Cyber Advisory Services Manager

Full-Time 84000 - 100000 £ / year (est.) No working from home possible

At a Glance

  • Tasks: Lead cyber advisory services, providing tailored support and guidance across divisions.
  • Company: Join a leading Group focused on enhancing cyber security culture globally.
  • Benefits: Enjoy a competitive salary, car allowance, Bupa, and matched pension contributions.
  • Other info: Dynamic role with opportunities for professional growth and collaboration.
  • Why this job: Make a real impact in cyber security while working with diverse teams and projects.
  • Qualifications: 10+ years in cyber security with strong advisory and consulting experience required.

The predicted salary is between 84000 - 100000 £ per year.

Location: London or Peterborough with potential travel to divisional sites as required by advisory engagements (hybrid working arrangements in place).

Working Pattern: 37.5 hours per week, Monday – Friday.

Salary: £84,000 - £100,000

Benefits: Car allowance, Bupa, Matched pension contributions.

Group Cyber Security Overview

The Group Cyber Security (GCS) team is responsible for managing cyber risk appropriately across the Group and has recently refreshed its cyber strategy, with a renewed focus on embedding cyber security as part of the culture and DNA. The Group operates a highly federated business model spanning 11 divisions and over 50 countries, and the cyber strategy has been designed to build materially improved security capabilities whilst working with a divisional focus. It is an exciting time to join GCS. We are in a period of significant investment, with a multi‑year transformation programme under way to build new security capabilities at pace. GCS is responsible for setting the Group cyber standard, measuring compliance against it across all the businesses, and delivering a portfolio of centrally managed security services that divisions can rely on.

Role Summary

Reporting to the Deputy Group CISO, the Cyber Advisory Services Manager leads the GCS consulting and advisory capability – the function that turns Group cyber standards and expertise into practical, tailored support for all the divisions. This is a role for a confident, credible cyber security generalist with strong consulting instincts: someone who is equally comfortable advising a divisional CIO on strategic security posture, reviewing a firewall ruleset for technical debt, or scoping the cyber workstream of a merger integration programme. The role provides a broad portfolio of advisory services to the Group and its divisions, including:

  • Technical standards advice and interpretation;
  • Security configuration, rule base assessment and policy change support;
  • Input to non‑functional security requirements for Group and divisional programmes;
  • Cyber security input to mergers, acquisitions, and divestiture activity;
  • The deployment of specialist consulting resource into divisions that need temporary uplift in cyber capability.

The Cyber Advisory Services Manager acts as an important feedback loop into GCS: gathering intelligence from divisional engagements that informs the evolution of Group standards, identifies emerging needs, and ensures that GCS remains relevant and responsive to the businesses it serves. The role works in close partnership with the Cyber Architecture Manager, the Head of Cyber Assurance, and the Security Platform Engineering Manager to ensure that advisory activity is consistent with and supportive of the broader GCS strategy.

Technical Standards Advisory & Interpretation

Provide authoritative advice to divisions, business units, and Group functions on the interpretation and practical application of the Group cyber technical standards and security policies; acting as the primary advisory interface between GCS and the divisions on matters of standards compliance, technology and implementation. Help divisions translate Group cyber standards into their specific operational context – providing pragmatic, risk‑proportionate guidance on what good looks like in their environment, and a credible path from current state to compliant state. Feed intelligence from divisional advisory engagements back into the standards development process; identify where standards are unclear, impractical, or creating unintended barriers, and work with the Cyber Architecture Manager and Head of Cyber Assurance to drive improvements.

Rule Base Assessment & Security Policy Change

Lead and deliver security configuration and rule base reviews and security policy assessments for Group and divisional environments; identify technical debt, overly permissive rules, obsolete entries, and configuration drift, and provide clear, prioritised remediation recommendations. Provide technical review and advisory support for security policy change requests from divisions, assessing proposed changes against Group standards and architectural principles, and providing a clear recommendation with appropriate justification. Develop and maintain a structured approach to rule base and policy review across the Group, including tooling, methodology, scheduling, and output standards, ensuring consistent and repeatable assessment quality across different divisional environments.

Non‑Functional Security Requirements

Provide security input to non‑functional requirements (NFRs) for Group and divisional programmes and projects; define the security properties that technology solutions must meet – covering areas such as authentication, authorisation, encryption, logging, resilience, and data classification – in a form that is actionable by project and engineering teams. Maintain and evolve a Group‑standard NFR library derived from the Group cyber technical standards, enabling consistent security requirements to be applied across the programme portfolio without reinventing them for each project; work with the Cyber Architecture Manager to ensure NFRs remain aligned to the enterprise architecture. Engage with divisional and Group programme teams at the point where security NFRs are being defined, ensuring security is embedded by design rather than added retrospectively; provide advisory support through the project lifecycle where security design decisions need to be revisited or refined.

Mergers, Acquisitions & Strategic Project Support

Lead the GCS advisory contribution to mergers, acquisitions, and divestiture activity; scope and deliver the cyber workstream in M&A programmes, covering pre‑deal due diligence support, integration planning, and the transition of acquired entities onto the Group cyber standard. Provide cyber advisory resource and expertise to other significant Group and divisional strategic programmes – including major technology transformations, ERP deployments, cloud migrations, and site openings or closures – ensuring security considerations are addressed at the right point in the programme lifecycle. Maintain a forward view of the M&A and strategic programme pipeline in collaboration with Group corporate development and divisional leadership, enabling advisory resource to be planned and mobilised proactively rather than reactively.

Divisional Resource Augmentation & Flexible Resourcing Pool

Manage the GCS flexible resourcing pool as an advisory and consulting resource, deploying cyber consultants and specialist advisors into divisions that require temporary uplift in security capability – whether to support a programme, fill a capability gap, or accelerate compliance with Group standards. Work with divisional BISOs, CIOs, and IT security leads to understand their advisory and resource needs; define the scope and objectives of each deployment clearly, brief and onboard resources appropriately, and ensure that the output of each engagement meets the division’s needs and GCS quality standards. Manage the demand pipeline for advisory and flexible resource deployments; prioritise requests in line with Group risk priorities, balance supply against demand, and ensure that resourcing decisions are transparent and agreed with the Deputy CISO and relevant divisional stakeholders. Ensure that flexible resources deployed into divisions are competent, well‑briefed on standards and culture, and set up to add genuine value from day one; maintain quality standards across the pool and build a pipeline of trusted specialists who understand the environment.

Divisional Engagement & GCS Intelligence Loop

Build and sustain trusted relationships with divisional BISOs, security leads, CIOs, and IT directors across all 11 divisions; position the Cyber Advisory Services function as a valued, accessible, and practical source of cyber expertise – not a bureaucratic overhead. Use divisional advisory engagements as an active intelligence‑gathering mechanism; identify common themes, recurring challenges, emerging risks, and capability gaps across the estate, and bring these insights back to the GCS Leadership Team to inform strategy, standards development, and investment priorities. Champion the GCS advisory model as a two‑way relationship; ensure divisions feel heard and that their feedback genuinely influences how GCS operates, while maintaining the Group standards and non‑negotiables that the advisory function exists to support.

Team Leadership, Quality & Continuous Improvement

Lead and develop the permanent Cyber Advisory Services team; set clear standards of advisory quality, professional conduct, and output, and foster a culture where consultants take personal pride in the value they add to the divisions they support. Develop and maintain a service catalogue for the Cyber Advisory Services function that clearly articulates what the function offers, how to engage it, what divisions can expect, and how outcomes will be measured; make the function easy to access and straightforward to work with. Work in close partnership with the Cyber Architecture Manager, Head of Cyber Assurance, and Security Platform Engineering Manager to ensure advisory activity is consistent with the GCS strategy, avoids duplication of effort, and is integrated into the broader GCS operating model.

Experience, Knowledge, Skills & Attributes - Essential

Experience

  • 10+ years in cyber security, with a significant portion in advisory, consulting, or technical leadership roles requiring breadth across multiple security domains.
  • Demonstrable track record of delivering cyber security advisory services in a complex, multi‑entity, or federated environment – either in‑house within a large group organisation or as an external consultant serving large enterprise clients.
  • Hands‑on experience conducting security configuration rule base reviews and security policy assessments, including use of relevant tooling and production of structured, risk‑prioritised findings reports.
  • Experience defining and reviewing non‑functional security requirements for enterprise technology programmes, and the ability to translate Group security standards into specific, measurable, project‑level requirements.
  • Experience providing cyber security input to mergers, acquisitions, or divestiture programmes, including due diligence support and post‑acquisition integration planning.
  • Experience managing or coordinating a flexible or contract resourcing model for a technical function, including defining briefs, onboarding specialists, and maintaining quality of output across a pool of consultants.
  • Experience leading or managing a small team of security consultants or advisors, with accountability for the quality and impact of advisory outputs.

Knowledge & Skills

  • Broad technical knowledge spanning the key cyber security domains – network security, identity and access management, endpoint protection, cloud security, application security, and data protection – sufficient to advise credibly and independently across all of them.
  • Excellent consulting and communication skills: the ability to listen carefully, understand context, form a well‑reasoned view, and communicate it clearly and persuasively – whether in a written advisory report, a divisional workshop, or a conversation with a CIO.
  • Ability to translate Group‑level technical standards into practical, context‑sensitive guidance that makes sense in a specific divisional environment – maintaining the intent and integrity of the standard while acknowledging legitimate operational constraints.
  • Strong stakeholder management skills; able to build trust and credibility with senior divisional stakeholders, navigate organisational complexity with sensitivity, and influence without direct authority.
  • Comfortable operating as a generalist at senior level: able to switch fluently between strategic advisory conversations and hands‑on technical review, and to calibrate the depth of engagement to what each situation requires.

Qualifications

  • Degree‑level education, or equivalent professional experience in a relevant technical or business discipline.
  • Professional certification in cyber security: CISSP, CISM, or equivalent demonstrating both technical breadth and professional credibility.

Desirable Experience

  • Experience within a Big Four, boutique cyber consultancy, or in‑house advisory function of a large FTSE‑listed or equivalent organisation, with demonstrable experience of structured advisory engagement delivery at pace.
  • Experience in a large FMCG, food and beverage, retail, or manufacturing organisation, with an appreciation of the operational technology, supply chain, and consumer data considerations that shape security advisory in this sector.
  • Direct experience leading the cyber workstream of a full M&A transaction lifecycle, from initial due diligence through to post‑completion integration and standard adoption.
  • Experience designing and operating a cyber advisory service catalogue, including definition of service offerings, engagement processes, SLAs, and satisfaction measurement.
  • Experience working across multiple regulatory jurisdictions simultaneously, providing advisory guidance on how Group standards interact with local legal and regulatory requirements.

Knowledge & Skills

  • Familiarity with the security technology estate – including Microsoft E5 / Defender suite, Zscaler, Qualys, Abnormal Security, Claroty, and Axonius – sufficient to provide informed advisory guidance on standards compliance and configuration questions without requiring specialist platform engineering support for routine queries.
  • Understanding of OT/ICS security considerations relevant to food and beverage manufacturing, distribution, and supply‑chain environments.
  • Knowledge of firewall policy review tooling (e.g. Tufin, AlgoSec, FireMon) and structured approaches to rule base analysis and optimisation.
  • Strong written communication skills; able to produce advisory reports, briefing papers, and engagement outputs to a consistently high standard that would reflect well on GCS in front of divisional leadership.

Qualifications

  • Additional qualifications in security architecture (SABSA, CISSP‑ISSAP) or risk (CRISC) that demonstrate depth alongside advisory breadth.
  • ISO/IEC 27001 Lead Auditor or Implementer, demonstrating working familiarity with the standards framework that underpins the Group ISMS programme.
  • Membership of a recognised professional body (CIISec, ISACA, (ISC)², BCS) is welcome.

Cyber Advisory Services Manager employer: Information Security Solutions

Join a forward-thinking organisation that prioritises cyber security as a core component of its culture, offering a dynamic work environment in London or Peterborough with hybrid working arrangements. As a Cyber Advisory Services Manager, you will benefit from competitive remuneration, a car allowance, and comprehensive health coverage, while also having the opportunity to lead a talented team and contribute to significant transformation initiatives across a global business. With a strong focus on employee development and a collaborative work culture, this role provides a unique chance to make a meaningful impact in the field of cyber security.

Contact Details:

Information Security Solutions Recruitment Team

StudySmarter Expert Advice🤫

We think this is how you could land Cyber Advisory Services Manager

Network Like a Pro

Get out there and connect with people in the cyber security field! Attend industry events, webinars, or local meetups. The more you network, the better your chances of landing that Cyber Advisory Services Manager role.

Show Off Your Skills

When you get the chance to chat with potential employers, don’t hold back! Share your hands-on experience with security configurations and advisory services. Let them know how you can add value to their team right from day one.

Tailor Your Approach

Every division has its own unique challenges. Make sure you understand their specific needs and how your expertise can help. This shows you're not just another candidate; you're the right fit for their team.

Apply Through Our Website

Don’t forget to apply through our website! It’s the best way to ensure your application gets noticed. Plus, it gives us a chance to see your enthusiasm for joining our Cyber Advisory Services team.

We think you need these skills to ace Cyber Advisory Services Manager

Cyber Security Advisory
Stakeholder Management
Security Configuration Review
Non-Functional Security Requirements Definition
Mergers and Acquisitions Cyber Support
Technical Standards Interpretation
Communication Skills

Some tips for your application 🫡

Tailor Your CV: Make sure your CV speaks directly to the Cyber Advisory Services Manager role. Highlight your experience in cyber security, especially in advisory and consulting roles, and don’t forget to mention any relevant certifications. We want to see how your skills align with what we’re looking for!

Craft a Compelling Cover Letter: Your cover letter is your chance to shine! Use it to tell us why you’re passionate about cyber security and how your background makes you the perfect fit for our team. Be sure to mention specific experiences that relate to the job description.

Showcase Your Communication Skills: As a Cyber Advisory Services Manager, strong communication is key. In your application, demonstrate your ability to convey complex ideas clearly. Whether it’s through your CV, cover letter, or any additional documents, make sure your writing reflects your ability to communicate effectively.

Apply Through Our Website: We encourage you to apply directly through our website. It’s the best way to ensure your application gets into the right hands. Plus, you’ll find all the details you need about the role and our company culture there!

How to prepare for a job interview at Information Security Solutions

Know Your Cyber Standards

Make sure you’re well-versed in the Group cyber technical standards and security policies. Be ready to discuss how these can be practically applied in different divisional contexts. This shows you understand the role's requirements and can provide tailored advice.

Showcase Your Consulting Skills

Prepare examples from your past experience where you've successfully advised on cyber security matters. Highlight your ability to communicate complex ideas clearly and persuasively, especially when dealing with senior stakeholders like CIOs.

Understand the M&A Landscape

Brush up on your knowledge of mergers and acquisitions, particularly how cyber security plays a role in due diligence and integration. Be ready to discuss any relevant experiences you have in this area, as it’s a key part of the role.

Build Relationships

Demonstrate your stakeholder management skills by discussing how you've built trust and credibility in previous roles. Share specific strategies you’ve used to engage with diverse teams and ensure that their feedback is valued and acted upon.