Group Head of Information Security

We are seeking a highly skilled and experienced Group Security Officer (GSO) to lead our information security strategy and operations. The GSO will be responsible for safeguarding our firm's digital assets, ensuring compliance with relevant laws and regulations, and mitigating risks associated with cyber threats. This role requires a strategic thinker with strong leadership capabilities and a deep understanding of the legal sector's unique security challenges.

The role holder will be responsible for identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, as well as key business risks, while supporting and advancing business objectives. You will also embed knowledge and best practice on risk avoidance and information security and working with the COLP and other relevant post holders, ensure the group is in line with statutory, regulatory and industry compliance standards/guidelines as appropriate. The role will also be responsible for enhancing our governance to include our emerging AI governance frameworks including ISO42001, as well as improving our group approach to resilience.

• Develop and Implement Security Strategy: Create and execute a comprehensive information security strategy that aligns with the firm's business objectives and regulatory requirements. Work closely with other departments, including our brands and group services to ensure security initiatives are integrated into all aspects of the firm's operations.
• Risk Management: Identify, assess, and mitigate information security risks. Conduct regular risk assessments and assurance to ensure the firm's security posture remains robust.
• Policy and Procedure Development: Develop, implement, and maintain security policies, standards, and procedures to protect the firm's digital assets.
• Compliance: Ensure compliance with relevant laws, regulations, and industry standards, including GDPR and other data protection regulations. This will include ensuring ongoing ISO27001 and CE+ accreditation.
• Incident Response: Lead the firm's response to security incidents and breaches, ensuring timely and effective resolution. Develop and maintain incident response plans.
• Security Governance: Review, evolve, and lead the security governance structure across the firm. Implement standard information security metrics and produce security reports.
• Security Assurance: Support and execute an appropriate assurance framework to validate security controls are effective. Facilitate risk assessment and risk management processes to ensure that risk is maintained at appropriate levels.
• Security Architecture: Working with the Security Architect as a Service capability, design and implement the firm's security architecture. Ensure that security controls are integrated into the design and implementation of all systems. Evaluate and recommend security technologies and solutions to protect the firm's digital assets. Collaborate with IT and other departments to ensure that security architecture aligns with business objectives and regulatory requirements.
• Security Operations: Oversee the day-to-day operations of the security team, including monitoring, detection, and response to security incidents. Ensure the implementation and management of security systems and tools.
• Security Awareness and Training: Promote security awareness across the firm. Develop and deliver training programs to educate employees on best practices for information security.
• Data Privacy and Data Protection Officer (DPO): Working with the DPOaaS capability, ensure the firm’s compliance with data privacy laws and regulations, including GDPR. Act as the Data Protection Officer (DPO) and oversee all data protection activities. Develop and implement data privacy policies and procedures. Conduct data protection impact assessments (DPIAs) and ensure that data subjects' rights are upheld. Provide guidance and training on data privacy matters to employees.
• Third-Party Supply Chain Security: Ensure information security assurance across the firm's supply chain, including clients and suppliers. Conduct security assessments of third-party vendors and partners. Develop and enforce security requirements for third-party contracts. Monitor and manage third-party compliance with the firm's security policies and standards.
• Reporting: Provide regular updates to senior management and the board of directors on the status of the firm's information security program and any emerging threats.

What you will need:

• Previously led teams of Information Security professionals.
• Depth of knowledge of Information Security standards, tools and processes.
• Good understanding of GDPR, COBIT, ISO27001, PCI DSS, Cyber Essentials (including Plus) and risk management frameworks.
• Familiarity with industry leading security products and solutions.
• Practical, real-life and hands-on experience of security technologies.
• Knowledge and experience of Business Continuity Management.
• Implemented crisis management processes and led responses to real crisis.
• Member of Institute of Information Security Professionals (M.IISP) or have the qualification, skills and experience to become a member.
• Certification(s) in one or more of CISSP, ISO27001 Lead Auditor, CISM, CISA is expected.
• Organised with a proven ability to prioritise workload, meet deadlines, and utilise time effectively.
• Strong working knowledge of risk management and previous experience working with risk.
• Strong interpersonal and communication skills; able to deal effectively with diverse skill sets and personalities, works effectively as a team player.

We embrace agile working and offer a blended approach to where and how we work. We appreciate that people have different needs and preferences and we’re keen to be flexible, after all, we value what you do, not where you do it. This role will be a blend of home working and working from one of our London or Midlands hubs.

Ampa Group is a committed equal opportunities employer. We seek to attract, develop and retain talented people from a diverse range of backgrounds and cultures. We value and respect individuality and encourage a culture within our business where people can be themselves and be valued for their strengths and experiences. Everyone who either applies to or works for the firm is treated equally, regardless of their gender, age, ethnic origin, nationality, marital status, sexual orientation or religious beliefs.