Head of Information Security GRC

We are champions of rail, inspired to build a greener, more sustainable future of travel. Trainline enables millions of travellers to find and book the best value tickets across carriers, fares, and journey options through our highly rated mobile app, website, and B2B partner channels.

Now Europe’s number 1 downloaded rail app, with over 125 million monthly visits and £5.9 billion in annual ticket sales, we collaborate with 270+ rail and coach companies in over 40 countries. We want to create a world where travel is as simple, seamless, eco‑friendly and affordable as it should be.

Today, we're a FTSE 250 company driven by our incredible team of over 1,000 Trainliners from 50+ nationalities, based across London, Paris, Barcelona, Milan, Edinburgh and Madrid. With our focus on growth in the UK and Europe, now is the perfect time to join us on this high‑speed journey.

As Head of Governance, Risk & Compliance (GRC), you’ll play a pivotal role in shaping and leading this transformation of our security function. Reporting directly to our CISO, you’ll take ownership of how governance, risk, and compliance come together to protect, enable, and future‑prove the business. This is about building a cohesive GRC strategy that balances control with creativity, fits Trainline’s business context, and drives long‑term cultural change.

In this critical role, you will collaborate closely with cross‑functional teams including Legal, Engineering, and Procurement to embed risk management into daily operations and strategic initiatives. As a key member of the Security leadership team, your remit will extend beyond risk and compliance to include shaping the security and privacy strategy, enhancing supplier risk processes, and fostering a culture of security awareness across the company. Your leadership and strategic insight will be essential in navigating the evolving regulatory landscape and supporting Trainline’s growth ambitions with robust yet pragmatic risk management.

• Redesign and embed a pragmatic, risk‑first GRC framework that integrates governance, risk, and compliance across the business.
• Assess current maturity and deliver a transformation roadmap that unifies fragmented processes into a single, clear model aligned to Trainline’s risk appetite.
• Maintain key standards such as ISO 27001, ISO 22301, and PCI DSS, while ensuring they add real business value.
• Manage and develop the Risk and Compliance team, setting clear goals and cultivating an inclusive culture of accountability, continuous learning and collaboration.
• Develop and deliver concise, data driven risk and compliance reports for senior management and stakeholders, highlighting trends, emerging risks, and mitigation strategies.
• Act as a trusted advisor to executive stakeholders, providing actionable insight and guidance to support risk‑aware decision‑making.
• Partner with Legal, Privacy, Engineering, Procurement, and other functions to embed security, governance, and compliance into products, systems, and processes.
• Oversee and mature the end‑to‑end third‑party risk management process, focusing on tiering, assurance automation, and stronger alignment with procurement and legal teams.
• Champion and scale security awareness and governance training programmes to build a strong, security‑first culture across Trainline.
• Own the development, communication, and maintenance of information security policies, ensuring alignment with evolving threats and compliance needs.

• Experience transforming or scaling GRC or risk management functions within dynamic, high‑growth or complex businesses.
• Proven ability to balance control and creativity — tailoring governance frameworks that fit the business.
• A proven record of leading and developing high‑performing teams, setting clear goals and cultivating accountability and continuous improvement.
• Deep understanding of enterprise and cyber risk frameworks (ISO 27005, ISO 31000, NIST CSF) and how to communicate risk appetite in business terms.
• Excellent communication skills, with the ability to present complex risk and compliance information clearly to senior leadership and stakeholders.
• Strong analytical and critical thinking skills, capable of identifying risks, evaluating controls, and recommending effective mitigation strategies.
• Experience integrating risk management processes into business operations, including supplier and third‑party risk assessments.
• A collaborative, solutions‑focussed approach and the ability to work cross‑functionally with security, engineering, procurement, and business teams to embed security and compliance requirements.
• Track record of delivering actionable risk reporting and advisory support to executive teams, influencing strategic decision‑making.

Enjoy fantastic perks like private healthcare & dental insurance, a generous work from abroad policy, 2‑for‑1 share purchase plans, an EV Scheme to further reduce carbon emissions, extra festive time off, and excellent family‑friendly benefits.

We prioritise career growth with clear career paths, transparent pay bands, personal learning budgets, and regular learning days. Jump on board and supercharge your career from day one!

• 💭 Think Big - We're building the future of rail
• ✔️ Own It - We focus on every customer, partner and journey
• 🤝 Travel Together - We're one team
• ♻️ Do Good - We make a positive impact

We know that having a diverse team makes us better and helps us succeed. And we mean all forms of diversity — gender, ethnicity, sexuality, disability, nationality and diversity of thought. That's why we're committed to creating inclusive places to work, where everyone belongs and differences are valued and celebrated.

Interested in finding out more about what it's like to work at Trainline? Why not check us out on LinkedIn, Instagram and Glassdoor!