Cyber Strategy and Policy Team Lead

Trades Workforce Solutions

Nottingham

On-site

GBP 80,000 - 110,000

Full time

Job summary

A leading cyber security organisation in the United Kingdom is seeking a Strategy & Policy Team Lead to support the Deputy CISO. This role involves overseeing strategic initiatives, refining governance processes, and enhancing communication across the organisation. The ideal candidate will drive the development of security awareness and act as a key liaison in aligning cyber risk management, compliance efforts, and leadership engagement. Candidates must have experience in drafting and implementing cyber security policies and engaging a wide range of stakeholders.

Qualifications

  • Proven experience in drafting and implementing cyber security policies.
  • Strong understanding of cyber risk management and frameworks.
  • Experience in stakeholder engagement and building security awareness.

Responsibilities

  • Oversee strategic cyber security initiatives and governance.
  • Manage a team and ensure alignment across cyber security functions.
  • Drive development of security awareness and risk management.

Skills

Cyber risk management
Stakeholder engagement
Policy drafting
Data visualisation
Cyber security awareness

Education

Degree in Cyber Security or related field

Tools

Power BI
Excel
ServiceNow

Job description

Profile Title: Strategy & Policy Team Lead

Reports to: Deputy CISO

Job Family: TBC

Capability: TBC

Function/Division: Cyber Security

Grade:

JOB PURPOSE

The Strategy & Policy Team Lead plays a key role in supporting the Deputy CISO by overseeing strategic cyber security initiatives, refining governance processes, fostering cross-functional collaboration, and strengthening communication across the organisation. This role also drives the development of security awareness, education, and culture throughout the business.

Acting as a trusted advisor and liaison, the Team Lead helps align cyber risk management, compliance efforts, and leadership engagement. They contribute to shaping the broader cyber security strategy and enhancing CS&IA’s long-term capability and resource planning. Additionally, they promote risk awareness and translate strategic security objectives into actionable insights for senior leadership.

PRINCIPAL ACCOUNTABILITIES

  • Drive continuous improvement of cyber security processes, controls, and metrics to enhance resilience and reduce risk.
  • Support the Deputy CISO in shaping and delivering the cyber security strategy, including talent planning and resource coordination.
  • Coordinate governance boards and meetings, and prepare executive briefings, board papers, and stakeholder presentations.
  • Act as a key liaison with NDA, GICC, and other oversight bodies, managing cross-cutting issues and urgent priorities.
  • Develop and maintain cyber security policies, standards, and procedures, ensuring alignment with regulatory and organisational requirements.
  • Maintain the cyber risk register and ensure accurate reporting of key metrics, maturity indicators, and dashboards for leadership.
  • Lead internal cyber awareness campaigns and training initiatives to embed a strong security culture.
  • Enhance governance processes, documentation standards, and operational workflows.
  • Promote automation and innovation in compliance and assurance activities to improve efficiency and transparency.

AUTHORITIES & DIMENSIONS

  • Directly manages a team of three within the Cyber Security Strategy & Policy function.
  • Provides technical leadership across all CS&IA security domains, ensuring alignment with strategic objectives.
  • Influences up to 16,000 personnel through the development and implementation of cyber security policy, risk management, and assurance across both IT and OT environments.
  • Safeguards enterprise reputation by proactively managing and communicating cyber risks in collaboration with the CS&IA team, particularly in a landscape of increasing public, regulatory, and stakeholder scrutiny.

KNOWLEDGE, SKILLS & EXPERIENCE

Essential
  • Proven experience in drafting, reviewing, and implementing cyber security policies, procedures, and standards.
  • Degree or equivalent professional experience in cyber security, information assurance, risk management, or a related discipline.
  • Strong understanding of cyber risk management, including qualitative and quantitative risk assessments and maintenance of risk registers.
  • Demonstrated ability to develop and track cyber security metrics, including dashboards and reporting for senior executives and governance forums.
  • Familiarity with regulatory and legislative frameworks such as ONR SyAPs, CAF, NIS/NIS2, DPA, and GDPR.
  • Experienced in engaging a wide range of stakeholders, including technical teams, business units, and risk, audit, and compliance functions.
  • Proficient in data visualisation tools such as Power BI, Excel, and ServiceNow dashboards.
  • Experience supporting cyber security awareness and culture change initiatives, including campaigns, briefings, and training delivery.
Desirable
  • Experience in the nuclear, critical national infrastructure, or similarly regulated sectors.
  • Knowledge of information security frameworks and standards (e.g., ISO/IEC 27001, ISO 27005, NIST CSF, CAF, NIST SP 800-53, CIS Controls).
  • Familiarity with enterprise risk management frameworks and integration of cyber risk into broader business risk processes.
  • Understanding of assurance models (1st, 2nd, 3rd line) and their application in cyber security.
  • Experience with supplier assurance frameworks and third-party risk management tools.
  • Experience working within federated or group structures (e.g., NDA Group) to align assurance practices.
  • Awareness of digital transformation and its impact on cyber governance and risk.
  • Experience engaging with regulatory bodies such as the ONR or ICO.
JOB CONTEXT AND CHALLENGES

This is a newly established role within the organisation, created to lead the development and implementation of cyber security policies, standards, and governance frameworks. The role plays a critical part in shaping the future-state ("to-be") model of the cyber security function, helping to define its structure, capabilities, and strategic direction.

A key challenge lies in reviewing existing policies and standards, identifying gaps, and establishing a coherent and forward-looking framework that aligns with regulatory expectations and business needs. This includes building a strong reference model and ensuring consistency across IT and OT environments.

The role requires a deep understanding of cyber security across the organisation, particularly within ICT & Digital / ISO, to ensure CS&IA is effectively integrated and resourced to support delivery. It also involves working closely with stakeholders to identify policy gaps, drive improvements, and build the capability needed to mature the function.

Operating in a complex and evolving threat landscape, the role must balance strategic oversight with hands-on delivery, ensuring that cyber risk is well understood, communicated, and managed across the enterprise.

For information about how Sellafield Ltd manage personal information, please visit https://www.gov.uk/government/publications/sellafield-ltd-privacy-statement

Sellafield Ltd, Registered in England number 1002607