Cyber Security Manager

E.ON UK PLC

Metropolitan Borough of Solihull

Hybrid

GBP 70,000 - 90,000

Full time

Yesterday

Job summary

A leading energy provider is seeking a Cyber Security Manager located in England to lead IT security efforts across their commercial arm. This is an integral role responsible for developing a robust Information Security Management System (ISMS), engaging in risk management, and ensuring compliance with industry regulations. The ideal candidate will possess in-depth knowledge of the UK energy sector and relevant certifications such as CISSP and ISO 27001. Excellent stakeholder engagement skills are essential for advising the C-suite and leading multi-supplier security initiatives.

Benefits

26 days of annual leave plus bank holidays
Generous pension and life cover
Flexible family-friendly policies

Qualifications

  • Proven track record of managing audits and certifications in security.
  • Strong understanding of the UK energy sector's regulatory landscape.
  • Experience in operating within a complex multi-supplier environment.
  • Expertise in establishing an Information Security Management System.

Responsibilities

  • Own cyber security, IT risk and compliance for the business unit.
  • Lead threat and risk assessments, providing consolidated reports.
  • Develop and implement the ISMS in line with industry standards.
  • Champion a culture of security across all levels of the organization.

Skills

Cyber security governance
Risk management
IT audits
Stakeholder engagement
Secure architecture design
Hands-on technical expertise

Education

CISSP certification
ISO 27001 certification

Tools

ISO 27005
Cyber Assurance Framework

Job description

Cyber Security Manager

We're looking for a Cyber Security Manager to be the cornerstone of IT security for npower Business Solutions (nBS), the Industrial & Commercial arm of E.ON UK. Based in Nottingham or Solihull, this permanent role (with FTC options considered) sits at the heart of our transformation – establishing and operating a robust Information Security Management System (ISMS), embedding best practices across our evolving BusDevSecOps culture, and providing expert guidance on everything from secure architecture and fraud prevention to emerging governance frameworks. Operating within the E.ON Group's overarching cyber security framework, you'll navigate a complex multi‑supplier ecosystem and lead the security agenda as we transition from a traditional service model to a modern product and DevSecOps environment. This role blends deep governance expertise with hands‑on technical acumen, advising stakeholders at all levels, including the C‑suite.

What you'll be doing
  • Own cyber security, IT risk and controls for nBS – ensuring effective governance, risk management and audit readiness.
  • Lead threat and risk assessments to ISO 27005, producing consolidated risk reports, defining KRIs and managing remediation plans.
  • Develop, implement and mature the ISMS aligned to ISO 27001, Smart Energy Code (SEC) and emerging standards including ISO 42001 (AI Management) and the Cyber Assessment Framework (CAF) / CRA.
  • Promote heightened cyber risk awareness across nBS – running drop‑in sessions, roadshows and targeted C‑suite engagement.
  • Act as a trusted adviser on strategies, controls and architectural patterns to mitigate external threats, providing pragmatic guidance to product teams and leadership.
  • Drive compliance and certification across key regulations and standards: Smart Energy Code (SEC), Retail Energy Code (REC), PCI DSS, GDPR, Cyber Essentials and the Cyber Assurance Framework – including planning and supporting internal control testing and acting as primary liaison with internal/external auditors.
  • Be the security cornerstone in our product and DevSecOps transition – guiding secure architecture, secure coding practices, threat modelling and integrating controls throughout the SDLC.
  • Manage third‑party security posture across our multi‑supplier ecosystem – covering onboarding, contractual controls, auditing and ongoing reviews for SaaS, integration and infrastructure providers.
  • Own legislation and compliance engagement for PCI DSS, DPA/GDPR, SEC, REC, CRA/CAF and related UK initiatives (e.g. the Cyber Resilience Bill, the evolving UK Cyber Security Bill).
  • Scope and coordinate penetration tests – managing delivery with relevant teams and ensuring findings are triaged, tracked and resolved in line with nBS's risk appetite.
  • Champion a culture of security – delivering coaching and presentations from engineering squads to the C‑suite, ensuring security is a value add, not a blocker.
What we need from you
Essential
  • Proven track record of taking companies through audits and certifications – planning, readiness, engagement and successful outcome delivery (e.g., SEC/REC, Cyber Essentials, SOC 2 Type II, PCI DSS, ISO 27001).
  • A strong understanding of the UK energy sector's regulatory landscape, particularly Smart Energy Code (SEC) and Retail Energy Code (REC), with at least 5 years' experience in Smart.
  • Credibility and presence at senior level, with the confidence to engage and influence the C‑suite.
  • Experience operating in a complex, multi‑supplier environment – including onboarding, auditing and ongoing review of third‑party security posture.
  • Hands‑on ISMS expertise – establishing, operating and maturing an ISMS aligned to ISO 27001.
  • Strong technical acumen – secure architecture design, practical security guidance within DevSecOps or Agile settings, and integrating controls through the SDLC.
  • Significant experience in IT risk management – conducting assessments (e.g., ISO 27005), managing risks end to end and defining meaningful KRIs.
  • Demonstrated subject matter expertise in at least two of: ISO 27001, ISO 42001, Data Protection Act / GDPR, SOC 2 Type II.
  • Experience ensuring compliance with security policies, controls and procedures; comfortable with frameworks such as the Cyber Assurance Framework (CAF) and Cyber Essentials.
  • Familiarity with evolving UK initiatives and audits: Smart Energy Code, UK Cyber Security Bill, FUSA audits (or equivalent functional safety/security assessments), Cyber Resilience Bill.
Desirable
  • Certifications: CISSP (must have); CISM; ISO 27001 Lead Auditor or Lead Implementer.
  • Experience building ways of working in a DevSecOps environment (tooling, pipelines, IaC guardrails, policy as code).
  • Understanding of legal frameworks relevant to data protection, cyber resilience and operational compliance in energy markets.
What you need to know
  • Award‑Winning Workplace – We're proud to be named a Sunday Times Best Place to Work 2025 and the Best Place to Work for 16‑34‑year‑olds.
  • Outstanding Benefits – Enjoy 26 days of annual leave plus bank holidays, a generous pension, life cover, bonus opportunities and access to 20 flexible benefits with tax/NI savings.
  • Flexible & Family‑Friendly – Our industry‑leading hybrid and family‑friendly policies earned us double recognition at the Personnel Today Awards 2024. We're open to discussing how flexibility can work for you.
  • Inclusive & Diverse – We're the only energy company in the Inclusive Top 50 UK Employers. We're also proud winners of Best Employer for Women and Human Company of the Year recognising our inclusive, people‑first culture.
  • Support at Every Stage of Life – We're Fertility Friendly and Menopause Friendly accredited, with inclusive support for everyone.
  • Accessible & Supportive – As a Disability Confident Employer we guarantee interviews for disabled applicants who meet the minimum criteria for the role and will make any adjustments needed during the process.
  • Invested in Your Growth – From inclusive talent networks to top‑tier development programmes, we'll support your growth every step of the way.