Head of Cyber, Risk & Assurance in London

Head of Cyber, Risk & Assurance in London

London Full-Time 70000 - 80000 £ / year (est.) No working from home possible
IAG Transform

At a Glance

  • Tasks: Lead cyber governance and assurance for a major airline group, ensuring robust risk management.
  • Company: Join IAG, a leading global airline group with a focus on innovation and sustainability.
  • Benefits: Enjoy competitive pay, health insurance, pension plans, and performance bonuses.
  • Other info: Work-life balance supported in a fast-paced, exciting industry.
  • Why this job: Make a real impact in cyber security within a dynamic, multicultural environment.
  • Qualifications: 10+ years in cyber assurance leadership with strong analytical and strategic skills.

The predicted salary is between 70000 - 80000 £ per year.

We are part of International Airlines Group (IAG), one of the world’s leading airline groups and owner of some of the biggest brands in the sky.

IAG Transform provides creative and innovative solutions to drive sustainable transformation by delivering procurement and airline services, as well as group-wide systems across IAG.

Each operating company benefits from the Transform centralised model, driving efficiencies, automation, and economies of scale.

Purpose of the role

The Head of Cyber Governance and Assurance is accountable for establishing and leading the Group-wide cyber governance, risk and assurance function across the International Airlines Group (British Airways, Iberia, Vueling, Aer Lingus, LEVEL, IAG Cargo, IAG Loyalty, and IAG Transform).

This role builds a risk‑led, threat‑informed and resilience‑focused assurance programme, integrating:

  • Cloud and IT Resilience / Disaster Recovery assurance (including Third Parties)
  • Vulnerability remediation assurance
  • Business continuity and Crisis response readiness assurance

The Head of Cyber, Risk & Assurance is a senior leadership role within IAG Group Cyber Security & Technology, accountable for building and running a rigorous, independent function that provides the IAG and the Group CISO with accurate, evidence based assurance over the Group's cyber security and technology risk posture.

  • Your responsibilities
  • Define and maintain the Group Cyber, Risk & Assurance Strategy, aligning IAG’s risk appetite, regulatory requirements, threat landscape, and business priorities.
  • Establish a cohesive assurance operating model within the Group
  • Integrate IT Resilience and DR assurance, ensuring the right capabilities and processes are in place to achieve the required maturity and provide reliable confidence.
  • Strengthen KPI monitoring by establishing ongoing measurements that highlight resilience gaps and emerging risks.

This function is the authoritative second line of defence for cyber and technology risk across the Group. The postholder will:

  • Own and maintain the IAG Group Cyber Risk Register, ensuring it accurately reflects the aggregated risk landscape across all Op Cos, is grounded in threat intelligence, and is aligned to IAG's enterprise risk framework.
  • Define, maintain, and periodically review the Group Cyber Risk Appetite Statement in collaboration with the Group CISO, ensuring it is quantified, measurable, and linked to business impact.
  • Conduct regular structured risk assessments at Group level, incorporating cross Op Co systemic risks, shared dependencies (e. g. shared platforms, IAG Connect network, Avios loyalty infrastructure), and third-party supply chain risks.
  • Develop and maintain a cyber risk taxonomy that enables consistent risk identification, classification, and escalation across all Op Cos.
  • Ensure that Group-level risks are escalated in a timely and structured manner, with clear risk owners, mitigating actions, and residual risk assessments.
  • Engage with Op Co risk functions to understand local risk profiles and ensure material risks are surfaced to Group level — without duplicating Op Co accountabilities.
  • Drive quantification of cyber risk in business and financial terms (e. g. operational disruption cost, regulatory fine exposure, reputational impact), enabling risk-informed investment decisions by the IAG Executive Committee.
  • Resilience, Crisis Readiness & Recovery Assurance
  • Provide Group-level assurance over IT/Cloud Resilience, backup/recovery capabilities, and disaster recovery test execution.
  • Ensure resilience controls are measurable, tested routinely, and aligned with IAG's operational needs (airline operations, airports, ground operations, cargo, loyalty services).
  • Drive the evolution from periodic testing to continuous assurance, improving coverage and reducing manual effort.
  • Oversee assurance of cyber crisis response readiness, simulation testing, and crisis playbook validation
  • Policy Assurance

While the ownership for the creation and maintenance of IT and Cyber Security Policies sits elsewhere, this function is responsible for assuring compliance:

  • Maintain an ongoing program of policy compliance assurance across all Op Cos, verifying that entities have implemented and embedded Group policies within their local control environments.
  • Work closely with the Head of CTO to ensure assurance activity is aligned to policy maturity stages and identifies deviations in a structured manner.
  • Report on Op Co policy compliance status, tracking formal exceptions, waivers, and remediation plans.
  • Ensure Group minimum standards are consistently interpreted and applied across Op Cos.
  • Oversight, Governance & Quality Assurance

The postholder will establish and operate a structured, independent assurance capability that actively validates the accuracy and completeness of information reported by Op Cos to

Group

  • Design and own the IAG Group Cyber Assurance Framework, defining assurance levels, methodologies, evidence standards, and sampling approaches — aligned to the risk-tiered assurance levels used across the Group (self-certified through to full IAG / External Assurance review).
  • Establish and manage an annual Assurance Plan that prioritises Op Co assessments based on risk profile, historical compliance performance, threat landscape, and regulatory obligations.
  • Conduct active assurance reviews of Op Co-submitted compliance data, KPIs, and control attestations — not merely accepting self-certified evidence but independently validating it through structured testing, evidence sampling, interviews, and technical review.
  • Maintain and operate a Data Accuracy and
  • Validation

Framework: implement systematic checks to verify that metrics and compliance positions reported by Op Cos to the Group are consistent, accurate, and not subject to selective or misleading reporting.

  • Identify and escalation instances where Op Co-reported data is inaccurate, incomplete, or inconsistent with independently obtained evidence — maintaining a clear escalation path to the Group CISO.
  • Operate the Group's risk-tiered Assurance Level model, ensuring the appropriate level is applied proportionate to risk.
  • Develop a continuous assurance monitoring capability, using automated data feeds, telemetry, and tooling to maintain an up-to-date view of control effectiveness between formal assurance cycles.
  • Maintain a consolidated Findings and Remediation Tracker — tracking all identified control gaps, assigned risk owners, target remediation dates, and evidence of closure across all Op Cos.
  • Provide structured feedback loops to Op Co CISOs and security leads, ensuring findings are understood, accepted, and actioned within agreed timescales.
  • Reporting & Executive Engagement
  • Provide clear, aggregated Group-level reporting on assurance effectiveness and remediation progress.
  • Prepare executive-level dashboards and assurance summaries.
  • Present assurance outcomes to the Group CISO, Op Co CISOs, senior technology executives, and, when needed, Audit & Risk Committees.
  • Engage with Internal Audit to ensure cyber related audit activities are aligned with the assurance programme and avoid duplication or blind spots.
  • Regulatory & External Engagement
  • Ensure the assurance programme satisfies regulatory requirements (e. g. NIS/NIS2, aviation regulatory requirements or external customer due diligence needs).
  • Partner with Op Co stakeholder areas to drive effective remediation.
  • Identify cross‑Op Co systemic weaknesses and propose Group-wide corrective programs.
  • Your skills, experience and qualifications
  • 10+ years of cyber assurance leadership experience, with strong exposure to global, complex, regulated, federated organisations.
  • Demonstrated experience leading cyber assurance, IT audit, or second‑line risk functions.
  • Proven experience in resilience assurance—crisis readiness, BCP/DR, cloud / IT resilience, and recovery validation.
  • Proven track record of designing and delivering independent assurance programs — including evidence validation, structured testing, and assurance reporting — in a complex, regulated environment.
  • Direct experience of cyber risk management at enterprise or Group level, including risk register ownership, risk appetite setting, and Board/Committee reporting.
  • Demonstrable experience challenging and independently validating data submitted by operating entities, identifying inaccuracies, and managing escalations professionally.
  • Familiarity with regulatory frameworks (e. g. NIST CSF, ISO 27001/2, PCI DSS, GDPR, NIS/NIS2/UK NIS)
  • Strategic, analytical, and able to define long‑term transformational assurance roadmaps.
  • Strong business acumen with the ability to connect control failures to operational risk impacts (e. g., airline operations, airport disruptions).
  • Excellent storyteller with data—able to translate metrics and complex control evidence into actionable insights.
  • Strong leadership, influencing and stakeholder management skills across federated and multicultural organisations.
  • Advocates “no surprises” assurance culture, independence, and transparency.

What we offer

  • The chance to enjoy a challenging career in an exciting, fast-moving environment in a dynamic industry.
  • The opportunity to work in a multi-cultural environment with great offices in many locations.

We support our people in maintaining work/life balance, as well as providing the many benefits one would expect from a global organisation, including health insurance, pension and performance bonuses.

We are an equal opportunities employer and all qualified applicants will receive consideration for employment without regard to race, colour, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law.

#J-18808-Ljbffr

Head of Cyber, Risk & Assurance in London employer: IAG Transform

As a Procurement Transformation Lead at IAG Transform, you will be part of a dynamic and innovative team within one of the world's leading airline groups. We offer a vibrant work culture that values collaboration and inclusivity, alongside opportunities for professional growth in a fast-paced environment. With competitive benefits such as health insurance, pension plans, and performance bonuses, we are committed to supporting our employees' work/life balance while driving sustainable transformation across our global operations.

IAG Transform

Contact Details:

IAG Transform Recruitment Team

StudySmarter Expert Advice🤫

We think this is how you could land Head of Cyber, Risk & Assurance in London

Get Involved in the Cybersecurity Community

Diving into the cybersecurity community is key for landing that full-time gig. Join forums like Reddit's r/cybersecurity or attend local meetups to connect with industry veterans and other job seekers. Networking is everything in this field—don’t just be a passive lurker!

Show Off Your Skills with Capture the Flag Competitions

Participate in Capture the Flag (CTF) competitions; these are not just a fun way to boost your skills but also a chance to showcase your talent to potential employers. Many companies, including IAG Transform, love seeing candidates who actively engage in these challenges.

Tailor Your Online Presence

Make sure your LinkedIn and any professional profiles reflect your cybersecurity expertise. Share your projects, whether they’re personal or from a previous role, to catch the eye of hiring managers. This is how they’ll find your passion and commitment to the field!

Apply Directly Through IAG Transform

Don’t forget to head straight to our website and check out any openings for cybersecurity roles at IAG Transform. Applying directly can sometimes give you an edge, especially if you can mention that you've been following our work or engaging in the community.

We think you need these skills to ace Head of Cyber, Risk & Assurance in London

Cyber Assurance Leadership
Risk Management
Crisis Readiness
Business Continuity Planning (BCP)
Disaster Recovery (DR)
Cloud Resilience
Regulatory Compliance

Some tips for your application 🫡

Show off your technical skills:In cybersecurity, it's crucial to highlight your technical prowess. Make sure your CV showcases specific skills like network security, penetration testing, or threat analysis. If you have relevant certifications (like CEH or CISSP), pop those on the front page to grab attention!

Tailor your portfolio for the role:Even for a full-time role, a portfolio can set you apart. If you've worked on any cybersecurity projects—be it CTF challenges, security assessments, or research papers—include these in your application. This demonstrates not just your skills, but also your hands-on experience!

Use real-world examples:When writing your cover letter, don’t just stick to your qualifications. Share real-world examples of how you’ve tackled security issues or vulnerabilities. This gives the hiring team at IAG Transform insight into your practical problem-solving abilities and makes your application memorable.

Demonstrate your passion for cybersecurity:Cybersecurity is an ever-evolving field, so show us that you’re always learning! Mention any recent courses, webinars, or industry events you’ve attended. This not only exhibits your enthusiasm but also signals to IAG Transform that you’re committed to staying ahead in the game.

How to prepare for a job interview at IAG Transform

Sharpen Your Technical Skills

For a role in cybersecurity, it’s essential to be up-to-date with the latest tools and techniques. Brush up on your knowledge of firewalls, intrusion detection systems, and vulnerability assessment tools. Be ready to discuss specific scenarios where you’ve applied these skills, as hands-on experience can really set us apart in interviews.

Prepare for Scenario-Based Questions

Expect the interviewers at IAG Transform to throw in some hypothetical situations to see how you’d handle them. Think about common security breaches or incidents and be prepared to explain how you would respond. This not only shows your problem-solving skills but also your understanding of real-world cybersecurity challenges.

Highlight Your Certifications

Certifications like CompTIA Security+, CISSP, or CEH can give you a significant edge in a full-time role in cybersecurity. Make sure to mention these during your interview and be prepared to discuss what you learned through those certifications and how they relate to the position at IAG Transform.

Show Your Passion for Cybersecurity

Since you’re going for a full-time gig, showing genuine enthusiasm for the field can make all the difference. Share any personal projects, blogs, or communities you’re part of that relate to cybersecurity. This not only showcases your passion but also your commitment to staying engaged in this ever-evolving field.