reporting standards for divisions.
• Chair governance forums and provide regular reporting to senior leadership and audit committees.
• Plan, coordinate and facilitate Security Working Group (SWG) meetings.
• Assist in the preparation of board papers and materials for annual reporting and Group level risk management.
2. Risk Management
• Develop and implement enterprise-wide cyber risk management processes.
• Lead risk quantification initiatives by implementing risk quantification methodologies and developing metrics to measure and communicate risk reduction.
• Provide assurance that cyber risks are identified, assessed, and mitigated across all divisions.
• Maintain and update risk registers, ensuring Group risks are accurately captured, assessed, and managed.
• Conduct and oversee risk assessments at Group level in support of all divisions and business units.
• Track and manage deviations from policy, including the documentation and approval of exceptions.
• Conduct horizon scanning for regulatory changes and emerging cyber security requirements, ensuring the risk landscape is proactively managed.
3. Compliance & Assurance
• Build and lead the non-automated second line assurance capability to monitor compliance with the Group's cyber standard.
• Oversee readiness for internal audits and external regulatory reviews, liaising with internal audit and external bodies to support audit activities, address findings, and drive remediation.
• Report monthly on GRC and assurance activities to senior management and divisional stakeholders.
• Respond to ad-hoc reporting requests from divisions, business units, and senior management.
4. Third Party Security
• Develop the strategy for third party cyber security. Deliver a step change in third party security capabilities through the Third Party Management workstream of the cyber transformation programme.
• Manage cyber security third-party risk and assurance, at point of contract and through ongoing assurance.
• Deliver a demonstrable and measurable reduction in third party cyber security risk.
5. Strategic Leadership
• Lead the Group Cyber Security GRC function, establishing a robust second line of defence and embedding risk-based decision-making.
• Provide strategic direction on GRC initiatives, ensuring continuous improvement and alignment with business objectives whilst supporting the delivery of the cyber transformation programme.
• Act as a trusted advisor to the CISO and senior stakeholders on governance and compliance matters.
• Influence organisational culture to embed security awareness and risk-based thinking.
• Work in partnership and collaborate across verticals with the GCS Leadership Team.
6. Stakeholder Engagement
• Collaborate with divisional GRC functions, BISOs, legal, finance, and operational teams to ensure integrated risk management.
• Represent the Group in external forums and regulatory engagements.
• Build and maintain trusted relationships with senior stakeholders, demonstrating a personable and collaborative approach.
• Ensure positive engagement and communication with all internal and external stakeholders.
Experience, Knowledge, Skills & Attributes
Essential
• 7+ years' experience in governance, risk, and compliance within a large, complex organisation.
• Strong knowledge of cyber security frameworks (ISO 27001, NIST, CIS Controls).
• Expertise in regulatory compliance (GDPR, NIS2, SOX).
• Excellent leadership, communication, and influencing skills.
• Professional certifications such as CISSP, CISM, CRISC.
• Proven experience developing and implementing enterprise-wide cyber risk management processes.
• Excellent collaboration skills with cross-functional teams.
• Strong relationship-building and communication skills, with a personable and credible approach.
Desirable
• Experience in a federated business model.
• Familiarity with risk quantification tools and methodologies.
• Ability to drive cultural change and embed security awareness.
• Experience building a strong relationship with internal audit.
• Experience implementing an effective third party security risk management service.