
Director, information security - assurance

Cambridge
AVEVA
Director
Posted: 17h ago
The role

AVEVA is creating software trusted by over 90% of leading industrial companies.

Job Title: Director, Information Security - Assurance

Location: Cambridge | UK

Employment type: Full-time regular

Previous Experience: 10+ years in information security with at least 5 years in a senior role biased towards building audit/assurance capability, not just running it. Proven track record of building and leading assurance or audit teams in complex, international and multi-stakeholder environments. Experience designing and operating controls assurance programmes spanning IT, cloud, and product security domains, with direct exposure to external audit and certification processes (ISO 27001, SOC 2).

The job

The Director, Information Security - Assurance leads AVEVA’s Security Assurance function within the central Digital Security organization, a critical second-line leadership role in AVEVA’s federated security model. This role is accountable for independently testing whether AVEVA’s security controls are operating as designed, providing the objective evidence that underpins the risk assurances given to AVEVA leadership and Schneider Electric, and connecting assurance findings directly to the risk register and governance process.

AVEVA is a fast-growing software company operating in highly regulated markets and is an independent subsidiary of Schneider Electric. The Assurance function must be a scalable, continuously improving capability, evolving beyond point-in-time testing towards automated, data-driven assurance that provides real-time visibility into control effectiveness across the AVEVA estate.

We are building a highly integrated security practice, where all security disciplines share and act in coordination on risk signal. The successful candidate must combine deep technical assurance expertise with a collaborative mindset, working closely with the GRC function to close the loop between testing and governance, and with federated teams who own the controls being assessed. They will bring analytical rigour, a passion for automation, and the courage to surface findings clearly and honestly.

As a senior leader, and member of the functional SLT, the Director of Security – Assurance will routinely be called on to provide consultation to business leaders, and counsel to the CISO and peers. They are responsible for generating new theories, concepts, principles and methodologies and will contribute significantly to the development of policy for the Digital Security function. As a leader of leaders, this individual must establish a culture of performance excellence, ensuring the team reflect the demands and expectations of the business, our internal and external stakeholders, in accordance with AVEVA’s values.

Key Responsibilities

Operating as the central second-line assurance function, the Director provides independent testing and validation of controls across all federated teams. Assurance findings feed directly into the GRC risk register and governance process, and support the external audit and certification programme, ensuring AVEVA can evidence its security posture to customers, regulators, and Schneider Electric.

  • Design and lead a continuous controls assurance programme that independently tests whether security controls across all federated teams are operating effectively against policy objectives and centrally defined standards.
  • Drive automation to shift from periodic point-in-time reviews to ongoing, evidence-based control monitoring.
  • Commission and oversee in-depth technical assurance activities including penetration testing, configuration reviews, and control effectiveness assessments.
  • Provide objective, evidence-based findings across the AVEVA digital estate — covering IT, cloud, product, and R&D environments.
  • Own the security evidence library and lead coordination of external audit and certification processes (ISO 27001, SOC 2).
  • Leverage proactive assurance activity to build continuous audit readiness rather than reactive preparation, reusing assurance evidence to reduce duplication of effort.
  • Identify control weaknesses and coverage gaps across the AVEVA estate, including areas where controls are under-deployed, misconfigured, or ineffective against the threat landscape.
  • Drive remediation tracking through the GRC risk register and report progress to the CISO and leadership.
  • Provide high-quality, evidence-based assurance reporting to the CISO, AVEVA Executive Team, and Schneider Electric Group Security.
  • Translate technical findings into clear, actionable risk insight that directly informs governance decisions and the enterprise risk register.
  • Build and develop a high-performing Assurance team with a culture of rigour, intellectual curiosity, and continuous improvement.
  • Set clear objectives, invest in professional development, and act as a visible advocate for the Assurance function across AVEVA and Schneider Electric.
  • An assured and experienced leader of both direct reports and in-directs to drive strategic alignment and output, setting and maintaining high standards as a member of the Digital Security Senior Leadership Team.
  • Possesses a demonstrated ability to navigate ambiguity and make tough decisions—ranging from structural re-organizations and budgetary choices to talent optimization—while maintaining team morale, transparency, and a people-first culture in accordance with AVEVA’s values.

Skills and Experience

  • 10+ years in information security with at least 5 years in a senior role biased towards building audit/assurance capability, not just running it.
  • Deep expertise in control testing methodologies, assurance frameworks, and security audit practices across ISO 27001, SOC 2, NIST CSF, NIS2, and IEC 62443.
  • Strong technical breadth across IT security, cloud security and application security, sufficient to design and oversee effective control testing across a diverse and distributed estate.
  • Experience designing and operating controls assurance programmes in complex, multi-stakeholder environments, ideally spanning IT, cloud, and product security domains.
  • Proven track record of building and leading assurance or audit teams in complex, international and multi-stakeholder environments. Experience leading leaders is advantageous.
  • Experience owning or leading external audit and certification processes (ISO 27001, SOC 2, or equivalent) including evidence gathering, auditor management, and remediation tracking.
  • Reporting assurance findings and control weaknesses to executive leadership and parent company governance structures.
  • Driving automation in assurance testing and evidence gathering workflows to improve programme scalability.
  • Experience operating in regulated markets with direct exposure to compliance frameworks (ISO 27001, NIS2, IEC 62443, SOC 2).
  • Execution bias; demonstrated ability to act tactically while innovating next generation solutions.
  • Rational empathy; demonstrated experience in aligning security imperatives with the goals and values of the organisation.
  • Natural collaborator; demonstrated experience delivering joined-up solutions across security disciplines and with federated partners.
  • Data literate, automation biased, operationally fluent.
  • Excellent assurance reporting skills; able to translate technical findings into clear, evidence-based risk narratives for executive, audit, and regulatory audiences.

Desired/Preferred

  • Industrial software, OT/ICS security, or technology companies serving critical infrastructure or highly regulated industries.
  • Working within a large enterprise group security governance structure as a subsidiary security leader.
  • Working with AI and machine learning applications in security assurance and automated control testing.
  • Professional certifications: CISSP, CISA, CISM, or ISO 27001 Lead Auditor.
  • Commercial acumen and working knowledge of cloud security, DevSecOps, and Agile delivery practices.
  • Experience in a federated, matrixed, or multi-subsidiary structure.

Competencies

  • Adaptable and resilient: Thrives in dynamic environments; maintains strategic focus through regulatory change and organisational evolution.
  • Practical and logical: Structured thinking with a bias toward pragmatic, implementable solutions.
  • Self-motivated and decisive: Comfortable making and owning decisions in ambiguous situations.
  • Collaborative and influential: Earns influence through credibility and expertise; builds trusted relationships across federated teams and leadership.
  • Transparent and courageous: Surfaces difficult assurance findings and brings problems to leadership without softening the message.
  • Curious and growth-oriented: Continuously learning about emerging threats, evolving control landscapes, and improvements in assurance automation and tooling.

Digital Security at AVEVA

    Our Digital Security organization is responsible for protecting AVEVA’s digital estate and products across a federated security model. We are building a highly integrated security practice where all security disciplines share and act in coordination on risk signal, enabling AVEVA to operate securely in highly regulated markets as an independent subsidiary of Schneider Electric.

    We pride ourselves on a collaborative, inclusive and authentic culture that provides a framework allowing for autonomy, whilst always being available for support and guidance. We respect the differences that each team member brings and seek to include those perspectives in our solutions for our business functions. The energy and sense of purpose are evident when talking to team members; you will feel part of something special from the first day you join.


    UK Benefits include:

    Flexible benefits fund, emergency leave days, adoption leave, 28 days annual leave (plus bank holidays), pension, life cover, private medical insurance, parental leave, education assistance program.


    It’s possible we’re hiring for this position in multiple countries, in which case the above benefits apply to the primary location. Specific benefits vary by country, but our packages are similarly comprehensive.


    Find out more: aveva.com/en/about/careers/benefits/


    Hybrid working

    We work in a hybrid way at AVEVA. Most roles are based at a local AVEVA office, with an expectation of being on-site 50% of your working hours to support collaboration and connection. Some positions are fully office-based depending on the nature of the work, and certain roles that support specific customers or markets may be remote. The working arrangement for this position will be confirmed during the hiring process.


    Hiring process

    Interested? Great! Get started by submitting your cover letter and CV through our application portal. AVEVA is committed to recruiting and retaining people with disabilities. Please let us know in advance if you need reasonable support during your application process.


    Find out more: aveva.com/en/about/careers/hiring-process


    About AVEVA

    AVEVA is a global leader in industrial software with more than 6,500 employees in over 40 countries. Our cutting-edge solutions are used by thousands of enterprises to deliver the essentials of life – such as energy, infrastructure, chemicals, and minerals – safely, efficiently, and more sustainably.


    We are committed to embedding sustainability and inclusion into our operations, our culture, and our core business strategy. Learn more about how we are progressing against our ambitious 2030 targets: sustainability-report.aveva.com/


    Find out more: aveva.com/en/about/careers/

