Head of Cyber Security Governance, Risk and Compliance in London

The Group Cyber Security team is responsible for ensuring that cyber risk is managed appropriately across the Group. The cyber strategy has been updated, recognising that cyber security needs to be part of the Group's culture and DNA. The Group operates a highly federated business model, and the strategy has considered the most effective way to build improved cyber capabilities while supporting this operating model. This permanent role will play a key part in shaping and supporting the delivery of the transformation programme, before assuming responsibility for embedding, operating, and continually improving the new initiatives as they transition into business-as-usual.

The Head of Cyber Security Governance, Risk & Compliance (GRC) serves as the driving force behind the Group's vision for world-class cyber resilience and is accountable for defining and advancing the enterprise cyber risk and assurance strategy. This role champions a culture of proactive risk management, robust governance, and unwavering compliance, ensuring that the Group not only meets but sets the standard for information security across a complex, global business landscape.

Key Responsibilities:

• Governance
  • Define and maintain the cyber security governance framework, policies, and standards.
  • Lead the liaison with divisional GRC roles, supporting the development and maintenance of the GRC operating model and framework.
  • Ensure alignment with the Cyber Standard and global regulatory requirements (e.g., NIS2, GDPR).
  • Provide direction on cyber security tooling relating to governance and assurance objectives.
  • Collaborate with the Technical Assurance team to define and implement metrics and reporting standards for divisions.
  • Chair governance forums and provide regular reporting to senior leadership and audit committees.
  • Plan, coordinate and facilitate Security Working Group (SWG) meetings.
  • Assist in the preparation of board papers and materials for annual reporting and Group level risk management.
• Risk Management
  • Develop and implement enterprise-wide cyber risk management processes.
  • Lead risk quantification initiatives by implementing risk quantification methodologies and developing metrics to measure and communicate risk reduction.
  • Provide assurance that cyber risks are identified, assessed, and mitigated across all divisions.
  • Maintain and update risk registers, ensuring Group risks are accurately captured, assessed, and managed.
  • Conduct and oversee risk assessments at Group level in support of all divisions and business units.
  • Track and manage deviations from policy, including the documentation and approval of exceptions.
  • Conduct horizon scanning for regulatory changes and emerging cyber security requirements, ensuring the risk landscape is proactively managed.
• Compliance & Assurance
  • Build and lead the non-automated second line assurance capability to monitor compliance to the Group's cyber standard.
  • Oversee readiness for internal audits and external regulatory reviews, liaising with internal audit and external bodies to support audit activities, address findings, and drive remediation.
  • Report monthly on GRC and assurance activities to senior management and divisional stakeholders.
  • Respond to ad-hoc reporting requests from divisions, business units, and senior management.
• Third Party Security
  • Develop the strategy for third party cyber security.
  • Manage cyber security third-party risk and assurance, at point of contract and through ongoing assurance.
  • Deliver a demonstrable and measurable reduction in third party cyber security risk.
• Strategic Leadership
  • Lead the Group Cyber Security GRC function, establishing a robust second line of defence and embedding risk-based decision-making.
  • Provide strategic direction on GRC initiatives, ensuring continuous improvement and alignment with business objectives whilst supporting the delivery of the cyber transformation programme.
  • Act as a trusted advisor to the CISO and senior stakeholders on governance and compliance matters.
  • Influence organisational culture to embed security awareness and risk-based thinking.
  • Work in partnership and collaborate across verticals with the GCS Leadership Team.
• Stakeholder Engagement
  • Collaborate with divisional GRC functions, BISOs, legal, finance, and operational teams to ensure integrated risk management.
  • Represent the Group in external forums and regulatory engagements.
  • Build and maintain trusted relationships with senior stakeholders, demonstrating a personable and collaborative approach.
  • Ensure positive engagement and communication with all internal and external stakeholders.

Experience, Knowledge, Skills & Attributes

Essential

• 7+ years experience in governance, risk, and compliance within a large, complex organisation.
• Strong knowledge of cyber security frameworks (ISO 27001, NIST, CIS Controls).
• Expertise in regulatory compliance (GDPR, NIS2, SOX).
• Excellent leadership, communication, and influencing skills.
• Professional certifications such as CISSP, CISM, CRISC.
• Proven experience developing and implementing enterprise-wide cyber risk management processes.
• Excellent collaboration skills with cross-functional teams.
• Strong relationship-building and communication skills, with a personable and credible approach.

Desirable

• Experience in a federated business model.
• Familiarity with risk quantification tools and methodologies.
• Ability to drive cultural change and embed security awareness.
• Experience building a strong relationship with internal audit.
• Experience implementing an effective third party security risk management service.