Head of Cyber Assurance

  • Information Security Solutions
  • 01/06/2026
Full time | Information Technology | Telecommunications | Testing | Cyber Security

Job Description

Title: Head of Cyber Assurance

Reference No: 2156

Company: FTSE100

Location: London - 3 days in the office (Tuesday - Thursday), plus attendance on the other 2 days if required for specific meetings

Working pattern: This hybrid role is a 37.5-hour week, Monday - Friday

Reports to: Group CISO

Salary: £130,000 - £150,000

The Role

Group Cyber Security Overview

The Group Cyber Security (GCS) team is responsible for managing cyber risk appropriately across the Group. The cyber strategy has been refreshed, with a renewed focus on embedding cyber security as part of the culture and DNA. The Group is a highly federated business model spanning 10 divisions, 90+ businesses and over 50 countries, and the cyber strategy has been designed to build materially improved security capabilities while working with and through that model.

It is an exciting time to join GCS - we are in a period of significant investment and transformation. GCS is establishing the Group cyber standard, measuring compliance against it across all the businesses, and standing up new capabilities at pace. This permanent role will play a pivotal part in shaping that programme and, as it matures, in owning and continuously improving the assurance, risk, and governance functions at the heart of the Group's security posture.

Role Summary

Reporting to the Group CISO, the Head of Cyber Assurance leads the second line of defence for cyber security - providing independent, risk based oversight across governance, risk management, regulatory compliance, and assurance. The role is the functional owner of everything GRC touches: from information security policy and non technical standards, through enterprise cyber risk management and third party security, to continuous controls assessment, audit management, and regulatory reporting.

This role oversees continuous controls monitoring, leveraging tooling to provide real time visibility of control coverage and effectiveness, and translates that data into meaningful management information for informed governance decisions. The role holder governs risk acceptance and exceptions, manages regulatory obligations under GDPR, NIS2, and DORA, and acts as the primary liaison with legal teams and regulators.

Beyond formal governance, this role drives cyber communications, culture, and awareness across the diverse workforce; leads the Group security hygiene and resilience programme; produces Board, ExCo, and Information Security Committee reporting packs; and coordinates crisis exercising and playbook execution to ensure the organisation is ready to respond to major cyber incidents.

Strategic Leadership & Stakeholder Engagement
  • Lead and develop the Group Cyber Assurance function, establishing a high performing second line of defence and embedding risk based decision making as a natural habit across the organisation.
  • Act as a trusted adviser to the Group CISO and senior stakeholders on all GRC matters; work in partnership with the GCS Leadership Team across all verticals and represent the Group in external forums and regulatory engagements.
  • Collaborate with divisional GRC functions, BISOs, legal, finance, and operational teams to ensure integrated and proportionate risk management; build and sustain trusted relationships with senior stakeholders across a large, federated Group.
Information Security Policy, Standards & Governance
  • Own and maintain the Group information security policy framework and all non technical standards; ensure they are current, enforceable, written in plain language, and visibly aligned to external regulation and the Group's risk appetite.
  • Govern the risk acceptance and exception process end to end: ensure all policy deviations are formally assessed, justified, approved at the appropriate level, time bounded, and subject to periodic review.
  • Plan, chair, and facilitate the Group Security Working Group (SWG) and wider governance forums; produce regular, concise reporting for senior leadership, the ISC, and audit committees.
Cyber Risk Management & Risk Exceptions Governance
  • Develop and operate enterprise wide cyber risk management processes; maintain the Group cyber risk register and ensure risks are accurately captured, assessed, owned, mitigated, and escalated appropriately across all 11 divisions.
  • Lead risk quantification initiatives; implement methodologies and develop metrics that communicate risk reduction in business terms, enabling the CISO and ExCo to make well informed investment and prioritisation decisions.
  • Conduct horizon scanning for emerging regulatory requirements and threat driven risk changes; ensure the Group risk posture is proactively managed rather than reactively patched.
Third Party & Supply Chain Security Assessment & Management
  • Define and deliver the Group third party cyber security strategy; drive a step change in third party risk capability through the Third Party Management workstream of the cyber transformation programme.
  • Manage third party cyber risk at point of contract and through ongoing assurance; build a proportionate, risk tiered assessment framework and deliver a measurable reduction in supply chain cyber risk exposure across the Group.
Continuous Controls Assessment & Control Effectiveness MI
  • Lead the Group continuous controls monitoring programme, leveraging Axonius and complementary tooling to provide real time, evidence based visibility of control coverage, gaps, and drift across the estate.
  • Design and produce control effectiveness MI that is meaningful to different audiences - from technical teams needing remediation data to ExCo and Board needing a clear view of overall security posture.
Cyber Assurance Programme & Audit Finding Management
  • Define and deliver the end to end Group cyber assurance programme, encompassing internal reviews, thematic assessments, divisional control testing, and first line challenge - providing the CISO with independent confidence in the state of security controls.
  • Own the management of audit findings across internal audit, external audit, and regulatory reviews; drive timely remediation, track progress rigorously, and ensure sustainable rather than cosmetic closure of issues.
Cyber Communications, Culture & Awareness
  • Drive cyber awareness and behavioural change agenda; develop and deliver engaging, targeted programmes that embed a strong security culture across a diverse, geographically dispersed, and federated workforce.
  • Lead Group cyber communications, ensuring messaging is clear, consistent, aligned to risk priorities, and pitched appropriately for each audience from shopfloor to Board; influence organisational culture to embed risk based thinking at every level.
Regulatory Reporting (GDPR / NIS2 / DORA) & Legal Liaison
  • Lead regulatory compliance reporting across applicable regimes, including GDPR, NIS2, and DORA; act as the primary cyber security liaison to legal teams and regulators, ensuring responses are consistent, accurate, defensible, and filed within required timeframes.
  • Monitor the evolving regulatory landscape across the global operating jurisdictions; proactively advise the CISO and business on incoming obligations and ensure compliance posture is maintained ahead of regulatory change.
Security Hygiene & Resilience Programme
  • Lead the Group security hygiene and operational resilience programme, strengthening the ability to prevent cyber incidents, detect threats early, and recover effectively - with clear metrics, targets, and accountability for improvement.
  • Define and track hygiene KPIs - including patching currency, MFA adoption rates, vulnerability remediation SLAs, and phishing resilience scores - and report progress against targets to senior leadership and divisional stakeholders.
Board / ExCo / ISC Reporting Pack Production
  • Produce clear, authoritative, and insightful reporting packs for the Board, Executive Committee, and Information Security Committee; deliver a joined up view of cyber risk, control effectiveness, assurance outcomes, and regulatory standing that enables confident governance decisions.
  • Respond to ad hoc reporting requests from divisions, business units, and senior management; translate complex technical risk and assurance matters into accessible, decision ready business language.
Crisis Exercising & Playbook Execution
  • Coordinate Group cyber crisis exercising, including tabletop scenarios, cross divisional simulations, and Executive level war gaming; ensure the Group is genuinely prepared - not just theoretically compliant - to respond to major cyber incidents.
  • Own the cyber incident response playbook framework; ensure playbooks are maintained, tested, regularly updated to reflect the threat landscape, and actionable by the right people at pace when an incident occurs.
Experience, Knowledge, Skills & Attributes

Essential Experience
  • 10+ years in cyber security, information security, or technology risk, with demonstrable progression into senior leadership roles.
  • Proven track record designing and operating a cyber GRC / second line of defence function within a large, complex, or highly regulated organisation.
  • Demonstrable experience of enterprise cyber risk management, including quantification methodologies, risk register ownership, and reporting to Board and ExCo.
  • Experience managing regulatory compliance obligations including GDPR and NIS2; working familiarity with DORA or equivalent financial or operational resilience frameworks.