Director, Information Security - GRC

Full-Time 70000 - 90000 £ / year (est.) No working from home possible
AVEVA Denmark

At a Glance

  • Tasks: Lead AVEVA’s Governance, Risk and Compliance function to protect digital assets.
  • Company: Join AVEVA, a leader in industrial software trusted by top companies.
  • Benefits: Enjoy competitive pay, generous leave, and flexible benefits for your wellbeing.
  • Other info: Flexible work environment with opportunities for professional growth.
  • Why this job: Make a real impact on security while leading a high-performing team.
  • Qualifications: 10+ years in information security with deep GRC expertise required.

The predicted salary is between 70000 - 90000 £ per year.

AVEVA is creating software trusted by over 90% of leading industrial companies.

The Director, Information Security GRC leads AVEVA’s Governance, Risk and Compliance (GRC) function within the central Digital Security organization. This second-line leadership role is accountable for the policies, standards, and governance frameworks that protect AVEVA’s digital estate and products, as well as for the risk assurances required by AVEVA leadership and Schneider Electric. The role requires a blend of broad security experience and deep GRC expertise, with a focus on data-driven, scalable approaches to security and risk management.

Key Responsibilities

  • Operate as the central second-line function: set standards that federated teams execute against, retain independent oversight and audit rights, and provide joined-up risk governance reporting to the CISO, AVEVA Executive Leadership Team (ELT), and Schneider Electric Group Security.
  • Define and maintain AVEVA’s security policy framework aligned to ISO27001, NIS2, IEC62443, and contractual obligations; manage the full policy lifecycle.
  • Own the enterprise security risk register and operate governance processes, reporting regularly to the AVEVA Executive Team and Schneider Electric Group Security; engage business owners in risk treatment decisions and deliver transparent, defensible risk reporting.
  • Lead the Third-Party Risk Management (TPRM) programme: assess suppliers, SaaS platforms, and technology partners’ security posture, integrate risk gates into procurement decisions, and drive automation to scale the programme efficiently.
  • Lead the Security Program Management Office (PMO) to coordinate investment and improvement initiatives, advance programme maturity, and maintain a transparent security roadmap; identify opportunities to automate GRC workflows to increase team capacity and strategic value.
  • Own AVEVA’s compliance posture across applicable regulatory frameworks; manage external audits and certifications (ISO27001, SOC2) and monitor regulatory change including NIS2, CRA, and IEC62443.
  • Build and develop a high-performing GRC team, set clear objectives, invest in professional development, and act as an advocate for the GRC function across AVEVA and Schneider Electric; drive strategic alignment, output, and a people-first culture.

Skills and Experience

  • 10+ years in information security with at least 5 years in a senior role focused on building capability.
  • Deep expertise in GRC frameworks: ISO27001, NIST CSF, NIS2, IEC62443, SOC2.
  • Strong understanding of security policy lifecycle management, control framework design, and risk register governance.
  • Experience operating in regulated markets and reporting security risk to executive leadership.
  • Proven track record of building and leading teams in international, multi-stakeholder environments.
  • Experience driving automation and tooling improvements in GRC workflows to improve program scalability.
  • A bias for execution, with demonstrated ability to act tactically while developing next-generation solutions.
  • Rational empathy, natural collaboration, data literacy, and operational fluency.
  • Excellent risk communication skills, commercial acumen, and working knowledge of cloud security, DevSecOps, and Agile delivery practices.
  • Professional certifications such as CISSP, CISM, CRISC, or ISO27001 Lead Implementer/Lead Auditor are preferred.

Benefits

  • Competitive package with attractive bonus incentive plan.
  • Above-norm paid vacation, contributions to retirement investment plans or pensions, insurances, and various memberships and perks designed to enhance workplace experience, health, and wellbeing.
  • Flexible benefits fund.
  • Emergency leave days, adoption leave.
  • 28 days annual leave (plus bank holidays).
  • Pension.
  • Life cover.
  • Private medical insurance.
  • Parental leave.
  • Education assistance program.

Equal Opportunity Statement

AVEVA is an Equal Opportunity Employer. We are committed to recruiting and retaining people with disabilities and provide reasonable accommodation to applicants where appropriate. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex (including pregnancy, gender identity, and sexual orientation), national origin, age, disability, protected veteran status, or any other basis protected by law.

Background Check

Successful applicants will be required to undergo and pass a drug screening and comprehensive background check in accordance with local laws. This may include verification of educational attainment, employment history, work authorization, criminal records, identity verification, and credit check.

Director, Information Security - GRC employer: AVEVA Denmark

AVEVA is an exceptional employer, offering a dynamic work environment in Cambridge where innovation meets collaboration. With a strong commitment to employee growth, AVEVA provides extensive professional development opportunities, competitive benefits, and a people-first culture that prioritises well-being and work-life balance. Join a high-performing team dedicated to shaping the future of industrial software while enjoying a supportive atmosphere that values diversity and inclusion.

Contact Details:

AVEVA Denmark Recruitment Team
