We are seeking a highly accomplished Director of Information Security GRC to join a senior leadership team. This is a crucial role responsible for governing and institutionalising cybersecurity risk, regulatory compliance, and control frameworks across the Group's global operations.
You will lead the design and continuous enhancement of enterprise-wide GRC programmes, enabling robust, risk-informed decision-making and ensuring adherence to global and regional standards. If you are adept at partnering with C-level stakeholders across Legal, Internal Audit, HR, and Technology to operationalise trust, this is your next challenge.
Key Responsibilities: The Pillars of Trust
GRC Strategy & Operating Model: Design and execute the Information Security GRC strategy, defining the operating model and KPIs to ensure scalable, effective governance practices.
Risk Management: Own the Information Security Risk Management Framework (ISRMF), including risk identification, quantification (e.g., FAIR), assessment, and integration into project and third-party governance.
Policy & Compliance: Develop and maintain security policies aligned with frameworks such as ISO 27001, NIST CSF, and COBIT. Ensure compliance with all applicable regulations, including global data protection laws, sector-specific standards such as PCI DSS, and regional requirements.
Audit Readiness: Lead internal/external audits, manage global security certification efforts, and collaborate with Internal Audit and Legal to ensure efficient issue closure.
Third-Party Risk (TPCRM): Own the end-to-end Third-Party Cybersecurity Risk Management programme, defining due diligence, contract clauses, and periodic reassessments.
GRC Technology: Oversee the GRC platform, driving integration with ITSM and other systems to automate workflows and enhance reporting.
Your Experience & Credentials:
12+ years of progressive experience in cybersecurity or technology risk, with 5+ years in a senior GRC leadership role within a global enterprise.
Strong track record managing multi-audit environments and engaging C-level stakeholders across complex compliance matters.
Deep understanding of global and regional data protection laws and enterprise risk management principles.
Relevant certifications are strongly preferred: CISM, CRISC, CGEIT, CISSP, ISO 27001 Lead Auditor, or equivalent.
Bachelor's or Master's degree in Cybersecurity, Information Assurance, Law, Risk Management, or a related field.
This is a key leadership appointment, requiring a strategic, pragmatic, and highly organised professional dedicated to embedding security accountability at the highest level.
MNCJobsGulf.com will not be responsible for any payment made to a third party. All Terms of Use are applicable.