Head of Security Governance, Risk & Compliance

• Job Title: Head of Security Governance, Risk & Compliance
• Salary: £70,400 - £94,100
• Location: Cambridge/Hybrid Minimum 2 days a week in the office
• Contract: Permanent

The Head of Security GRC is a senior leadership role within the Security SMT, tasked with driving the organisation's security governance, risk, and compliance strategy. This position engages across all levels of the business, ensuring regulatory compliance, effective risk management, and robust assurance processes to support decision-making by the Senior Leadership Team.

You will deliver a robust Security Assurance Framework, oversee supplier assurance activities, and maintain relevant ISO and Cyber Essentials certifications. Additionally, you'll drive the implementation of security standards, policies, governance reporting, and audit programmes to ensure robust controls are in place. You'll play a critical role in enabling informed decision-making and promoting a culture of security awareness across the organisation.

About the role

The position involves engaging at all organisational levels, managing security risks, ensuring regulatory compliance, and providing assurance on business practices to support informed decisions by the Senior Leadership Team and Security Board. Responsibilities include implementing and monitoring security standards, policies, AI governance, and audit programmes to ensure effective mitigations and controls. Additionally, the role entails designing and delivering the Security Assurance Framework, conducting supplier assurance activities and audits, leading the Awareness Community of Practice, and maintaining relevant ISO & Cyber Essentials certifications.

Key Accountabilities:

• Develops security standards, policies, and guidelines and ensures compliance across Cambridge.
• Leads the delivery of approved projects and investments to reduce risk and security exposure.
• Proactively identifies new threats, risks, and trends; reports mitigation progress to the Security Board and SLT.
• Collaborates with key stakeholders to create customer-centric security policies for products and services.
• Coordinates audits, regulatory inquiries, and external vendor activities to align with industry standards.
• Responsible for leading and managing the GRC team to achieve compliance and team success in the organisation.
• Oversees vendor relationships to ensure protection of Cambridge global people and assets.
• Aligns attack surface management (ASM) process with GRC objectives and provides updates on mitigation progress.
• Integrates AI governance with relevant GRC frameworks to meet regulatory standards.
• Manages certifications like ISO 27001, 42001, Cyber Essentials, and HMG Security Policy Framework.

We are a hybrid working organisation, and we offer a range of flexible working options from day one. We expect most hybrid-working colleagues to spend 40-60% of their time at their dedicated office or location. We will also consider other work arrangements if you wish to work more flexibly or require adjustments due to a disability.

Ready to pursue your potential? Apply now.

We review applications on an ongoing basis, with a closing date for all applications being 23rd April although we may close it earlier if suitable candidates are identified. Interviews are scheduled to take place shortly after it closes.

Please note that successful applicants will be subject to satisfactory background checks including DBS due to working in a regulated industry.

Why join us

Joining us is your opportunity to pursue potential. You'll belong to a collaborative team that's exploring new and better ways to serve students, teachers and researchers across the globe – for the benefit of individuals, society and the world. Sharing our mission will inspire your own growth, development and progress, in an environment which embraces difference, change and aspiration.

Cambridge University Press & Assessment is committed to being a place where anyone can enjoy a successful career, where it's safe to speak up, and where we learn continuously to improve together. We welcome applications from all candidates, regardless of demographic characteristics (age, disability, educational attainment, ethnicity, gender, marital status, neurodiversity, religion, sex, gender identity and sexual identity), cultural, or social class/background.

If you would like to know more about this opportunity and what will make you successful, please see the full job description attached to the bottom of this vacancy on our careers site.

Rewards and benefits

We will support you to be at your best in work and to live well outside of it. In addition to competitive salaries, we offer a world-class, flexible rewards package, featuring family-friendly and planet-friendly benefits including:

28 days annual leave plus bank holidays, private medical and permanent health insurance, discretionary annual bonus, group personal pension scheme, life assurance up to 4 x annual salary, green travel schemes.

About you

We are looking for a highly skilled and experienced professional with the following expertise:

Proven experience managing an Information Security Management System (ISMS), including ISO 27001 certification. Strong working knowledge of security threats and proportionate mitigations, as well as supply chain security management systems. A minimum of 3 years' experience in a senior governance or risk management role. Active CRISC or ISO 27005 Risk Manager certification (or higher), with additional certifications such as ISO 27001/42001 Lead Auditor or Implementor being advantageous. Demonstrated experience in strategic governance of security, managing security risks in line with ISO 27005, and implementing ISO 27001 compliant systems. Expertise in auditing security controls for both internal operations and third parties. Exceptional stakeholder management skills, with the ability to build relationships across all organisational levels. Strong negotiation skills to influence decisions and achieve positive outcomes. Experience leading and developing teams, both within the UK and regionally.