Head of Cyber, Risk & Assurance in London

Head of Cyber, Risk & Assurance in London

London Full-Time No working from home possible
I

About Us

We are part of International Airlines Group (IAG), one of the world’s leading airline groups and owner of some of the biggest brands in the sky.

IAG Transform provides creative and innovative solutions to drive sustainable transformation by delivering procurement and airline services, as well as group-wide systems across IAG. Each operating company benefits from the Transform centralised model, driving efficiencies, automation, and economies of scale.

Purpose of the role

The Head of Cyber Governance and Assurance is accountable for establishing and leading the Group-wide cyber governance, risk and assurance function across the International Airlines Group (British Airways, Iberia, Vueling, Aer Lingus, LEVEL, IAG Cargo, IAG Loyalty, and IAG Transform).
This role builds a risk‑led, threat‑informed and resilience‑focused assurance programme, integrating:
- Cloud and IT Resilience / Disaster Recovery assurance (including Third Parties)
- Continuous KPI monitoring
- Vulnerability remediation assurance
- Business continuity and Crisis response readiness assurance
The Head of Cyber, Risk & Assurance is a senior leadership role within IAG Group Cyber Security & Technology, accountable for building and running a rigorous, independent function that provides the IAG and the Group CISO with accurate, evidence based assurance over the Group's cyber security and technology risk posture.

Your responsibilities

Strategy & Operating Model Leadership

  • Define and maintain the Group Cyber, Risk & Assurance Strategy, aligning IAG’s risk appetite, regulatory requirements, threat landscape, and business priorities.

  • Establish a cohesive assurance operating model within the Group

  • Integrate IT Resilience and DR assurance, ensuring the right capabilities and processes are in place to achieve the required maturity and provide reliable confidence.

  • Strengthen KPI monitoring by establishing ongoing measurements that highlight resilience gaps and emerging risks.

Group-Level Cyber Risk Management

This function is the authoritative second line of defence for cyber and technology risk across the Group. The postholder will:

  • Own and maintain the IAG Group Cyber Risk Register, ensuring it accurately reflects the aggregated risk landscape across all OpCos, is grounded in threat intelligence, and is aligned to IAG's enterprise risk framework.

  • Define, maintain, and periodically review the Group Cyber Risk Appetite Statement in collaboration with the Group CISO, ensuring it is quantified, measurable, and linked to business impact.

  • Conduct regular structured risk assessments at Group level, incorporating cross OpCo systemic risks, shared dependencies (e.g. shared platforms, IAG Connect network, Avios loyalty infrastructure), and third-party supply chain risks.

  • Develop and maintain a cyber risk taxonomy that enables consistent risk identification, classification, and escalation across all OpCos.

  • Ensure that Group-level risks are escalated in a timely and structured manner, with clear risk owners, mitigating actions, and residual risk assessments.

  • Engage with OpCo risk functions to understand local risk profiles and ensure material risks are surfaced to Group level — without duplicating OpCo accountabilities.

  • Drive quantification of cyber risk in business and financial terms (e.g. operational disruption cost, regulatory fine exposure, reputational impact), enabling risk-informed investment decisions by the IAG Executive Committee.

  • Resilience, Crisis Readiness & Recovery Assurance

  • Provide Group-level assurance over IT/Cloud Resilience, backup/recovery capabilities, and disaster recovery test execution.

  • Ensure resilience controls are measurable, tested routinely, and aligned with IAG's operational needs (airline operations, airports, ground operations, cargo, loyalty services).

  • Drive the evolution from periodic testing to continuous assurance, improving coverage and reducing manual effort.

  • Oversee assurance of cyber crisis response readiness, simulation testing, and crisis playbook validation

Policy Assurance

While the ownership for the creation and maintenance of IT and Cyber Security Policies sits elsewhere, this function is responsible for assuring compliance:

  • Maintain an ongoing program of policy compliance assurance across all OpCos, verifying that entities have implemented and embedded Group policies within their local control environments.

  • Work closely with the Head of CTO to ensure assurance activity is aligned to policy maturity stages and identifies deviations in a structured manner.

  • Report on OpCo policy compliance status, tracking formal exceptions, waivers, and remediation plans.

  • Ensure Group minimum standards are consistently interpreted and applied across OpCos.

Oversight, Governance & Quality Assurance

The postholder will establish and operate a structured, independent assurance capability that actively validates the accuracy and completeness of information reported by OpCos to Group:

  • Design and own the IAG Group Cyber Assurance Framework, defining assurance levels, methodologies, evidence standards, and sampling approaches — aligned to the risk-tiered assurance levels used across the Group (self-certified through to full IAG / External Assurance review).

  • Establish and manage an annual Assurance Plan that prioritises OpCo assessments based on risk profile, historical compliance performance, threat landscape, and regulatory obligations.

  • Conduct active assurance reviews of OpCo-submitted compliance data, KPIs, and control attestations — not merely accepting self-certified evidence but independently validating it through structured testing, evidence sampling, interviews, and technical review.

  • Maintain and operate a Data Accuracy and Validation Framework: implement systematic checks to verify that metrics and compliance positions reported by OpCos to the Group are consistent, accurate, and not subject to selective or misleading reporting.

  • Identify and escalate instances where OpCo-reported data is inaccurate, incomplete, or inconsistent with independently obtained evidence — maintaining a clear escalation path to the Group CISO.

  • Operate the Group's risk-tiered Assurance Level model, ensuring the appropriate level is applied proportionate to risk.

  • Develop a continuous assurance monitoring capability, using automated data feeds, telemetry, and tooling to maintain an up-to-date view of control effectiveness between formal assurance cycles.

  • Maintain a consolidated Findings and Remediation Tracker — tracking all identified control gaps, assigned risk owners, target remediation dates, and evidence of closure across all OpCos.

  • Provide structured feedback loops to OpCo CISOs and security leads, ensuring findings are understood, accepted, and actioned within agreed timescales.

Reporting & Executive Engagement

  • Provide clear, aggregated Group-level reporting on assurance effectiveness and remediation progress.

  • Prepare executive-level dashboards and assurance summaries.

  • Present assurance outcomes to the Group CISO, OpCo CISOs, senior technology executives, and, when needed, Audit & Risk Committees.

  • Engage with Internal Audit to ensure cyber related audit activities are aligned with the assurance programme and avoid duplication or blind spots.

Regulatory & External Engagement

  • Ensure the assurance programme satisfies regulatory requirements (e.g. NIS/NIS2, aviation regulatory requirements or external customer due diligence needs).

  • Remediation Prioritisation & Risk Reduction

  • Partner with OpCo stakeholder areas to drive effective remediation.

  • Identify cross‑OpCo systemic weaknesses and propose Group-wide corrective programs.

Your skills, experience and qualifications

  • 10+ years of cyber assurance leadership experience, with strong exposure to global, complex, regulated, federated organisations.

  • Demonstrated experience leading cyber assurance, IT audit, or second‑line risk functions.

  • Proven experience in resilience assurance—crisis readiness, BCP/DR, cloud / IT resilience, and recovery validation.

  • Proven track record of designing and delivering independent assurance programs — including evidence validation, structured testing, and assurance reporting — in a complex, regulated environment.

  • Direct experience of cyber risk management at enterprise or Group level, including risk register ownership, risk appetite setting, and Board/Committee reporting.

  • Demonstrable experience challenging and independently validating data submitted by operating entities, identifying inaccuracies, and managing escalations professionally.

  • Familiarity with regulatory frameworks (e.g. NIST CSF, ISO 27001/2, PCI DSS, GDPR, NIS/NIS2/UK NIS)

  • Strategic, analytical, and able to define long‑term transformational assurance roadmaps.

  • Strong business acumen with the ability to connect control failures to operational risk impacts (e.g., airline operations, airport disruptions).

  • Excellent storyteller with data—able to translate metrics and complex control evidence into actionable insights.

  • Strong leadership, influencing and stakeholder management skills across federated and multicultural organisations.

  • Advocates “no surprises” assurance culture, independence, and transparency.

What we offer

  • The chance to enjoy a challenging career in an exciting, fast-moving environment in a dynamic industry.

  • The opportunity to work in a multi-cultural environment with great offices in many locations. We support our people in maintaining work/life balance, as well as providing the many benefits one would expect from a global organisation, including health insurance, pension and performance bonuses.

We are an equal opportunities employer and all qualified applicants will receive consideration for employment without regard to race, colour, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law

Head of Cyber, Risk & Assurance in London employer: IAG Transform UK

IAG Transform UK is an exceptional employer that fosters a collaborative and innovative work culture, where your expertise in enterprise architecture will be valued and nurtured. With a strong focus on employee growth, we offer numerous opportunities for professional development and career advancement, all while working in a dynamic environment that aligns with our Group's strategic vision. Join us in a location that not only supports your career aspirations but also promotes a healthy work-life balance.

I

Contact Details:

IAG Transform UK Recruitment Team