Information security & data governance lead (uk)

Principal Accountabilities

• Information Security
  • Develop, implement, and maintain information and cyber security policies, standards, and procedures
  • Ensure alignment with recognized frameworks (ISO 27001, NIST CSF, CIS Controls)
  • Conduct risk assessments across IT, cloud, and Operational Technology (OT) environments
  • Support incident response planning and continuous improvement of security controls
  • Embed secure-by-design principles into infrastructure and operational systems
• Data Governance
  • Establish and maintain an enterprise data governance framework
  • Define and enforce data classification, handling, retention, and protection standards
  • Ensure compliance with international data protection regulations including GDPR, UK Data Protection Act, and applicable US privacy laws
  • Promote data ownership, stewardship, and accountability across business units
  • Support data quality, integrity, and lifecycle management
• Compliance & Regulatory Oversight
  • Ensure compliance with applicable cybersecurity, data governance, and energy sector regulations
  • Lead and support internal and external audit activities, including evidence collection and remediation tracking
  • Maintain enterprise risk registers and compliance reporting
  • Continuously monitor global cyber and data regulatory changes
  • Assess impact of regulatory developments and update internal policies, standards, and procedures accordingly
  • Ensure compliance is maintained across all regions of operation
• Cybersecurity Awareness & Training
  • Design and deliver enterprise cybersecurity awareness programmes
  • Conduct phishing simulations and risk-based awareness campaigns
  • Tailor training for corporate and operational (OT) environments
  • Measure effectiveness and drive continuous improvement in user behaviour
• Governance & Advisory
  • Act as subject matter expert and advisor on security, governance, and compliance matters
  • Administer and support third-party/vendor risk management programme
  • Provide reporting and insights to leadership on security posture, regulatory changes, and risk exposure
  • Contribute to the continuous improvement of governance, risk, and compliance (GRC) capability
  • Member of change management board and contributor to change management process

Qualifications and Experience

• Required
  • Significant experience in information security, cybersecurity GRC, or IT governance roles
  • Proven experience implementing data governance frameworks
  • Strong understanding of international data protection and cybersecurity regulations
  • Experience working within regulated environments
  • Familiarity with ISO 27001, NIST, or equivalent frameworks
  • Experience supporting audit and compliance processes
• Desired
  • Experience in the energy, utilities, or critical infrastructure sector
  • Exposure to Operational Technology (OT) environments
  • Professional certifications (CISSP, CISM, CRISC, CISA, CDMP)
  • Experience with GRC tools (ServiceNow GRC, RSA Archer, MetricStream)

HSE Responsibilities

• Stop work by challenging and stopping unsafe acts and behaviours or unsafe conditions.
• Comply with Standard Operating Procedures defined in Responsibilities above, and company STOP WORK system.
• Ensure that cybersecurity considerations support safe and reliable operational environments, particularly within OT systems

Competencies

• Risk & Compliance Expertise: Strong understanding of regulatory and governance frameworks
• Analytical Thinking: Ability to assess and mitigate complex risks
• Stakeholder Engagement: Ability to influence across technical and business teams
• Communication: Clear communication of technical and regulatory requirements
• Autonomy: Operates independently with accountability for outcomes
• Continuous Improvement: Proactively adapts to changing regulatory and threat landscapes

Any Other Information

• This is a senior individual contributor role with no direct reports
• The role operates across multiple jurisdictions with varying regulatory requirements