Director, Information Security - GRC in London

Location: Cambridge, UK

Employment type: Full-time regular

Benefits: Competitive package with an attractive bonus incentive plan, regionally specific benefits ranging from above the norm paid vacation, contributions to retirement investment plans or pensions, insurances and many other memberships and perks designed to enhance the workplace experience, your health, and wellbeing.

Previous Experience: 10+ years in information security with at least 5 years in a senior role biased towards building capability not just running it. Proven track record of building and leading teams in complex, international and multi-stakeholder environments, with experience reporting security risk to executive leadership and parent company governance structures. Demonstrated ability to drive automation and tooling improvements in GRC workflows to improve program scalability.

The Director, Information Security GRC leads AVEVA’s Governance, Risk and Compliance function within the central Digital Security organization, a key second-line leadership role in AVEVA’s federated security model. This position is accountable for the policies, standards, and governance frameworks that protect AVEVA’s digital estate and products, and for the risk assurances that AVEVA leadership and Schneider Electric require to make informed business decisions.

AVEVA is a fast-growing software company operating in highly regulated markets and is an independent subsidiary of Schneider Electric. The GRC function must be a genuine enabler of business agility, continuously modernizing through automation and innovation. We are building a highly integrated security practice, where all security disciplines share and act in coordination on risk signal. The successful candidate must combine broad security experience with GRC expertise and deeply understand how they interact to deliver the trust promise of AVEVA. They will possess a collaborative mindset, with a passion for data-driven, scalable approaches to security and risk management.

Operating at a senior level within this specialised field, and as a member of the functional Senior Leadership team, the Director of Security GRC will often be called on to provide consultation to leaders, and counsel to the CISO. They are responsible for generating new theories, concepts, principles, and methodologies and will contribute significantly to the development of policy for the Digital Security function.

As a leader of leaders, and with a global team, this individual must establish a culture of performance excellence, ensuring the team deliver on the demands and expectations of the Security practice, in accordance with our values.

Key Responsibilities

• Operating as the central second-line function, the Director sets the standards all federated teams execute against, retains independent oversight and audit rights, and provides joined-up risk governance reporting to the CISO, AVEVA ELT, and Schneider Electric.
• Security Policy & Standards: Define and maintain AVEVA’s security policy framework aligned to ISO 27001, NIS2, IEC 62443, and contractual obligations. Set centralised standards for control design and assurance testing across all federated teams; manage the full policy lifecycle in response to evolving threats, regulation, and business context.
• Risk Assessment & Governance: Own the enterprise security risk register and operate governance processes, including regular reporting to the AVEVA Executive Team and Schneider Electric Group Security. Engage business owners in risk treatment decisions and deliver transparent, defensible risk reporting that enables leadership to make informed decisions.
• Third Party Risk Management: Lead the TPRM programme — assessing the security posture of suppliers, SaaS platforms, and technology partners. Integrate risk gates into procurement decisions and drive automation to scale the programme efficiently.
• Programme Management & Maturity: Lead the Security PMO, coordinating investment and improvement initiatives to advance programme maturity. Maintain a transparent security roadmap and actively identify opportunities to automate GRC workflows to increase team capacity and strategic value.
• Compliance & Certification: Own AVEVA’s compliance posture across applicable regulatory frameworks. Manage external audits and certifications (ISO 27001, SOC 2). Monitor and anticipate regulatory change including NIS2, CRA, and IEC 62443.
• People and Functional Leadership: Build and develop a high-performing GRC team with a culture of intellectual curiosity and continuous improvement. Set clear objectives, invest in professional development, and act as a visible advocate for the GRC function across AVEVA and Schneider Electric. An assured leader of both direct reports and in-directs to drive strategic alignment and output, setting and maintaining high standards as a member of the Digital Security Senior Leadership Team. Possesses a demonstrated ability to navigate ambiguity and make tough decisions—ranging from structural re-organizations and budgetary choices to talent optimization—while maintaining team morale, transparency, and a people-first culture in accordance with AVEVA’s values.

Skills and Experience

• 10+ years in information security with at least 5 years in a senior role biased towards building capability not just running it.
• Deep expertise in GRC frameworks: ISO 27001, NIST CSF, NIS2, IEC 62443, SOC 2.
• Strong understanding of security policy lifecycle management, control framework design, and risk register governance.
• Experience in operating in regulated markets (ISO 27001, SOC 2, NIS2, IEC 62443).
• Proven track record of building and leading teams in complex, international and multi-stakeholder environments. Experience of leading leaders is advantageous.
• Reporting security risk to executive leadership and parent company governance structures.
• Driving automation and tooling improvements in GRC workflows to improve program scalability.
• Execution bias; demonstrated ability to act tactically while innovating next generation solutions.
• Rational empathy; demonstrated experience in aligning security imperatives with the goals and values of the organization.
• Natural collaborator; demonstrated experience delivering joined up solutions.
• Data literate, automation biased, operationally fluent.
• Excellent risk communication skills.
• Commercial acumen and working knowledge of cloud security, DevSecOps, and Agile delivery practices.

Desired/Preferred

• Industrial software, OT/ICS security, or technology companies serving critical infrastructure or highly regulated industries.
• Working within a large enterprise group security governance structure as a subsidiary security leader.
• Working with AI and machine learning applications in security.
• Professional certifications: CISSP, CISM, CRISC, or ISO 27001 Lead Implementer / Lead Auditor.
• Experience in a federated, matrixed, or multi-subsidiary structure — driving standards across organizational boundaries.

Competencies

• Adaptable and resilient: Thrives in dynamic environments; maintains strategic focus through regulatory change and organisational evolution.
• Practical and logical: Structured thinking with a bias toward pragmatic, implementable solutions.
• Self-motivated and decisive: Comfortable making and owning decisions in ambiguous situations.
• Collaborative and influential: Earns influence through credibility and expertise; builds trusted relationships across federated teams and leadership.
• Transparent and courageous: Surfaces difficult risk findings and brings problems to leadership.
• Curious and growth-oriented: Continuously learning about emerging threats, regulatory change, and improvements in automation and tooling.

Hybrid working

We work in a hybrid way at AVEVA. Most roles are based at a local AVEVA office, with an expectation of being on-site 50% of your working hours to support collaboration and connection. Some positions are fully office-based depending on the nature of the work, and certain roles that support specific customers or markets may be remote. The working arrangement for this position will be confirmed during the hiring process.

UK Benefits include:

• Flexible benefits fund, emergency leave days, adoption leave, 28 days annual leave (plus bank holidays), pension, life cover, private medical insurance, parental leave, education assistance program.

It’s possible we’re hiring for this position in multiple countries, in which case the above benefits apply to the primary location. Specific benefits vary by country, but our packages are similarly comprehensive.

AVEVA requires all successful applicants to undergo and pass a drug screening and comprehensive background check before they start employment. Background checks will be conducted in accordance with local laws and may, subject to those laws, include proof of educational attainment, employment history verification, proof of work authorization, criminal records, identity verification, credit check. Certain positions dealing with sensitive and/or third-party personal data may involve additional background check criteria.

AVEVA is an Equal Opportunity Employer. We are committed to being an exemplary employer with an inclusive culture, developing a workplace environment where all our employees are treated with dignity and respect. We value diversity and the expertise that people from different backgrounds bring to our business. AVEVA provides reasonable accommodation to applicants with disabilities where appropriate. If you need reasonable accommodation for any part of the application and hiring process, please notify your recruiter. Determinations on requests for reasonable accommodation will be made on a case‑by‑case basis.