
GRC Policy and Governance Lead

JD Sports Fashion

Bury

On-site

GBP 40,000 - 80,000

Full time

30+ days ago


Job summary

An established industry player seeks a dynamic IT & Cyber Governance and Policy Lead to enhance its security posture globally. This role focuses on developing and implementing robust governance frameworks and policies that align with the organization's strategic goals. The ideal candidate will have a strong background in cybersecurity, excellent communication skills, and the ability to foster collaboration across departments. Join a forward-thinking company that values its employees and offers fantastic benefits, including staff discounts and personal development opportunities. This is your chance to make a significant impact in a complex, evolving environment.

Benefits

Staff discount on JD Group brands
Personal development opportunities
Flexible working hours
Health and wellness programs

Qualifications

  • 5+ years in IT and cyber governance frameworks and policy development.
  • Certifications like CISSP, CISM, or CRISC are preferred.
  • In-depth understanding of cybersecurity frameworks and risk management.

Responsibilities

  • Develop and maintain IT and cyber governance frameworks and policies.
  • Communicate policy requirements with internal stakeholders and vendors.
  • Analyze incidents to improve policy adherence and risk management.

Skills

Analytical Skills
Problem-Solving Skills
Communication Skills
Leadership Skills
Mentoring Skills

Education

Bachelor’s degree in Cybersecurity
Bachelor’s degree in Information Technology
Bachelor’s degree in Compliance

Tools

NIST
ISO 27001
AWS
Azure
GCP
SQL
Oracle
MongoDB
SIEM
IDS/IPS

Job description

JD Sports - Head Office, Warwick House, Bury, Bury, United Kingdom, Req #306

24 March 2025

Established in 1981 with a single store in the Northwest of England, the JD Group is a leading omni-channel retailer of Sports Fashion, Outdoors and Gyms with our colleagues working in stores across several retail fascias in many markets around the world.

JD Sports Fashion Plc was listed on the London Stock Exchange in 1996 and has been a FTSE100 publicly quoted company since 2019 and continues to grow in the UK and internationally.

We want to be the leading global omnichannel retailer in the sports and outdoor industry. To be part of this successful company and help us achieve this, you will have the desire to embed our strategic goals of being a people-led, innovative and customer-focused organisation that provides operational excellence while identifying new areas of growth as part of our day-to-day objectives.

Job Description for IT & Cyber Policy and Governance Lead

Business Area: Information Security

Job Title: IT & Cyber Governance and Policy Lead

Scope and Coverage: Global

Outline Purpose of Role

This role will:

  • Implement, develop and own IT and cyber governance processes and forums in alignment with the IT and information security operations and risk framework.
  • Maintain and improve the IT and information security policy framework, including the suite of policies and standards and associated processes.
  • Help drive a robust security posture for a large, complex organisation trading globally within a constantly evolving IT and information security threat environment.

Impact of Role

  • Implement a governance framework to enable enforcement and management of IT and cyber policies across all JD entities.
  • Help drive good security hygiene and the use of appropriate controls into the business culture of JD Sports.

Reports to

This role resides in the Information Security Function and reports to the Global Head of Governance, Risk and Compliance.

Direct Reports

Individual contributor with possible management of a GRC Analyst and periodic oversight of seconded resources, contingent workers and systems integrators.

Key Elements of the Role

The job holder will be responsible for developing, implementing and maintaining IT and cyber governance frameworks, policies and standards to enable the policy framework to be deployed and enforced across the technology organisation of the business. In this role, the job holder will be responsible for the following activities:

IT and Cyber Policy Framework:
  • Develop a clear understanding of the organisation, its various entities (business units, subsidiaries, partners, and interdependent entities) to assess existing and applicable policy requirements.
  • Maintain and develop the IT and cyber policy framework to drive continuous improvement and its usability and application.
  • Establish a robust governance structure to manage and facilitate IT and cyber policy and risk management. This includes clearly defined roles, responsibilities, processes and relevant artefacts.
  • Lead on alignment of governance for IT and cyber controls in line with JD Sports Policies, Standards, and security strategy.
  • Define IT and information security policies, standards and guidelines in line with applicable and recognised best-practice requirements.
  • Harmonise with any differing compliance and controls requirements to establish a company-wide consistent set of policies and standards used across all entities.
  • Implement and maintain a robust policy development lifecycle ensuring effective policy management and review in line with compliance and technological advancements and changes.
  • Analyse incidents and events to identify omissions and opportunities for improvement in accordance with the organisation's risk exposure and appetite.
  • Identify, analyse and report on key policy metrics such as policy exceptions and breaches, and identify the relevant risks arising from policy exceptions.
  • Prepare governance and policy reports for senior leadership highlighting adherence status, risks and mitigation strategies.
  • Identify opportunities to use automation and tool sets for policy enforcement and management.

Stakeholder Engagement and Advisory:
  • Communicate with internal stakeholders (technical and non-technical) and suppliers to discuss policy requirements and implementation.
  • Collaborate with third-party vendors and partners to enforce consistent policy adherence within the supply chain and vendor ecosystem.
  • Develop the policy compliance regime in conjunction with GRC compliance and in accordance with the three lines of defence model.
  • Work closely with HR, procurement, legal, and other departments to ensure that controls are integrated into key business processes.
  • Clearly articulate policy non-compliance issues including their associated risks and provide actionable recommendations for mitigation as part of the risk management processes.
  • Provide guidance and training to teams across the organization on IT and cyber policies and best practices.
  • Establish strong working relationships with internal and external stakeholders to ensure the policies are adhered to and effective as designed.
  • Act as SME for all levels of stakeholders across the organisation on IT and cyber governance, policies and advising adherence strategies.

Key Attributes of the Jobholder

Experience and Qualifications

  • Bachelor’s degree in Cybersecurity, Information Technology, Compliance or a related field.
  • 5+ years of experience in IT and cyber governance frameworks, policy development, cyber assurance, compliance or a related discipline.
  • Certifications such as CISSP, CISM, CRISC, or equivalent are strongly preferred.
  • In-depth understanding of cybersecurity frameworks (e.g., NIST, ISO 27001) and risk management methodologies.
  • Experience with controls development and management tools, and familiarity with security controls, threat modelling, and vulnerability management.
  • Experience of third-party risk management.
  • Knowledge of regulatory requirements and compliance frameworks (e.g., GDPR, ITGC, PCI-DSS) related to IT, cybersecurity and risk management.
  • Awareness of various operating systems including but not limited to Windows, Linux, Unix.
  • Awareness of database technologies (SQL, Oracle, DB2, Mongo) and the associated controls used to protect them.
  • Experience with cloud environments (AWS, Azure, GCP) and understanding of cloud security risks.
  • Awareness of Agile environments and practices.
  • Familiarity with advanced cybersecurity technologies such as SIEM, IDS/IPS, and endpoint detection solutions.

Key Skills

The job holder is expected to possess the following skill set:

  • Ability to extract clarity from fast-paced, evolving scenarios by helping to resolve the inevitable ambiguity that arises within a large, complex and interdependent organisation.
  • Strong analytical and problem-solving skills, with the ability to make informed risk-based decisions.
  • Excellent communication skills, both written and verbal, to effectively present risks to senior leadership and non-technical audiences.
  • A proven ability to work collaboratively and constructively with other managers to ensure clarity of purpose, effective communication, and mutual understanding of policy frameworks and how to apply them.
  • Strong mentoring and organisational skills with experience of leading and working collaboratively within multi-disciplined teams.
  • Competent, engaging communication skills and an ability to articulate goals, achievements, risks, expectations, and needs to individuals and teams at all organisational levels.
  • An ability to manage and inspire diversely located team members (internal and external) to focus on common goals and timelines.

We know our colleagues work tirelessly to make JD Sports the success it is today and, in turn, we offer them some amazing benefits, including staff discount on JD Group and other brands within the organisation and personal development opportunities to learn and develop at work.

