Head of Cyber Assurance

Full-Time · £130,000 - £150,000 / year (est.) · No working from home possible

At a Glance

  • Tasks: Lead cyber assurance efforts, ensuring robust governance and risk management across a global organisation.
  • Company: Join a leading FTSE100 company committed to cyber security excellence.
  • Benefits: Attractive salary, hybrid working model, and opportunities for professional growth.
  • Other info: Be part of a diverse team driving impactful change in cyber resilience.
  • Why this job: Shape the future of cyber security in a dynamic, transformative environment.
  • Qualifications: 10+ years in cyber security with strong leadership and regulatory compliance experience.

The predicted salary is between £130,000 and £150,000 per year.

The Group Cyber Security (GCS) team is responsible for managing cyber risk appropriately across the Group. The cyber strategy has been refreshed, with a renewed focus on embedding cyber security as part of the culture and DNA. The Group is a highly federated business model spanning 10 divisions, 90+ businesses and over 50 countries, and the cyber strategy has been designed to build materially improved security capabilities while working with and through that model.

It is an exciting time to join GCS – we are in a period of significant investment and transformation. GCS is establishing the Group cyber standard, measuring compliance against it across all the businesses, and standing up new capabilities at pace. This permanent role will play a pivotal part in shaping that programme and, as it matures, in owning and continuously improving the assurance, risk, and governance functions at the heart of the Group’s security posture.

Role Summary

Reporting to the Group CISO, the Head of Cyber Assurance leads the second line of defence for cyber security – providing independent, risk‑based oversight across governance, risk management, regulatory compliance, and assurance. The role is the functional owner of everything GRC touches: from information security policy and non‑technical standards, through enterprise cyber risk management and third‑party security, to continuous controls assessment, audit management, and regulatory reporting.

This role oversees continuous controls monitoring, leveraging tooling to provide real‑time visibility of control coverage and effectiveness, and translates that data into meaningful management information for informed governance decisions. The role holder governs risk acceptance and exceptions, manages regulatory obligations under GDPR, NIS2, and DORA, and acts as the primary liaison with legal teams and regulators.

Beyond formal governance, this role drives cyber communications, culture, and awareness across the diverse workforce; leads the Group security hygiene and resilience programme; produces Board, ExCo, and Information Security Committee reporting packs; and coordinates crisis exercising and playbook execution to ensure the organisation is ready to respond to major cyber incidents.

Strategic Leadership & Stakeholder Engagement

  • Lead and develop the Group Cyber Assurance function, establishing a high‑performing second line of defence and embedding risk‑based decision‑making as a natural habit across the organisation.
  • Act as a trusted adviser to the Group CISO and senior stakeholders on all GRC matters; work in partnership with the GCS Leadership Team across all verticals and represent the Group in external forums and regulatory engagements.
  • Collaborate with divisional GRC functions, BISOs, legal, finance, and operational teams to ensure integrated and proportionate risk management; build and sustain trusted relationships with senior stakeholders across a large, federated Group.

Information Security Policy, Standards & Governance

  • Own and maintain the Group information security policy framework and all non‑technical standards; ensure they are current, enforceable, written in plain language, and visibly aligned to external regulation and the Group’s risk appetite.
  • Govern the risk acceptance and exception process end‑to‑end: ensure all policy deviations are formally assessed, justified, approved at the appropriate level, time‑bounded, and subject to periodic review.
  • Plan, chair, and facilitate the Group Security Working Group (SWG) and wider governance forums; produce regular, concise reporting for senior leadership, the ISC, and audit committees.

Cyber Risk Management & Risk Exceptions Governance

  • Develop and operate enterprise‑wide cyber risk management processes; maintain the Group cyber risk register and ensure risks are accurately captured, assessed, owned, mitigated, and escalated appropriately across all 11 divisions.
  • Lead risk quantification initiatives; implement methodologies and develop metrics that communicate risk reduction in business terms, enabling the CISO and ExCo to make well‑informed investment and prioritisation decisions.
  • Conduct horizon scanning for emerging regulatory requirements and threat‑driven risk changes; ensure the Group risk posture is proactively managed rather than reactively patched.

Third‑Party & Supply‑Chain Security Assessment & Management

  • Define and deliver the Group third‑party cyber security strategy; drive a step change in third‑party risk capability through the Third‑Party Management workstream of the cyber transformation programme.
  • Manage third‑party cyber risk at point of contract and through ongoing assurance; build a proportionate, risk‑tiered assessment framework and deliver a measurable reduction in supply‑chain cyber risk exposure across the Group.

Continuous Controls Assessment & Control Effectiveness MI

  • Lead the Group continuous controls monitoring programme, leveraging Axonius and complementary tooling to provide real‑time, evidence‑based visibility of control coverage, gaps, and drift across the estate.
  • Design and produce control effectiveness MI that is meaningful to different audiences – from technical teams needing remediation data to ExCo and Board needing a clear view of overall security posture.

Cyber Assurance Programme & Audit Finding Management

  • Define and deliver the end‑to‑end Group cyber assurance programme, encompassing internal reviews, thematic assessments, divisional control testing, and first‑line challenge – providing the CISO with independent confidence in the state of security controls.
  • Own the management of audit findings across internal audit, external audit, and regulatory reviews; drive timely remediation, track progress rigorously, and ensure sustainable rather than cosmetic closure of issues.

Cyber Communications, Culture & Awareness

  • Drive the cyber awareness and behavioural change agenda; develop and deliver engaging, targeted programmes that embed a strong security culture across a diverse, geographically dispersed, and federated workforce.
  • Lead Group cyber communications, ensuring messaging is clear, consistent, aligned to risk priorities, and pitched appropriately for each audience from shopfloor to Board; influence organisational culture to embed risk‑based thinking at every level.

Regulatory Reporting (GDPR / NIS2 / DORA) & Legal Liaison

  • Lead regulatory compliance reporting across applicable regimes, including GDPR, NIS2, and DORA; act as the primary cyber security liaison to legal teams and regulators, ensuring responses are consistent, accurate, defensible, and filed within required timeframes.
  • Monitor the evolving regulatory landscape across the global operating jurisdictions; proactively advise the CISO and business on incoming obligations and ensure compliance posture is maintained ahead of regulatory change.

Security Hygiene & Resilience Programme

  • Lead the Group security hygiene and operational resilience programme, strengthening the ability to prevent cyber incidents, detect threats early, and recover effectively – with clear metrics, targets, and accountability for improvement.
  • Define and track hygiene KPIs – including patching currency, MFA adoption rates, vulnerability remediation SLAs, and phishing resilience scores – and report progress against targets to senior leadership and divisional stakeholders.

Board / ExCo / ISC Reporting Pack Production

  • Produce clear, authoritative, and insightful reporting packs for the Board, Executive Committee, and Information Security Committee; deliver a joined‑up view of cyber risk, control effectiveness, assurance outcomes, and regulatory standing that enables confident governance decisions.
  • Respond to ad‑hoc reporting requests from divisions, business units, and senior management; translate complex technical risk and assurance matters into accessible, decision‑ready business language.

Crisis Exercising & Playbook Execution

  • Coordinate Group cyber crisis exercising, including tabletop scenarios, cross‑divisional simulations, and Executive‑level war‑gaming; ensure the Group is genuinely prepared – not just theoretically compliant – to respond to major cyber incidents.
  • Own the cyber incident response playbook framework; ensure playbooks are maintained, tested, regularly updated to reflect the threat landscape, and actionable by the right people at pace when an incident occurs.

Experience, Knowledge, Skills & Attributes

Essential Experience

  • 10+ years in cyber security, information security, or technology risk, with demonstrable progression into senior leadership roles.
  • Proven track record designing and operating a cyber GRC / second‑line‑of‑defence function within a large, complex, or highly regulated organisation.
  • Demonstrable experience of enterprise cyber risk management, including quantification methodologies, risk register ownership, and reporting to Board and ExCo.
  • Experience managing regulatory compliance obligations including GDPR and NIS2; working familiarity with DORA or equivalent financial or operational resilience frameworks.
  • Experience leading third‑party / supply‑chain security programmes at scale, including risk‑tiered assessment frameworks and ongoing assurance models.
  • Track record delivering security awareness and culture change programmes across large, diverse, and geographically dispersed workforces.
  • Experience producing Board‑level cyber reporting packs and presenting to senior governance forums such as Audit, Risk, or Information Security Committees.

Knowledge & Skills

  • Deep knowledge of cyber security governance frameworks – ISO/IEC 27001:2022, NIST CSF 2.0, CIS Controls – and their practical application in complex enterprise environments.
  • Familiarity with continuous controls monitoring / CAASM tooling (e.g. Axonius, Qualys) and the ability to translate tool outputs into actionable, audience‑appropriate MI.
  • Strong understanding of UK/EU data protection law and operational resilience regulations; able to translate legal obligations into practical security controls.
  • Excellent communication and influencing skills; able to translate complex technical risk into clear, compelling narratives for non‑technical audiences up to and including Board level.
  • Able to build trusted relationships and influence without authority across complex, federated organisational structures at pace.

Qualifications

  • Degree‑level education, or equivalent professional experience in a relevant discipline.
  • Professional certification in cyber security or risk management: CISM, CISSP, or CRISC (or active equivalent).

Desirable Experience

  • Experience in a large FMCG, food & beverage, retail, or FTSE‑listed organisation, ideally with exposure to OT or manufacturing security environments.
  • Experience building a GRC or cyber assurance function from a low or inconsistent maturity baseline, including framework design, tooling selection, and team development.
  • Leading or contributing to an ISO/IEC 27001 certification programme: ISMS design, gap analysis, internal audit, and management review.
  • Coordinating or participating in cyber crisis exercises at enterprise level, including war‑gaming against realistic, intelligence‑led scenarios involving senior leadership.
  • Direct engagement with supervisory authorities, data protection regulators, or national cyber agencies (e.g. ICO, NCSC, BSI).

Knowledge & Skills

  • Practical knowledge of cyber risk quantification methodologies, including FAIR (Factor Analysis of Information Risk) or equivalent.
  • Understanding of OT/ICS security considerations and the interaction between IT and operational technology risk in manufacturing or supply chain environments.
  • Familiarity with GRC platforms (e.g. ServiceNow GRC, Archer) and their use for integrated risk register, policy, and audit finding management.
  • Working experience across multiple regulatory jurisdictions simultaneously; multilingual capability is welcome given the global footprint.

Qualifications

  • ISO/IEC 27001 Lead Auditor or Lead Implementer certification.
  • Additional qualifications in privacy (CIPP/E, CIPM) or business continuity / resilience (CBCI, MBCI) are advantageous.
  • Membership of a recognised professional body (ISACA, (ISC)², BCS, CIISec, or equivalent) is welcome.

Head of Cyber Assurance employer: Information Security Solutions

As a leading FTSE100 company based in London, we pride ourselves on fostering a dynamic and inclusive work culture that prioritises employee growth and development. With a strong commitment to cyber security, this role offers the opportunity to lead transformative initiatives while enjoying a hybrid working model that promotes work-life balance. Our investment in cutting-edge technology and continuous learning ensures that you will be at the forefront of the industry, making a meaningful impact in a supportive environment.

Contact Details:

Information Security Solutions Recruitment Team

StudySmarter Expert Advice🤫

We think this is how you could land Head of Cyber Assurance

Tip Number 1

Network like a pro! Get out there and connect with people in the cyber security field. Attend industry events, webinars, or even local meetups. You never know who might have the inside scoop on job openings or can put in a good word for you.

Tip Number 2

Show off your expertise! Create a personal brand online by sharing insights, articles, or even your own experiences in cyber assurance. This not only showcases your knowledge but also helps you stand out to potential employers.

Tip Number 3

Don’t just apply – engage! When you find a role that excites you, reach out to current employees on LinkedIn. Ask them about their experiences and the company culture. This can give you valuable insights and make your application more memorable.

Tip Number 4

Keep it real during interviews! Be prepared to discuss how you would tackle specific challenges in cyber assurance. Use examples from your past experience to demonstrate your problem-solving skills and show that you’re the right fit for the team.

We think you need these skills to ace Head of Cyber Assurance

Cyber Security Governance
Risk Management
Regulatory Compliance (GDPR, NIS2, DORA)
Third-Party Risk Management
Continuous Controls Monitoring
Data Protection Law
Communication Skills

Some tips for your application 🫡

Tailor Your CV: Make sure your CV is tailored to the Head of Cyber Assurance role. Highlight your experience in cyber security governance, risk management, and compliance. We want to see how your skills align with our needs!

Craft a Compelling Cover Letter: Your cover letter is your chance to shine! Use it to explain why you're the perfect fit for this role. Share specific examples of your achievements in cyber assurance and how you can contribute to our team.

Showcase Your Leadership Skills: As a senior role, we’re looking for strong leadership qualities. Make sure to highlight your experience in leading teams, driving change, and influencing stakeholders. We want to know how you can lead our Cyber Assurance function!

Apply Through Our Website: Don’t forget to apply through our website! It’s the best way for us to receive your application and ensures you’re considered for the role. We can’t wait to see what you bring to the table!

How to prepare for a job interview at Information Security Solutions

Know Your Cyber Security Frameworks

Make sure you’re well-versed in key cyber security governance frameworks like ISO/IEC 27001 and NIST CSF. Be ready to discuss how you've applied these in previous roles, especially in complex environments. This will show your depth of knowledge and practical experience.

Demonstrate Leadership Skills

As the Head of Cyber Assurance, you'll need to lead a team and influence stakeholders. Prepare examples of how you've successfully led teams or projects in the past, particularly in risk management or compliance. Highlight your ability to build trusted relationships across different levels of an organisation.

Showcase Your Communication Skills

You’ll be translating complex technical information into clear narratives for non-technical audiences. Practice explaining cyber risk concepts in simple terms. Bring examples of reports or presentations you've created for senior leadership to demonstrate your communication prowess.

Be Ready for Scenario-Based Questions

Expect questions that assess your problem-solving skills in real-world scenarios, especially regarding crisis management or regulatory compliance. Think through potential cyber incidents and how you would respond, ensuring you can articulate your thought process clearly during the interview.