What you will do:
As the Lead Cyber Risk Manager will be responsible for providing ongoing Risk oversight and assurance of the Bank’s Information & Cyber Security (Infosec) framework, risk position and working with third-party partners to validate and assure control improvement
1. Lead Risk input into the Cyber Risk Improvement Programme, providing updates to SteerCo, Board, and regulators. Offer informed perspectives on risk reduction strategy and oversee third-party co-source arrangements. While the 1LOD programme will drive delivery, take ownership of building and enhancing the 2LOD cyber risk oversight capability, including leveraging external partners.
2. Provide ongoing oversight and assurance of the Information Security (Infosec) and Cyber risk and control environment.
3. Deliver independent review and challenge across Infosec improvement programmes, including validation of risk position, prioritisation, target operating model, service design, and overall feasibility.
4. Ensure identified control gaps are effectively addressed within solution design, and assess the maturity, sustainability, and practicality of proposed controls.
5. Act as the key liaison between third-party assurance providers and internal stakeholders at Metro Bank.
6. Conduct robust review and challenge of policies, standards, metrics, risks, and controls to ensure effectiveness and alignment with regulatory expectations.
7. Ensure testing and assurance activities are completed to high standards and provide reliable outcomes.
8. Support senior risk reporting by contributing clear, accurate updates on the Bank’s Infosec and Cyber risk posture to executive committees.
9. Review and challenge the 1LOD approach to identifying and managing emerging risks.
10. Provide input and challenge on regulatory updates and notifications to ensure appropriate response and compliance.
11. Influence and challenge the design of Information Security controls across IT and the wider business to ensure they are efficient, effective, and aligned with the evolving threat landscape.
12. Promote transparency and accountability in Information Security decisions across all supported programmes and projects.
13. Build and maintain strong relationships with senior stakeholders across Information & Cyber Security, Audit, and Risk functions.
14. Any other duties as required that reasonably fall within the job.
And... we are a bank so risk is a part of everything we do. We love people who take responsibility, do the right thing for customers, colleagues and Metro Bank and have the ability to call out any concerns.
What you will need:
15. Extensive experience (7+ years) in Information Security, Cyber, Technology Risk, or 2nd Line Risk, operating at Manager, Lead, or Head level.
16. Demonstrated experience within a regulated UK financial services environment, with strong understanding of regulatory expectations and industry standards.
17. Proven track record of designing, implementing, or enhancing risk management and resilience frameworks.
18. Confident presenting to senior stakeholders, including Executive Committees and Board Risk Committees, with the ability to influence decision-making.
19. Relevant professional certifications are desirable ( CISSP, CISM, CISA, CRISC, ISO 27001), reflecting expertise across both Information Security and Risk disciplines.
20. Strong experience in risk assessment methodologies, including RCSAs, control testing, and scenario analysis.
21. Practical knowledge of secure design, build, and control frameworks aligned to recognised standards such as ISO 27001, PCI DSS, and NIST.
22. Solid understanding of the regulatory landscape impacting financial institutions and the ability to interpret and apply regulatory requirements effectively.
23. Good understanding of Information Security within the project lifecycle, combined with strong working knowledge of enterprise technology environments.
24. Demonstrated experience in conducting security risk assessments for projects and designing effective, proportionate security controls.
25. Strong communication skills, with the ability to translate complex technical and risk concepts into clear, actionable insights for non-technical stakeholders.
26. Ability to critically assess regulatory and cyber risks across systems and projects, considering the broader business and Information Security context.
27. Clear understanding of operational and enterprise risk, with accountability for managing the impact of risk decisions on the organisation and its stakeholders.
28. Understand the risks associated with your job and what that means for you, Metro Bank and all our stakeholders
Our promise to you…
• We will make sure that you are well-rewarded by providing you with a competitive salary, discretionary annual bonus, and a wide range of benefits, including generous holiday allowance, attractive pension scheme, healthcare, life assurance, and a number of colleague discounts!
• We will give you the training to ensure you succeed in your role and plenty of internal opportunities to progress your career (around 40% of our recruitment comes from internal promotions!