Head of Information Security | London, UK

As Head of Information Security, you will report directly into the Group CISO, and be responsible for leading and managing key pillars of our security programme, with a primary focus on Third-Party Security Risk Management, Data Loss Prevention (DLP), Policy Governance, Security Training & Awareness, and Identity & Access Management (IAM). You will work closely with the Group CISO to ensure consistent high standards in your areas of responsibility and ensure global adherence to security practices. The ideal candidate will have deep knowledge of regulatory frameworks such as NYDFS Cybersecurity Regulation, GDPR, and other European and Australian data protection laws, and will bring a proactive, risk-based approach to the governance and operationalisation of security controls.

Within this role, you will act as a member of the CISO's leadership team, contributing to security strategy, budgeting, and cross-functional planning. This involves supporting the CISO to build and manage a high-performing team aligned with the security program's objectives. Other key responsibilities include:

• Management of Cyber Incidents supporting the CISO and CISO team in the co-ordination of managing these events globally.
• Manage vendor relationships within your areas of responsibility, including responsibilities around renewals, negotiations, contract updates and regular touch points with the vendors.
• Working collaboratively with legal, procurement, and operational resilience teams to ensure Third Party Risk Management is being supported end-to-end and the correct due diligence is in place to monitor our supply chain, along with SLAs.
• Leading the assessment, onboarding, and continuous monitoring of third-party vendors.
• Implementing and refining risk-based frameworks and tools for evaluating vendor security posture with an aim of continuously monitoring and evaluating the CFC supply chain.
• Maintaining, updating, and socialising security policies, standards, and procedures to reflect evolving threats, technologies, and regulations.
• Overseeing DLP strategy to prevent unauthorised data access, use, or transfer involving continuously tuning DLP tooling, policies and rules to align with emerging threats and business needs and coordinating incident response activities related to DLP alerts.
• Develop a company-wide security awareness and training program including tailoring training to address emerging risks, regulatory obligations, and role-specific responsibilities and measuring/reporting on the effectiveness of this training.
• Directing the strategy and operations for IAM, including provisioning, access reviews, and privileged access management.
• Partnering with IT to integrate IAM best practices into enterprise systems and workflows.
• Working closely with the CISO to ensure security controls meet compliance obligations under NYDFS, GDPR, and relevant global financial regulations.

The ideal candidate for this role will come with proven leadership in information security governance within a regulated environment. We will also be looking for someone with a strong familiarity with UK and international regulatory frameworks in the US, Europe and Australia. Also, you will be:

• Adept at translating complex regulatory or technical requirements into practical business-aligned controls, policies and processes.
• Comfortable working with audit and compliance stakeholders during assessments, certifications, or investigations.
• From a strong background in information security frameworks, standards, and regulatory requirements including a strong understanding of enterprise IT and security architecture, cloud security, data protection, threat management, and incident response.
• Proficient in developing programme and project management reporting and documentation.
• Able to manage third-party vendors, MSSPs, and contract negotiations.

Core Values

• Love what you do: We show up each day ready to take on the world. Our passion and intensity set us apart and makes the difference to our colleagues, customers, brokers and carriers.
• Challenge everything: We're never afraid to question the way that things are done and we constantly challenge ourselves and others to make things better.
• Have fun, be good: Insurance is a serious business, but we don't take ourselves too seriously. We make it fun to work at CFC, we welcome all viewpoints, and we treat everyone how we would expect to be treated.