Head of Cyber Security Governance, Risk and Compliance

London
4 days ago

The Role
Group Cyber Security Overview
The Group Cyber Security team is responsible for ensuring that cyber risk is managed appropriately across the Group. The cyber strategy has been updated, with a renewed focus recognising that cyber security needs to be part of the Group's culture and DNA.
The Group operates a highly federated business model. The cyber strategy has considered the most effective way to build improved cyber capabilities while supporting the effectiveness of this operating model.
It's an exciting time to join the Group Cyber Security team, a time of significant investment. Under the new strategy, Group Cyber Security will be responsible for setting the cyber standard and measuring compliance with this standard for all businesses within the Group. A multi-year transformation programme has been established to build improved cyber capabilities. This is a diverse programme touching all areas of cyber security. This permanent role will play a key part in shaping and supporting the delivery of the transformation programme, before assuming responsibility for embedding, operating, and continually improving the new initiatives as they transition into business-as-usual.
Role Summary
The Head of Cyber Security Governance, Risk & Compliance (GRC) serves as the driving force behind the Group's vision for world-class cyber resilience and is accountable for defining and advancing the enterprise cyber risk and assurance strategy. This role champions a culture of proactive risk management, robust governance, and unwavering compliance, ensuring that the Group not only meets, but sets, the standard for information security across a complex, global business landscape.
Through the cultivation of strong partnerships across divisions and leadership, the Head of GRC empowers the organisation to anticipate emerging threats, adapt to regulatory change, and embed security at the core of every decision, enabling the Group to achieve its objectives securely in a rapidly evolving digital world.
Role Responsibilities/Accountabilities
Key Responsibilities:

  1. Governance
    • Define and maintain the cyber security governance framework, policies, and standards.
    • Lead the liaison with divisional GRC roles, supporting the development and maintenance of the GRC operating model and framework.
    • Ensure alignment with the Cyber Standard and global regulatory requirements (e.g., NIS2, GDPR).
    • Provide direction on cyber security tooling relating to governance and assurance objectives.
    • Collaborate with the Technical Assurance team to define and implement metrics and reporting standards for divisions.
    • Chair governance forums and provide regular reporting to senior leadership and audit committees.
    • Plan, coordinate and facilitate Security Working Group (SWG) meetings.
    • Assist in the preparation of board papers and materials for annual reporting and Group level risk management.
  2. Risk Management
    • Develop and implement enterprise-wide cyber risk management processes.
    • Lead risk quantification initiatives by implementing risk quantification methodologies and developing metrics to measure and communicate risk reduction.
    • Provide assurance that cyber risks are identified, assessed, and mitigated across all divisions.
    • Maintain and update risk registers, ensuring Group risks are accurately captured, assessed, and managed.
    • Conduct and oversee risk assessments at Group level in support of all divisions and business units.
    • Track and manage deviations from policy, including the documentation and approval of exceptions.
    • Conduct horizon scanning for regulatory changes and emerging cyber security requirements, ensuring the risk landscape is proactively managed.
  3. Compliance & Assurance
    • Build and lead the non-automated second line assurance capability to monitor compliance with the Group's cyber standard.
    • Oversee readiness for internal audits and external regulatory reviews, liaising with internal audit and external bodies to support audit activities, address findings, and drive remediation.
    • Report monthly on GRC and assurance activities to senior management and divisional stakeholders.
    • Respond to ad-hoc reporting requests from divisions, business units, and senior management.
  4. Third Party Security
    • Develop the strategy for third party cyber security. Deliver a step change in third party security capabilities through the Third Party Management workstream of the cyber transformation programme.
    • Manage cyber security third-party risk and assurance, at point of contract and through ongoing assurance.
    • Deliver a demonstrable and measurable reduction in third party cyber security risk.
  5. Strategic Leadership
    • Lead the Group Cyber Security GRC function, establishing a robust second line of defence and embedding risk-based decision-making.
    • Provide strategic direction on GRC initiatives, ensuring continuous improvement and alignment with business objectives whilst supporting the delivery of the cyber transformation programme.
    • Act as a trusted advisor to the CISO and senior stakeholders on governance and compliance matters.
    • Influence organisational culture to embed security awareness and risk-based thinking.
    • Work in partnership and collaborate across verticals with the Group Cyber Security (GCS) Leadership Team.
  6. Stakeholder Engagement
    • Collaborate with divisional GRC functions, BISOs, legal, finance, and operational teams to ensure integrated risk management.
    • Represent the Group in external forums and regulatory engagements.
    • Build and maintain trusted relationships with senior stakeholders, demonstrating a personable and collaborative approach.
    • Ensure positive engagement and communication with all internal and external stakeholders.
Experience, Knowledge, Skills & Attributes
Essential
  • 7+ years' experience in governance, risk, and compliance within a large, complex organisation.
  • Strong knowledge of cyber security frameworks (ISO 27001, NIST, CIS Controls).
  • Expertise in regulatory compliance (GDPR, NIS2, SOX).
  • Excellent leadership, communication, and influencing skills.
  • Professional certifications such as CISSP, CISM, CRISC.
  • Proven experience developing and implementing enterprise-wide cyber risk management processes.
  • Excellent collaboration skills with cross-functional teams.
  • Strong relationship-building and communication skills, with a personable and credible approach.
Desirable
  • Experience in a federated business model.
  • Familiarity with risk quantification tools and methodologies.
  • Ability to drive cultural change and embed security awareness.
  • Experience building a strong relationship with internal audit.
  • Experience implementing an effective third party security risk management service.


If you want to stand out in the highly competitive world of cyber security job applications, you need to understand what hiring managers look for before they even finish reading a CV. Cyber security hiring managers scan applications quickly and with specific priorities in mind. They assess not just your technical ability, but your judgement, professionalism, clarity, risk awareness and evidence of impact. This guide explains what hiring managers look for first in cyber security applications across roles like Security Analyst, Security Engineer, Penetration Tester, Incident Responder, Security Architect, Governance Risk and Compliance specialists and Cloud Security positions. Use this as a practical, step-by-step checklist to sharpen your CV, LinkedIn profile, cover letter and portfolio before you apply on www.cybersecurityjobs.tech .