
Chief information security officer

Oxford
Grant Thornton
Posted: 19h ago
Offer description

Job Description

Chief Information Security Officer (CISO)

Location – London

NEW GROUND WON’T BREAK ITSELF.

Grant Thornton UK is a leading professional services firm providing audit, tax and advisory services. The firm is undergoing a significant technology-led transformation, including the enterprise deployment of generative AI, a product-centric IT operating model, and the modernisation of data platforms. This transformation, combined with the firm’s obligations to regulators, clients and professional standards bodies, makes security governance and risk management a critical discipline.

A look into the role

The CISO will be the firm’s senior IT security authority, reporting directly to the CIO. The role bridges strategic risk ownership and hands-on governance, ensuring security is embedded by design into platforms, products and processes. This is not a purely advisory role; the CISO will own the security framework, lead a team, and be a visible and influential voice at senior leadership level.

Key Responsibilities

Security Strategy and Governance

1. Develop and maintain the firm’s Information Security strategy, aligned to the IT strategy, CDO priorities and the firm’s broader digital transformation programme.
2. Own and operate the Information Security Management System (ISMS), ensuring compliance with ISO 27001 and other applicable standards.
3. Provide senior input to the risk committees on AI and information security, and represent security at the AI Governance Board.
4. Maintain and report on a cyber risk register, providing regular risk posture updates to the CIO, CDO and relevant governance forums.

AI and Digital Transformation Security

5. Lead security governance for the firm’s generative AI programme.
6. Assess and govern emerging risks from AI-generated outputs, including artefact hosting, client-facing microsites, and third-party MCP integrations.

Risk, Compliance and Regulatory Obligations

7. Ensure the firm’s security posture meets obligations to professional standards bodies (ICAEW, FRC), client contractual requirements, and applicable regulation.
8. Lead incident response governance, including classification, escalation, investigation and lessons-learned processes for cyber and information security incidents.
9. Oversee third-party and supplier security risk management, including due diligence on SaaS platforms (ESM, GRC, LMS, HR systems) and cloud infrastructure providers.
10. Support or lead engagement with cyber insurers, clients, external auditors and any regulatory enquiries related to information security.

Security Culture and Awareness

11. Drive a security-aware culture across the firm, developing and maintaining the training and awareness programme so it is engaging, practical and proportionate.
12. Champion a ‘secure by design’ mindset across IT, the digital team and the wider business, particularly as new products and platforms are introduced.

Leadership and Stakeholder Engagement

13. Lead, manage and develop the security function, including GRC, security engineering and awareness roles.
14. Act as the primary escalation point and senior authority for all security matters, providing clear and credible advice to the CIO, CDO and firm leadership.
15. Represent Grant Thornton UK in external forums, industry bodies and client conversations where security governance or assurance is relevant.
16. Build influence and effective working relationships with the CISO community across the Grant Thornton International network.

Knowing you’re right for us

We’ve set ambitious growth targets for the firm, and we need the right people to help us achieve these. We’re looking for people who will bring ambition and drive to their role. In changing markets, we need to be able to work at pace and be adaptable to change and to be curious, asking questions of ourselves, each other and our clients to ensure we are delivering the services and quality we expect.

Essential Experience

17. Proven experience as a CISO or senior information security leader in a professional services, financial services or similarly regulated environment.
18. Demonstrable track record of developing and operating an ISMS, managing a cyber risk register, and reporting to senior leadership and governance forums.
19. Hands-on experience governing AI platforms from a security and compliance perspective, including data governance, audit logging and acceptable use.
20. Experience owning DLP controls, incident response processes and third-party security risk management in a cloud-first environment.
21. Strong grasp of relevant compliance frameworks: ISO 27001, NIST CSF, UK GDPR, and professional services regulatory obligations.

Desirable Experience

22. Familiarity with generative AI platforms, LLM governance, and emerging risks from AI-generated content and tool integrations (MCP, API gateways).
23. Experience with CrowdStrike or equivalent EDR/SIEM platforms, including integration with compliance logging pipelines.
24. Exposure to Microsoft Fabric, Databricks or similar data platform environments.
25. Experience operating within a Big Four or Top Ten professional services firm, including understanding of client confidentiality obligations and engagement letter governance.

Qualifications

26. CISSP, CISM, or equivalent professional certification.
27. ISO 27001 Lead Implementer or Auditor (desirable).
28. Degree in Information Technology, Cybersecurity, Computer Science or a related discipline, or equivalent professional experience.


Knowing we’re right for you

The culture at Grant Thornton is what sets us apart, we’re known for our inclusive culture and creating environments where all our people can flourish. The things that set you apart, we value them, and this helps us all to perform at our best.

Our values are the unwavering principles that shape our daily behaviours and decisions, alongside our drive to do the right thing. We’re looking for people who align with our values and are purposefully driven, actively curious and candid but kind. You can learn more about our values in practice here.

It’s not just about our culture and values. In addition to a competitive salary and reward package, you’ll also get:

29. Tailored development programmes and access to coaching
30. Flexible bank holidays – allowing you to celebrate the days that are important to you
31. Benefits including pension, life assurance and private medical, additional holiday purchasing and health benefits
32. Any benefits giving you access to shopping discounts, gym memberships, financial advice

And more. Visit our benefits section to read more.

How we work

We have a trust-based way of working, driven by responsible people who have the best interests of our firm and our clients at heart. Our how we work framework gives flexibility in where, how, and when we work to deliver the best results for our clients, whilst helping you keep a balance between work and life. Life is more than work, the things you do, and the people you’re with outside of work matter, that’s why we’re happy to look at flexible working options for all our roles. That is how it should be.

We’re looking for people who can help drive the business forward, who want to contribute, spark fresh ideas and go beyond expectations. People who want to be able to proudly do what’s right, for the firm, our clients, our people and themselves. It’s how it should be.
