Director, Information Security - Assurance in Cambridge

Cambridge | Full-Time | 80000 - 120000 £ / year (est.) | No working from home possible
AVEVA

At a Glance

  • Tasks: Lead a dynamic team in designing and implementing innovative security assurance programmes.
  • Company: Join a leading tech firm focused on information security and continuous improvement.
  • Benefits: Enjoy flexible benefits, generous leave, and opportunities for professional growth.
  • Other info: Thriving environment with a focus on collaboration and innovation.
  • Why this job: Make a real impact in security while working with cutting-edge technologies and diverse teams.
  • Qualifications: 10+ years in information security with strong leadership and audit experience.

The predicted salary is between 80000 - 120000 £ per year.

Location: Cambridge, UK

Employment Type: Full‑time, regular

Previous Experience: 10+ years in information security with at least 5 years in a senior role focused on building audit/assurance capability; proven track record of leading assurance or audit teams in complex, international, multi‑stakeholder environments; experience designing and operating controls assurance programmes across IT, cloud, and product security domains with exposure to external audit and certification processes (ISO 27001, SOC 2).

Key Responsibilities:

  • Controls Assurance Programme: Design and lead a continuous controls assurance programme that independently tests whether security controls across all federated teams operate effectively against policy objectives and centrally defined standards. Drive automation to shift from periodic point‑in‑time reviews to ongoing, evidence‑based control monitoring.
  • Independent Testing & Technical Review: Commission and oversee in‑depth technical assurance activities including penetration testing, configuration reviews, and control effectiveness assessments. Provide objective, evidence‑based findings across the AVEVA digital estate – covering IT, cloud, product, and R&D environments.
  • Audit & Compliance Readiness: Own the security evidence library and lead coordination of external audit and certification processes (ISO 27001, SOC 2). Leverage proactive assurance activity to build continuous audit readiness rather than reactive preparation, reusing assurance evidence to reduce duplication of effort.
  • Control Weakness & Remediation: Identify control weaknesses and coverage gaps across the AVEVA estate, including areas where controls are under‑deployed, misconfigured, or ineffective against the threat landscape. Drive remediation tracking through the GRC risk register and report progress to the CISO and leadership.
  • Assurance Reporting: Provide high‑quality, evidence‑based assurance reporting to the CISO, AVEVA Executive Team, and Schneider Electric Group Security. Translate technical findings into clear, actionable risk insight that directly informs governance decisions and the enterprise risk register.
  • People and Functional Leadership: Build and develop a high‑performing Assurance team with a culture of rigor, intellectual curiosity, and continuous improvement. Set clear objectives, invest in professional development, and act as a visible advocate for the Assurance function across AVEVA and Schneider Electric. Lead a direct and indirect reporting structure to drive strategic alignment and output as a member of the Digital Security Senior Leadership Team. Navigate ambiguity and make tough decisions—ranging from structural reorganisations and budgetary choices to talent optimisation—while maintaining team morale, transparency, and a people‑first culture in accordance with AVEVA’s values.

Skills and Experience:

  • 10+ years in information security with at least 5 years in a senior role focused on building audit/assurance capability.
  • Deep expertise in control testing methodologies, assurance frameworks, and security audit practices across ISO 27001, SOC 2, NIST CSF, NIS2, and IEC 62443.
  • Strong technical breadth across IT security, cloud security, and application security sufficient to design and oversee effective control testing across a diverse and distributed estate.
  • Experience designing and operating controls assurance programmes in complex, multi‑stakeholder environments ideally spanning IT, cloud, and product security domains.
  • Proven track record of building and leading assurance or audit teams in complex, international, and multi‑stakeholder environments; experience leading leaders is advantageous.
  • Experience owning or leading external audit and certification processes (ISO 27001, SOC 2) including evidence gathering, auditor management, and remediation tracking.
  • Reporting assurance findings and control weaknesses to executive leadership and parent company governance structures.
  • Driving automation in assurance testing and evidence gathering workflows to improve programme scalability.
  • Experience operating in regulated markets with direct exposure to compliance frameworks (ISO 27001, NIS2, IEC 62443, SOC 2).
  • Execution bias; demonstrated ability to act tactically while innovating next‑generation solutions.
  • Rational empathy; demonstrated experience in aligning security imperatives with the goals and values of the organisation.
  • Natural collaborator; demonstrated experience delivering joined‑up solutions across security disciplines and with federated partners.
  • Data literate, automation biased, operationally fluent.
  • Excellent assurance reporting skills; able to translate technical findings into clear, evidence‑based risk narratives for executive, audit, and regulatory audiences.

Desired/Preferred:

  • Industrial software, OT/ICS security, or technology companies serving critical infrastructure or highly regulated industries.
  • Working within a large enterprise group security governance structure as a subsidiary security leader.
  • Experience with AI and machine learning applications in security assurance and automated control testing.
  • Professional certifications: CISSP, CISA, CISM, or ISO 27001 Lead Auditor.
  • Commercial acumen and working knowledge of cloud security, DevSecOps, and Agile delivery practices.
  • Experience in a federated, matrixed, or multi‑subsidiary structure.

Competencies:

  • Adaptive and resilient: thrives in dynamic environments; maintains strategic focus through regulatory change and organisational evolution.
  • Practical and logical: structured thinking with a bias toward pragmatic, implementable solutions.
  • Self‑motivated and decisive: comfortable making and owning decisions in ambiguous situations.
  • Collaborative and influential: earns influence through credibility and expertise; builds trusted relationships across federated teams and leadership.
  • Transparent and courageous: surfaces difficult assurance findings and brings problems to leadership without softening the message.
  • Curious and growth‑oriented: continuously learning about emerging threats, evolving control landscapes, and improvements in assurance automation and tooling.

Benefits:

  • Flexible benefits fund
  • Emergency leave days
  • Adoption leave
  • 28 days annual leave

Director, Information Security - Assurance in Cambridge employer: AVEVA

AVEVA is an exceptional employer located in Cambridge, UK, offering a dynamic work culture that prioritises innovation and collaboration. With a strong commitment to employee growth, AVEVA provides extensive professional development opportunities and a flexible benefits fund, ensuring that team members are supported both personally and professionally. The company fosters a people-first environment, encouraging a culture of rigor and continuous improvement, making it an ideal place for those seeking meaningful and rewarding careers in information security.

Contact Details:

AVEVA Recruitment Team

We think you need these skills to ace Director, Information Security - Assurance in Cambridge

Information Security
Audit and Assurance Capability
Controls Assurance Programme Design
Technical Assurance Activities
ISO 27001
SOC 2
Control Testing Methodologies