Head of Cyber Assurance
Listed on 2026-06-01
IT/Tech
Cybersecurity, Information Security, Data Security
Title: Head of Cyber Assurance
Reference No: 2156
Company: FTSE 100
Location: London – 3 days in the office (Tuesday - Thursday) plus if required for specific meetings on other 2 days
Working pattern: This hybrid role is 37.5 hour week Monday – Friday
Reports to: Group CISO
Salary: £130,000 - £150,000
The Role

Group Cyber Security Overview

The Group Cyber Security (GCS) team is responsible for managing cyber risk appropriately across the Group. The cyber strategy has been refreshed, with a renewed focus on embedding cyber security as part of the culture and DNA. The Group is a highly federated business model spanning 10 divisions, 90+ businesses and over 50 countries, and the cyber strategy has been designed to build materially improved security capabilities while working with and through that model.

It is an exciting time to join GCS: we are in a period of significant investment and transformation. GCS is establishing the Group cyber standard, measuring compliance against it across all the businesses, and standing up new capabilities. This permanent role will play a pivotal part in shaping that programme and, as it matures, in owning and continuously improving the assurance, risk, and governance functions at the heart of the Group's security posture.

Role Summary
Reporting to the Group CISO, the Head of Cyber Assurance leads the second line of defence for cyber security – providing independent, risk‑based oversight across governance, risk management, regulatory compliance, and assurance. The role is the functional owner of everything GRC touches: from information security policy and non‑technical standards, through enterprise cyber risk management and third‑party security, to continuous controls assessment, audit management, and regulatory reporting.
This role oversees continuous controls monitoring, leveraging tooling to provide real-time visibility of control coverage and effectiveness, and translates that data into meaningful management information for informed governance decisions. The role holder governs risk acceptance and exceptions, manages regulatory obligations under GDPR, NIS2, and DORA, and acts as the primary liaison with legal teams and regulators.
Beyond formal governance, this role drives cyber communications, culture, and awareness across the diverse workforce; leads the Group security hygiene and resilience programme; produces Board, ExCo, and Information Security Committee reporting packs; and coordinates crisis exercising and playbook execution to ensure the organisation is ready to respond to major cyber incidents.
Strategic Leadership & Stakeholder Engagement

- Lead and develop the Group Cyber Assurance function, establishing a high-performing second line of defence and embedding risk-based decision-making as a natural habit across the organisation.
- Act as a trusted adviser to the Group CISO and senior stakeholders on all GRC matters; work in partnership with the GCS Leadership Team across all verticals and represent the Group in external forums and regulatory engagements.
- Collaborate with divisional GRC functions, BISOs, legal, finance, and operational teams to ensure integrated and proportionate risk management; build and sustain trusted relationships with senior stakeholders across a large, federated Group.
- Own and maintain the Group information security policy framework and all non‑technical standards; ensure they are current, enforceable, written in plain language, and visibly aligned to external regulation and the Group’s risk appetite.
- Govern the risk acceptance and exception process end‑to‑end: ensure all policy deviations are formally assessed, justified, approved at the appropriate level, time‑bounded, and subject to periodic review.
- Plan, chair, and facilitate the Group Security Working Group (SWG) and wider governance forums; produce regular, concise reporting for senior leadership, the ISC, and audit committees.
- Develop and operate enterprise‑wide cyber risk management processes; maintain the Group cyber risk register and ensure risks are accurately captured, assessed, owned, mitigated, and…