Cyber risk consultant

Stirling
M&G
Risk consultant
Posted: 19h ago
Offer description

At M&G our purpose is to give everyone real confidence to put their money to work. As an international savings and investments business with roots stretching back more than 170 years, we offer a range of financial products and services through Asset Management, Life and Wealth. All three operating segments work together to deliver attractive financial outcomes for our clients, and superior shareholder returns.

Through our behaviours of telling it like it is, owning it now, and moving it forward together with care and integrity, we are creating an exceptional place to work for exceptional talent.

We will consider flexible working arrangements for any of our roles and also offer workplace accommodations to ensure you have what you need to effectively deliver in your role.

Overall Job Purpose

1. The M&G plc Risk & Compliance function, within the second line of defence, is responsible for effectively advising and challenging key stakeholders, challenging risks effectively and proactively, and adding value through providing enhanced business insights to ensure that risk is managed in line with the expectations of clients, shareholders and regulators, and to support the delivery of customers’ long term needs.
2. The Cyber Risk Oversight VP reports to the Head of Technology Risk and Support Functions Oversight, M&G plc, and to the Director of Risk and Compliance, M&G Global.
3. This role is primarily responsible for providing oversight of cyber security risk across M&G plc, including delivering a second line evaluation of the strength of first line security measures and controls.
4. The role manages the planning and delivery of Red Team Cyber testing activities by qualified third parties, and provides effective end to end stakeholder engagement in relation to the findings made during these tests.
5. The role is also responsible for developing and operating a second line model for delivering oversight of M&G’s cyber threat intelligence capability and techniques.
6. The role works in close partnership with stakeholders across the business in Technology, Security, Non-Financial Risk, external suppliers and with programme leads to ensure effective oversight of cyber risk across M&G plc.
7. The role leads on facilitating the risk appetite statements relating to cyber security risks.
8. The role also supports the delivery of wider Risk and Compliance projects, strategic and management activities, business development and digital initiatives.

Responsibilities

The key responsibilities of this role are to support the delivery of the Technology Risk team’s objectives to support the embedding of the technology risk framework across M&G plc in relation to cyber security risk, and to provide consolidated risk analysis and information for Senior Management as required. The role is required to:

9. Manage the planning, engagement and delivery of Red Team Cyber testing activities with appropriately qualified third party cyber specialists.
10. Oversee and guide cyber security risk mitigation programmes, projects and control improvement initiatives, including the use of AI in enhancing cyber security.
11. Assess first line processes and technical analysis of cyber security events and root cause, as well as remedial solutions, and provide a second line view on their effectiveness.
12. Provide advice and guidance on compliance with regulatory requirements that relate to cyber risk and contribute to regulatory enquiries.
13. Assess the effectiveness of processes and internal controls implemented by the first line, including the Security Operations Centre (SOC) and infrastructure functions, through a programme of sampling to evaluate their quality and associated documentation, and provide feedback for action.
14. Work closely with existing IT, security and business functions as well as collaborating with third parties and business partners, both to receive input and to provide practical and actionable intelligence.
15. Nurture strong working relationships with stakeholders at functional levels.
16. Manage the risk appetite statements for technology and digital risks in relation to cyber and provide reporting of performance against these statements using sampling methods.
17. Develop and maintain high level Cyber Risk policy, embedding relevant Group, regulatory and industry good practice requirements.
18. Participate in cyber incident response planning, testing, and execution when required.
19. Participate in the annual programme of deep dive and thematic reviews, leading reviews where these relate to cyber across all business areas and outsourced service providers as may be required.
20. Oversee the identification, assessment, processing, analysis, and reporting of tactical and strategic threat intelligence to assist in decision making and actively thwart emergent and current threats targeting our organisation.
21. Contribute to the continuous improvement of the Technology Risk function.
22. Identify and lead digital initiatives that deliver efficiencies and improved ways of working commensurate with best practices of a FTSE 100 digitally enabled business.
23. Ensure compliance with the people policies, Group Code of Conduct and embedding of desired behaviours, including completion of any mandatory training requirements.
24. Be personally accountable for supporting the identification, assessment, management and reporting of risks within your area of responsibility, including supporting formal risk management activities, e.g. Risk & Control Self Assessments and timely closure of Assurance actions.
25. Work flexibly in support of the wider Risk and Compliance agenda.
26. Line management of a Risk professional in the Technology Risk team.

Key Interfaces

Internal:

27. M&G plc Risk and Compliance
28. All M&G plc UK Business Areas and Senior Management Teams
29. Internal Audit

External:

30. M&G plc Risk and Compliance
31. All M&G plc UK Business Areas and Senior Management Teams
32. Internal Audit

Experience and Skills

33. 12+ years of relevant experience in a Risk/Audit function/Big4 within a financial institution, directly delivering cyber security and cyber threat intelligence activities.
34. Significant knowledge of Cybersecurity organization practices, risk management principles, architectural requirements, engineering threats and vulnerabilities, including incident response methodologies.
35. Excellent stakeholder management skills, with the ability to successfully navigate a complex organisation as well as build strong relationships and work collaboratively with teams across the business.
36. Knowledge of insurance / investment products, markets and competitors.
37. Experience within financial services companies or consulting/technology companies supporting financial services clients in cyber security and Technology risk (2LOD) functions.
38. Experience in developing and embedding Cyber risk policies, setting Cyber risk appetite and embedding processes to assess performance against the same.
39. Experience in managing a team of cyber/security specialists.
40. Experience in leading reviews, where these relate to Cyber risk and understanding the lessons learnt.
41. Delivery of gap analysis against Cyber Security policy, standards and technology risk requirements.
42. Experience in developing, operating and maintaining a Cyber threat intelligence framework.
43. Strong understanding of cyber security products and technologies utilized in Enterprise environments.
44. Strong understanding of Cloud computing platforms, primarily Amazon AWS and Microsoft Azure.
45. Experience as part of a security operations or incident response organization would be beneficial.
46. Experience in investigating fraud and eCrime.
47. Keen understanding of national and international laws, regulations, policies and ethics related to financial industry cybersecurity.
48. Understanding of threat modelling techniques with some experience in developing threat models.
49. Significant experience of reporting and presenting cyber risks and controls information with the wider business, regulatory and industry context, in a simple and effective way.
50. Experience of authoring papers for Risk Committees and senior management teams.
51. Knowledge of industry best practice and good network / links with individuals and external bodies.
52. Curious and continually looking to seek out improvements and not just accepting the status quo.
53. Ability to work collaboratively across immediate team and broader technology function whilst also being able to work independently under own initiative.
54. Strong drive and delivery, committed to achieving results and delivering on time.
55. Strong analytical thinking and a critical evaluator of information/issues.
56. Strong work ethic with the highest levels of professionalism, commitment and integrity.
57. Gravitas and ability to be pragmatic where appropriate.
58. Ability to operate remotely, in a diverse and multi-cultural environment with international work or consultancy exposure.

Education and Professional Qualifications

59. Graduate/Post-Graduate degree in Engineering, Information Technology or Computer Science
60. Relevant Certification in Cyber Security and cloud such as CISSP, CISA, CISM

Experience Level: Manager/Expert

Recruiter: Helen Simons

We have a diverse workforce and an inclusive culture at M&G plc, underpinned by our policies and our employee-led networks who provide networking opportunities, advice and support for the diverse communities our colleagues represent. Regardless of gender, ethnicity, age, sexual orientation, nationality, disability or long term condition, we are looking to attract, promote and retain exceptional people. We also welcome those who take part in military service and those returning from career breaks.

M&G is also proud to be a, and we welcome applications from candidates with long-term health conditions, disabilities, or neuro-divergent conditions. Being a Disability Confident Leader means that candidates who meet the minimum criteria of a job, will be offered an interview if they 'opt in' to the scheme when applying.

If you need assistance or an alternative means of applying for a role due to a disability or additional need, please let us know by contacting us at:
