Cyber and IT Risk Manager

The Purpose of the Cyber & IT Risk Manager is to complement and enhance Johnson Matthey’s cyber security and IT/OT risk posture by identifying, assessing, analysing and communicating IT and cyber-security risks, and both the existence and efficacy of controls relating to those risks. The role is responsible for ensuring that the organisation understands, prioritises and appropriately manages its cyber and IT risks, with clear ownership and action plans being defined and progressed.

Your responsibilities:

• Develop, implement, schedule and drive a cyber and IT risk management program which includes regular assessment, prioritisation, and review of remediation and mitigation activities, with clearly defined management ownership.
• Ensure that the risk management program is aligned with business priorities and risk appetite, assessing and clearly communicating those risks in a non-technical, easily digestible manner that ensures all stakeholders can make informed decisions on these risks.
• Ensure that risks are assessed, recorded and communicated at the appropriate level of detail for both the audience and their effective mitigation, including maintaining a clear view of the linkages to enterprise-level (principal) risks and what actions drive a reduction in those risks.
• Ensure a clear risk hierarchy.
• Engage with senior leaders across both IT and business units to drive pragmatic action plans for mitigation, including supporting the development of business cases.
• Developing and maintaining risk management processes, procedures, and tools to ensure timely identification, assessment, and mitigation of risks.
• Own and manage the security impact assessment process, ensuring that JM gains early visibility of potential risks associated with proposed changes.
• Ensure that this process is linked to the wider risk management process, with appropriate visibility provided to relevant stakeholders.
• Own and manage the third-party risk management process, ensuring an effective prioritisation and tiering model is in place to identify and assess third parties that pose the most significant risk to JM.
• Ensure a clear third-party risk reporting capability is in place to enable JM to make appropriate decisions regarding its third-party risk profile.
• Developing, maintaining and operating cyber and IT controls assurance processes, including being responsible for the JM ITGC framework and ensuring system owners understand their responsibilities.
• Conduct thorough assessments of control environments, systems, processes, and practices to identify control gaps, including those associated with audit actions, customer and stakeholder requirements.
• Ensure effective action is taken to resolve any issues and identify root causes and remediations that can be addressed through continual improvement.
• Act as point of contact and co-ordination for cyber and IT-related audits, ensuring accurate information is provided and collating inputs from relevant teams.
• Keep up to date with regulatory and legislative developments relating to cyber and IT, identifying and assessing any changes that are relevant to JM and developing recommendations and action plans, communicating these as necessary to senior management.

Requirements for the role:

• Experience and knowledge of cyber and IT controls and supporting associated audits.
• Technical and/or practical experience of cyber security controls/capabilities and relevant standards e.g. ISO27001.
• IT controls implementation and assurance, including but not limited to IT general controls.
• Enterprise software capabilities and technologies, including but not limited to ERP, CRM, enterprise operating systems (e.g. Windows/Linux).
• Relevant legislation such as NIS2, GDPR and Computer Misuse Act.
• Relevant industry standards such as MITRE and NIST.
• Risk management best practices.
• Demonstrable experience in technology security-related roles, with demonstrable experience of identifying and managing information security risks in complex or critical scenarios.
• IT and/or cyber-security risk management experience.
• Knowledge and experience of writing technical reports, documentation, policies and standards accurately and to designated timescales.
• Understanding of enterprise IT infrastructure and architectures.

How you will be rewarded:

We offer a competitive compensation and benefits package including bonus, excellent pension contributions and 25 days annual leave (varies for shift-based roles). At JM, an inclusive culture is integral to our values and ambitions for the future. We are committed to ensuring that everyone can bring their full self to work and thrive in their career.