Head of Cyber Security & Privacy

Full-Time | 80000 - 100000 £ / year (est.) | No working from home possible
nando's

At a Glance

  • Tasks: Lead cyber security initiatives and protect Nando's UKI operations from threats.
  • Company: Join the vibrant Nando's team, known for its inclusive culture and delicious food.
  • Benefits: Competitive salary, flexible working options, and opportunities for professional growth.
  • Other info: Dynamic role with a focus on innovation and collaboration across various teams.
  • Why this job: Make a real impact in safeguarding customer data and enhancing security culture.
  • Qualifications: 5+ years in information security with leadership experience; strong communication skills required.

The predicted salary is between 80000 - 100000 £ per year.

The Head of Cyber Security & Privacy is accountable for implementing and maintaining information security across Nando's UKI's operations, protecting customers and Nandocas whilst enabling the business to operate securely. This role ensures security policies, standards and practices agreed with and set by the Group CISO are effectively embedded across restaurants, digital platforms, supply chain and support functions within the Nando's UKI.

This role involves working with peers and the CISO to set standards and policies and assuring those in market. This individual is also the Data Protection Officer for Nando's UKI.

Reporting & Accountability

  • Reports to: UKI Technology Director
  • Works closely with: Group CISO (for guidance, standards, and frameworks).
  • Accountable for: UKI cyber security posture, compliance and assurance.
  • Works closely with the UKI Chief Risk Officer
  • Works closely with the Head of Product & Delivery - Technology Platforms.

Key Responsibilities

Security Implementation & Operations

  • Understand Group security architecture and implement Group information security policies and standards across Nando's UKI.
  • Manage day-to-day security operations including monitoring, threat detection and incident response.
  • Coordinate with the Security Operations Centre on Nando's UKI-specific threats and incidents.
  • Maintain the Nando's UKI cyber security risk register and elevate significant risks.
  • Conduct security assessments of Nando's UKI systems, suppliers and processes.
  • Act as approver for the Data Protection Impact Assessment process.

Incident Response

  • Act as Nando's UKI incident commander for cyber security incidents.
  • Coordinate response with Group CISO for major incidents.
  • Document and report incidents following Group standards.
  • Implement lessons learned and track remediation actions.

Nando's UKI Stakeholder Engagement

  • Build relationships with Nando's UKI leadership (Tech, People, Ops, Risk, Legal, Supply Chain).
  • Ensure security is embedded in Nando's UKI initiatives, projects and training.
  • Support the Nando's UKI CEO to understand and prioritise cyber security.
  • Translate technical security risks into business impact for Nando's UKI stakeholders.

Security Culture & Awareness

  • Deliver security awareness training to Nando's UKI teams using Group materials.
  • Make security engaging and relevant to restaurant teams and support office staff.
  • Act as the face of security in the Nando's UKI - visible, approachable and credible.
  • Communicate security in line with Nando's values and tone of voice.
  • Maintain knowledge of the evolving threat landscape, relevant regulatory requirements, and industry standards applicable to Nando's (e.g. ISO 27001 and NIST).
  • Keep abreast of emerging risks related to technology, data privacy, and cyber security.
  • Actively engage with reputable industry bodies, publications, and peer networks, and apply relevant insights to continuously assess whether the organisation's security posture, policies, and controls remain fit for purpose.

Third-Party & Vendor Management

  • Assess security risks of Nando's UKI-specific suppliers and vendors.
  • Work with Procurement to ensure security requirements in supplier contracts.
  • Monitor ongoing compliance of third parties with security standards.
  • Escalate significant third-party risks to Group CISO.

Compliance & Audit

  • Ensure and demonstrate Nando's UKI compliance with Group security policies and relevant legislation (e.g. GDPR, local data protection laws).
  • Coordinate Nando's UKI participation in security audits and assessments.
  • Maintain evidence and documentation for compliance reporting.
  • Support Group CISO with regulatory reviews affecting the Nando's UKI.

Architecture & Projects

  • Review and approve security requirements for Nando's UKI technology initiatives.
  • Ensure secure configuration of Nando's UKI systems and infrastructure.
  • Work with Group CISO to implement identity and access management standards.
  • Support secure deployment of the Global Nando's Platform in the Nando's UKI.

Data Security

  • Implement data classification and data lifecycle management practices.
  • Ensure sensitive data is appropriately protected across the Nando's UKI.
  • Monitor and report on data security metrics.
  • Investigate and remediate data security incidents.

Skills & Qualifications

Essential

  • 5+ years' experience in information security, with at least 2 years in a leadership role.
  • Strong practical knowledge of security operations, incident response and risk management.
  • Experience implementing security frameworks (NIST CSF, ISO 27001 or similar).
  • Ability to influence stakeholders without direct authority.
  • Excellent communication skills - can explain technical risks to non-technical audiences.
  • Understanding of GDPR and data protection principles.
  • Experience working in multi-site or retail/hospitality environments.

Desirable

  • Relevant certifications (CISSP, CISM, Security+, CEH or similar).
  • Experience with cloud security (AWS, Azure, GCP).
  • Up-to-date knowledge of security tools (SIEM, EDR, vulnerability management).
  • Understanding of secure development practices.
  • Experience in a franchised or multi-site organisation.

What Success Looks Like

Year 1

  • Nando's UKI leadership understands and actively supports security priorities.
  • Clean audit outcomes against Group security standards.
  • Security embedded in all major Nando's UKI projects and initiatives.
  • Effective incident response demonstrated through exercises and/or real incidents.
  • High engagement rates with security awareness programmes.

Ongoing

  • Nando's UKI consistently meets Group security metrics and KPIs.
  • Strong working relationship with Group CISO and other Nando's UKI Heads of Security.
  • Proactive identification and mitigation of Nando's UKI-specific risks.
  • Security seen as an enabler rather than a blocker.
  • Positive feedback from Nando's UKI stakeholders on security support and guidance.

Head of Cyber Security & Privacy employer: nando's

Nando's UKI is an exceptional employer that prioritises a culture of security and collaboration, making it an ideal place for the Head of Cyber Security & Privacy to thrive. With competitive salaries, comprehensive training programmes, and a commitment to employee growth, Nando's fosters an environment where innovation and security awareness are at the forefront. Located in a vibrant setting, employees benefit from engaging with diverse teams while ensuring the safety of customers and colleagues alike.

Contact Details:

nando's Recruitment Team

StudySmarter Expert Advice🤫

We think this is how you could land Head of Cyber Security & Privacy

Tip Number 1

Network like a pro! Get out there and connect with folks in the cyber security field. Attend industry events, webinars, or even local meetups. The more people you know, the better your chances of landing that dream job!

Tip Number 2

Show off your skills! Create a personal project or contribute to open-source initiatives related to cyber security. This not only boosts your portfolio but also gives you something tangible to discuss during interviews.

Tip Number 3

Prepare for those interviews! Research Nando's UKI and understand their specific security challenges. Tailor your responses to show how your experience aligns with their needs. Remember, confidence is key!

Tip Number 4

Don’t forget to apply through our website! It’s the best way to ensure your application gets noticed. Plus, we love seeing candidates who are proactive about their job search!

We think you need these skills to ace Head of Cyber Security & Privacy

Information Security Management
Incident Response
Risk Management
Security Operations
Stakeholder Engagement
Data Protection Compliance
Security Framework Implementation

Some tips for your application 🫡

Tailor Your CV: Make sure your CV is tailored to the Head of Cyber Security & Privacy role. Highlight your experience in information security, especially in leadership roles, and showcase your knowledge of security frameworks like NIST or ISO 27001.

Craft a Compelling Cover Letter: Your cover letter should tell us why you're the perfect fit for this role. Share specific examples of how you've implemented security policies and engaged with stakeholders in previous positions. Make it personal and engaging!

Showcase Your Communication Skills: Since you'll need to explain technical risks to non-technical audiences, demonstrate your communication skills in your application. Use clear language and avoid jargon where possible to show us you can bridge that gap.

Apply Through Our Website: We encourage you to apply through our website for the best chance of being noticed. It’s the easiest way for us to keep track of your application and ensure it gets to the right people!

How to prepare for a job interview at nando's

Know Your Stuff

Make sure you have a solid understanding of information security principles, especially those related to GDPR and data protection. Brush up on the NIST CSF and ISO 27001 frameworks, as these will likely come up in conversation.

Show Your Leadership Skills

As this role is a leadership position, be prepared to discuss your experience in managing teams and influencing stakeholders. Share specific examples of how you've led security initiatives or improved security posture in previous roles.

Understand the Business

It's crucial to translate technical security risks into business impacts. Be ready to explain how security measures can enable Nando's UKI to operate securely while still achieving its business goals. This shows you understand the bigger picture.

Engage with Security Culture

Demonstrate your ability to foster a security culture within an organisation. Talk about any past experiences where you've delivered security awareness training or engaged with teams to make security relevant and engaging.