At a Glance
- Tasks: Lead the governance, risk, and compliance for information security at Halfords.
- Company: Join Halfords, a forward-thinking company shaping the future of motoring and cycling.
- Benefits: Enjoy competitive salary, car allowance, hybrid working, and generous leave.
- Other info: Be part of an inclusive culture that values wellbeing and personal development.
- Why this job: Make a real impact in a key role with organisational reach and growth opportunities.
- Qualifications: Proven experience in information security GRC and strong technical credibility required.
The predicted salary is between £50,000 and £65,000 per year.
About us
Halfords is on a journey — building the future of motoring and cycling and looking for people who want to help shape what comes next. We’re a place for co-creators: people who want to make a real impact, take ownership and be part of something that’s still evolving. Technology at Halfords is at a turning point. We’re modernising our foundations, sharpening our delivery, and ensuring every technology decision is connected to real commercial and customer outcomes. We’re looking for people who act as trusted advisors to the business, take end-to-end accountability for outcomes, and can balance pace with long-term architectural integrity. Innovation here means practical, scalable solutions, not ideas that stay on whiteboards.
Halfords operates a hybrid working policy – this position will be based 3 days per week at our support centre in Redditch, West Midlands.
About the role
As Information Security GRC Lead within our Technology Information Security function, you'll own the governance, risk, and compliance capability for the organisation end to end. It’s a key role within the function where you’ll be responsible for ensuring security risks are understood and managed at the right level, compliance obligations are met without becoming a drag on delivery, and decision-makers have what they need to act with confidence. Day to day, you'll maintain the security policy framework, own the technology and cyber risk register, and lead PCI DSS Level 4 and Cyber Essentials Plus assurance and audit coordination. You'll independently assess and challenge technical security controls from technology teams and third-party suppliers, coordinate internal audits and UK GDPR reviews, and deliver clear compliance reporting to Technology Leadership and the Board. This role requires genuine technical credibility alongside strong governance instincts. You'll need to be equally comfortable challenging a control gap with an engineering team as presenting compliance status to an audit committee. If you want to own a GRC function with real organisational reach, this is a strong platform to do it from.
Key responsibilities
- Own the information security GRC function, maintaining the security policy framework, standards, and supporting procedures, ensuring policies are current, risk-based, and practically adoptable without creating unnecessary friction.
- Lead information security risk management, owning the technology and cyber risk register, driving risk ownership across the organisation, and providing clear risk-based recommendations to support senior decision-making.
- Independently assess and validate technical security controls and evidence provided by technology teams and third-party suppliers, challenging where controls are insufficient and forming clear, documented risk conclusions.
- Own PCI DSS Level 4 assurance and audit coordination, managing evidence collection, engaging with assessors, tracking remediation to closure, and maintaining continuous audit readiness.
- Own Cyber Essentials Plus certification, managing the assessment process and ensuring controls remain compliant between certification cycles.
- Coordinate internal information security audits and UK GDPR technical control assurance, managing evidence collection, stakeholder engagement, and remediation tracking.
- Manage third-party security assurance, maintaining a supplier security risk framework and ensuring third-party controls meet the organisation's standards.
- Deliver clear, decision-ready reporting on GRC posture, audit outcomes, and compliance status to Technology Leadership and, where required, to the Board and the Audit and Risk Committee.
- Own the security training and awareness programme, including planning and executing campaigns and driving continuous improvement in colleague awareness.
About you
- Proven experience leading an information security GRC function, owning policy frameworks, risk registers, audit coordination, and compliance assurance in a complex technology environment.
- Strong technical credibility, with the ability to independently assess and challenge technical security controls across cloud, identity, endpoints, networks, and applications without owning those controls directly.
- Hands-on experience managing PCI DSS compliance obligations, including evidence management, assessor engagement, gap remediation, and maintaining continuous audit readiness.
- Experience managing Cyber Essentials Plus certification processes, including scoping, evidence collection, and control validation.
- Proven experience managing information security risk registers, driving risk ownership, and articulating risk clearly to senior and non-technical stakeholders.
- Strong written and verbal communication skills, able to produce clear, concise reporting for technical, business, and audit audiences as well as plan and deliver awareness material.
- Experience in UK retail, omnichannel, or customer-facing technology environments with payment card and data protection obligations would be an advantage.
- Relevant certifications such as CISSP, CISM, CISA, or CRISC are desirable, though equivalent demonstrable experience in security governance, risk, and compliance is equally welcome.
A fair and competitive salary evaluated against market data, car allowance, annual discretionary bonus scheme, pension, life assurance, 25 days annual leave plus bank holidays and enhanced family leave. Commitment and dedication to your ongoing personal and professional development. We help you to own and grow your potential so you can be at your best in your current role and to support your future career aspirations. We offer hybrid working with a blend of working in our Support Centre and from home. You will have access to a wealth of employee discounts across the Halfords suite of products and services. Wellbeing and inclusion are at the heart of our colleague experience. We offer resources and ongoing support to enhance your wellbeing at work and active Colleague Networks supporting inclusion initiatives across Halfords.
Not sure you meet all the criteria? We'd encourage you to take the wheel and apply anyway! At Halfords we are committed to creating an inclusive workplace for our colleagues. We're an equal opportunities employer and proud to welcome applications from all backgrounds and embrace diversity within our one Halfords Family.
StudySmarter Expert Advice 🤫
We think this is how you could land Information Security GRC Lead
✨Tip Number 1
Network like a pro! Reach out to people in the industry, attend events, and connect on LinkedIn. You never know who might have the inside scoop on job openings or can put in a good word for you.
✨Tip Number 2
Prepare for interviews by researching Halfords and understanding their tech landscape. Know your stuff about GRC, PCI DSS, and Cyber Essentials Plus so you can impress them with your expertise.
✨Tip Number 3
Practice your pitch! Be ready to explain how your experience aligns with the role of Information Security GRC Lead. Highlight your achievements and how you can add value to their team.
✨Tip Number 4
Don’t forget to apply through our website! It’s the best way to ensure your application gets seen. Plus, it shows you’re genuinely interested in being part of the Halfords family.
Some tips for your application 🫡
Tailor Your Application: Make sure to customise your CV and cover letter to highlight your experience in information security GRC. Use keywords from the job description to show that you understand what we're looking for.
Showcase Your Achievements: Don’t just list your responsibilities; share specific achievements that demonstrate your impact in previous roles. We love seeing how you've made a difference, especially in risk management and compliance.
Be Clear and Concise: When writing your application, keep it straightforward. Use clear language and avoid jargon where possible. We want to see your communication skills shine through, especially since you'll be reporting to various stakeholders.
Apply Through Our Website: We encourage you to apply directly through our website. It’s the best way to ensure your application gets into the right hands and shows us you're serious about joining our team at Halfords.
How to prepare for a job interview at Halfords
✨Know Your GRC Inside Out
Make sure you have a solid understanding of governance, risk, and compliance principles. Brush up on the specific frameworks and standards relevant to the role, like PCI DSS and Cyber Essentials Plus. Being able to discuss these confidently will show that you're ready to take ownership of the GRC function.
✨Prepare for Technical Challenges
Expect to be challenged on your technical knowledge during the interview. Review common security controls and be ready to discuss how you would assess and validate them. This is your chance to demonstrate your technical credibility and problem-solving skills.
✨Showcase Your Communication Skills
Since you'll need to report to both technical and non-technical stakeholders, practice explaining complex concepts in simple terms. Prepare examples of how you've communicated compliance statuses or risk assessments in the past, as this will highlight your ability to bridge the gap between teams.
✨Demonstrate Your Leadership Style
As a lead, you'll need to inspire confidence and drive risk ownership across the organisation. Think about your leadership experiences and be ready to share how you've successfully managed teams or projects. Highlight your approach to fostering collaboration and accountability within a tech environment.