The Head of Cyber Governance, Risk & Compliance (GRC) plays a pivotal role in protecting some of the UK's most critical national infrastructure. Reporting to the Security Principal, the role provides senior operational leadership for Cyber GRC and assurance across NHS England's complex and highly federated technology landscape.
NHS England operates at national scale, delivering and enabling services that are essential to patient safety, public trust and national resilience. This role operates at the heart of that system, ensuring that cyber risk is understood, governed and managed proportionately while enabling digital transformation at pace.
The post holder will lead the day-to-day delivery of the Cyber GRC function with delegated authority, managing specialist teams and exercising matrix leadership across cyber, digital and technology services. The role is focused on leading technological change, ensuring governance and assurance remain effective as services, operating models and platforms continue to evolve.
Cyber resilience is fundamental to the successful delivery of the NHS Long Term & 10 Year Health Plans. This role will help ensure that transformation and modernisation initiatives can be delivered safely, securely and without disruption from cyber incidents, supporting continuity of care and public confidence.
Main duties of the job
The post holder will provide senior operational leadership for NHS England's Cyber GRC function, acting under delegated authority from the Security Principal to ensure effective, proportionate governance across a complex, highly federated and evolving environment.
Key responsibilities include leading the operation and development of cyber governance, policy and risk management frameworks, ensuring security policies, standards and controls remain fit for purpose, aligned to business risk, and capable of protecting critical national infrastructure that underpins safe patient care and public trust. The role will oversee assurance activity against recognised frameworks and obligations, including ISO 27001, the NCSC Cyber Assessment Framework and nationally mandated requirements.
The post holder will lead the development and communication of high quality cyber risk and resilience reporting, providing clear insight to senior leaders and governance forums to support informed decision making during significant organisational, technological and service change.
Working in partnership with technology, operational and transformation teams, the role will embed security by design into services and programmes, supporting delivery of the NHS Long Term and 10 Year Health Plans. The role requires calm, credible leadership and resilience, balancing competing priorities while leading specialist teams and matrixed stakeholders through sustained change in a high profile environment.
Job responsibilities
Please see the attached Job Description and Person Specification for more information about the role and responsibilities.
Person Specification
Knowledge
This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as the CRB) to check for any previous criminal convictions.
Important: Please be aware there are residency requirements you need to meet:
All NHS England Cyber Security personnel must hold Security Check (SC) clearance as a minimum. To meet National Security Vetting requirements, SC clearance requires five years' continuous UK residency. In certain cases, this can be reduced to three years' continuous UK residency, with additional overseas checks for the previous two years. Candidates who were posted abroad for service with HM Government, the Armed Forces or within a UK government role will still be considered.
Failure to achieve the requirements for SC clearance after an offer will result in the job offer being withdrawn.
£103,355.20 to £119,091.70 per annum (this includes a recruitment and retention premium (RRP) payment of 30%).