Arriva is a leading European passenger transport partner, operating in 11 countries across the UK and Europe. The company employs around 35,000 people, delivering more than 1.5 billion passenger journeys connecting people and communities safely, reliably and sustainably.
We have strong roots dating back to 1938, an ambitious growth and sustainability agenda, and a continuously developing relationship with I Squared Capital – a global infrastructure investment fund manager – who acquired Arriva in 2024.
Direct Responsibilities
* Reviews current project assurance framework within Arriva UK, implementing improvements, and rolling out framework across all operating units, including training, monitoring, and mentoring.
* Maintains and improves Arriva’s non-functional requirements for new systems to ensure security by design (SbD) is embedded in our systems, in line with Arriva’s strategic direction and risk appetite.
* Ensures cyber and technology risk is managed in line with risk appetite so that products, solutions and platforms are designed, built, and deployed securely as well as being aligned to organisational goals, and that technical debt arising from insufficient security controls is adequately captured, working with the Head – InfoSec GRC & Awareness to track those risks in the information security risk register.
* Builds relationships and collaborates with senior leaders and professionals across Arriva to understand, communicate and encourage mitigations for technical security risks relating to the implementation of new solutions, ensuring that any remaining risk is signed off by the business.
* Stays updated on the latest security trends, threats, vulnerabilities, and technologies to proactively identify and address emerging risks as well as surfacing those risks during the improvement of Arriva’s technical standards.
* Collaborates within the Group Information Security team and wider Group Information Technology teams to agree project related InfoSec KPIs, set targets and implement monitoring across the organisation.
* Collaborates with internal and external partners to ensure that all software and hardware changes are secure by design, championing strong security architecture and identity management across the technology teams in the business, and proactively identifies and mitigates risks; this includes representing information security on the change advisory board and at stage gate reviews.
* Supports the business in understanding the necessity of penetration tests, analysing results, and ensuring vendors implement robust security improvements, working with the Head – InfoSec GRC & Awareness to include and track in the InfoSec risk register.
* Supports infrastructure and architecture teams in defining and delivering IT security services across physical and cloud infrastructures, ensuring compliance with Arriva cyber security standards, regulatory and organisational requirements.
* Contributes to merger and acquisition processes to understand risks related to current security architecture and posture, as well as supporting the onboarding of newly acquired entities/franchises/concessions or any offboarding of legal entities.
* Drives the implementation and auditing of IAM frameworks, including MFA, PIM, and Conditional Access, to enforce a zero-trust security model.
* Supports the wider Arriva group information technology team in creating a holistic Identity and Access Management strategy, supporting the implementation of Information Security related elements to ensure IAM maturity improvements across Arriva’s key systems across the group.
Knowledge, Skills & Experience
* Demonstrable experience in designing and implementing security architecture solutions, managing risk and monitoring compliance in a complex organisation.
* Evidencable knowledge and experience of project delivery and secure software development lifecycles, particularly implementing security by design.
* Demonstrable experience in researching and communicating how emerging technologies can present opportunity, risks, and challenges within Information Security and the broader technology teams.
* Knowledge of all areas of IT security, including: cyber security for digital technologies, identity and access management, authentication and single sign-on, authorisation, logging and monitoring, audit, secure communications and cryptographic services, network and endpoint protection, hosting and cloud, vulnerability management, platform security and systems development lifecycle.
* Experience with cloud platforms (Azure, AWS), DevSecOps, and infrastructure as code.
* Provides clear vision and direction, inspiring and engaging individuals and the wider team to deliver excellence.
* Written and verbal communication and presentation skills. Influencing and negotiating skills. Possesses a proactive and solution-focused attitude, being capable of analysing business problems and delivering real solutions.
* Practitioner qualifications such as CISSP, CEH, OSCP, GCIH are beneficial but not required.
Success Criteria & Indicators
* Security non-functional requirements (NFRs) are consistently embedded across all new systems and platforms, with documented assurance reviews and risk sign-offs prior to go-live.
* Group-wide implementation of an enhanced project assurance framework, including training delivery, adoption metrics, and measurable improvements in secure solution design.
* Delivery of a strategic IAM governance framework, with demonstrable improvements in identity lifecycle management, RBAC, PAM, and zero-trust enforcement across key systems.
* Identification, documentation, and tracking of security-related technical debt and risks, with clear escalation to risk registers and evidence of remediation or accepted risk sign-off.
* Active collaboration with architecture, infrastructure, and delivery teams, resulting in measurable improvements in secure architecture practices and reduced security exceptions at stage gates.
This job description sets out the main duties and responsibilities of the jobholder. It does not constitute an exhaustive or comprehensive description of duties, and the jobholder will be required to carry out any additional tasks as and when requested to do so by their manager. Responsibilities and duties may also change in light of future business needs and personal development.
The closing date for applications is Friday 31st October 2025. Arriva Group reserves the right to close this vacancy early.