Group IT Security & Data Protection Lead

Harmony is on a mission to be the best life safety partner to work with and for. Rated an ‘Outstanding Employer’ by Best Companies in 2025, we are only getting bigger and stronger — and we’re looking for A-players to help us get there. We are passionate about making a difference and obsessed with quality. Our goal is to build a world where every resident can sleep safely at night, knowing their home is 100% safe.

This is a security-first leadership role. You will own cyber security and data protection across the Harmony group (Harmony Fire, Solidcor, Auro Technology) end-to-end — strategy, delivery and BAU — acting as the most senior security voice in the business below the Group IT Director. Cyber Essentials Plus, IASME Cyber Assurance and ISO 27001 sit with you. UK GDPR compliance sits with you as the group’s Data Protection Lead (a non-statutory role distinct from a formal DPO appointment). The group’s security posture, risk register, incident response and audit defensibility all sit with you. If something has a security or data protection dimension, it lands on your desk first.

Security cannot exist in isolation, so you will also run the day-to-day IT function — line-managing the IT Technician, overseeing the helpdesk, vendor stack and infrastructure resilience for around 250 users across three trading entities. Operations exist to deliver a secure platform, not the other way around. IT Project Managers will deliver new systems into the group; you will accept those handovers and operationalise them into BAU only once they meet your security bar. Reporting to the Group IT Director, you will be the security leader the group trusts to keep its people productive, its data protected and its certifications intact through ~30% year-on-year growth. This is more than an IT role. It is about bringing the right energy, accountability and resilience to our mission of saving lives through fire and height safety.

Key Responsibilities

• Own the group’s cyber security strategy, posture and risk register — the most senior security accountability in the business below the Group IT Director.
• Lead all formal security certifications end-to-end: Cyber Essentials Plus annual recertification, IASME Cyber Assurance alignment and ISO 27001 ISMS — scoping, risk treatment, Statement of Applicability, internal audits, management review and external audit defence.
• Apply additional frameworks where they strengthen the group’s posture — NIST CSF, CIS Controls, NCSC Cyber Assessment Framework — and embed them into operational practice.
• Act as the group’s Data Protection Lead (not a statutory DPO under UK GDPR Article 37) — own UK GDPR and DPA 2018 compliance, ROPA, DPIAs, retention schedules, DSARs, breach notification, processor agreements and supplier due diligence.
• Run security operations day-to-day — endpoint protection (Bitdefender GravityZone), conditional access, MFA, identity governance, vulnerability management, and security awareness and phishing simulation programmes via KnowBe4.
• Lead incident response — triage, containment, recovery, post-incident review and reporting, with playbooks kept current and tested.
• Oversee security across Auro Technology’s software stack — IoT device firmware, cloud platforms, mobile and web applications — partnering with the Auro engineering team on secure SDLC, code review, dependency management, secrets handling and product security posture.
• Act as the security gatekeeper for IT project handovers — accept newly delivered systems from IT Project Managers into BAU only once documentation, monitoring, support runbooks and security controls meet the group’s bar.
• Run vendor and licensing relationships across the IT and security stack — renewals, commercial negotiation and security due diligence on every new supplier before they are onboarded.
• Run the day-to-day IT function in service of the security mission — line-manage the IT Technician, oversee the Atera helpdesk, own SLAs and personally take the hardest tickets when they have a security dimension.
• Maintain infrastructure resilience — backups, disaster recovery, business continuity, identity, network and connectivity — owned, documented and tested.
• Run secure onboarding and offboarding at scale, keeping identity hygiene and asset control airtight as the group grows.

Skills, Knowledge and Expertise

• An A-player mindset — high standards, extreme ownership and the drive to do things properly, the first time.
• A security professional first and foremost — your career identity is cyber security and information assurance, not IT generalism that happens to include security.
• Proven track record leading Cyber Essentials Plus and ISO 27001 (or actively driving towards certification) in a real organisation — not a tabletop exercise.
• Strong working knowledge of UK GDPR and the Data Protection Act 2018, with hands‑on experience of DSARs, DPIAs, breach response and supplier DPAs.
• Deep, hands‑on Microsoft 365 and Entra ID security experience — conditional access, Intune, identity governance, the Defender stack and security baselines.
• Demonstrable security operations experience — EDR/XDR, vulnerability management, incident response and security awareness programmes.
• Pragmatic, hands‑on operator — comfortable running a helpdesk and line‑managing an IT Technician alongside the security and compliance remit.
• Confident commercial mindset — budget ownership, vendor negotiation and the ability to challenge supplier security claims with evidence.
• Excellent written and verbal communication, able to translate technical risk plainly for non‑technical leadership and field staff.
• Right to work in the UK and able to travel between London, Yeovil, Chesterfield, Edinburgh and other group sites as required.
• Recognised certification — CISSP, CISM, ISO 27001 Lead Implementer or Lead Auditor, Microsoft SC‑100 / SC‑200 / SC‑300.
• IASME Cyber Assurance experience.
• Formal Data Protection Officer training or qualification (e.g. PC.dp, BCS Practitioner Certificate in Data Protection).
• Experience in fire safety, construction, manufacturing or field‑engineering environments.
• Familiarity with our wider stack — Salesforce, SimPRO, Unleashed, Supabase, Cloudflare, Microsoft Fabric.
• Hands‑on experience with KnowBe4 (or equivalent security awareness and phishing simulation platforms).
• NIST CSF, CIS Controls or NCSC CAF practical experience.

Benefits

This is a chance to own cyber security and data protection end-to-end for a three‑entity group at one of the UK’s fastest‑growing safety specialists — with the autonomy to set the security bar, hold certifications and shape the group’s posture as we grow ~30% year-on-year. At Harmony, we ask a lot — and we give a lot back. The hours are real, the standards are high and the work is demanding, but for those who show up, deliver and go the extra mile, the rewards follow. A-players here enjoy a competitive salary, a performance bonus tied to successful, on‑time delivery against roadmap milestones and delivery KPIs, a Personal Development Plan with ongoing training and leadership mentoring, unlimited holiday, private medical insurance, enhanced maternity and paternity, lunch, snacks and refreshments on us every day (fresh fruit and Takeaway Fridays included), a team social budget, cycle to work, an auto‑enrolment pension, two major company events a year and our Reward and Recognition scheme — including European mini‑breaks for those who go above and beyond. It is a collaborative, high‑energy environment focused on doing things the right way — technically, ethically and practically — and none of it is a perk for showing up; it’s what we share with the people pulling the business forward. Harmony is an equal opportunity employer. We consider all applicants for employment regardless of age, disability, sexual orientation, gender identity, family or parental status, race, colour, nationality, ethnic or national origin, religion or belief. We want everyone who works with us to feel valued and to make a difference.