Security Governance Analyst

Fortnum & Mason

City of Westminster

On-site

GBP 60,000 - 80,000

Full time

Yesterday

Job summary

A prominent retail company in London is looking for a Technology Security Governance Analyst for a 6-month fixed term. In this role, you will manage third-party assurance, support PCI compliance, and work on security incident investigations. You'll need to be well-versed in security frameworks like ISO 27001 and have a solid understanding of Microsoft infrastructure. The position offers competitive salary and benefits including staff discounts and holiday allowances.

Benefits

Competitive salary
Store and restaurant discount up to 40%
25 days holidays + extra day off for birthday
Subsidised staff restaurant
Personal and professional development opportunities
Excellent pension scheme

Qualifications

  • Experience with security and compliance standards frameworks.
  • Understanding of UK legal frameworks for data protection.
  • Proficiency in Microsoft SQL Server and Azure Cloud management.
  • PowerShell scripting skills for automation.
  • Understanding of incident response capabilities.

Responsibilities

  • Manage third-party information security assurance.
  • Support PCI compliance and conduct audits.
  • Investigate information security incidents and maintain logs.
  • Enhance security measures proactively.
  • Provide security training and awareness.

Skills

Security compliance standards
Microsoft infrastructure
Identity & Access Management
Vulnerability assessment
Threat protection
Microsoft SQL Server
PowerShell scripting
Cloud security

Education

Experience with ISO 27001
Understanding of GDPR

Tools

Microsoft Intune
Azure
Cisco Meraki
Job description

Security Governance Analyst - 6 Month Fixed Term - London

Our Head Office department is in the heart of Piccadilly and occupies the 5th & 6th floor of our beautiful flagship store. This central London location offers so much to explore, including restaurants, bars, cultural sites, shopping and more, and is only a short walk from Green Park Tube Station and plenty of bus stops.

As a Technology Security Governance Analyst, you will support and manage elements of the Fortnum & Mason Information Security Governance Framework. As a Technology Security Governance Analyst, you will:

Responsibilities
  • Own and manage the process for third party information security assurance to ensure that ongoing security assessments are undertaken and that contractual agreements reflect information security requirements.
  • Support information security awareness throughout the organisation including managing phishing awareness campaigns and delivering and supporting training and awareness to specific user groups.
  • Support management and investigation of any information security incidents including ensuring that incident logs are maintained, and any actions / lessons learned are addressed.
  • Support Fortnum & Mason's PCI compliance program, including ensuring evidence of compliance is collated and maintained and undertaking audit checks within stores.
  • Manage the process for Information Security Risk Management to ensure that all information security risks are owned and documented and remediated to an agreed and accepted level.
  • Support the process for project engagements to ensure that Information Security requirements are defined for each project, that architectural design documents are reviewed to ensure appropriate controls are in place, and that testing and acceptance processes are in place to ensure that agreed controls have been implemented.
  • Serve as a hands‑on Security Analyst, proactively identifying opportunities for improvement and delivering security enhancements to our systems.
  • Understanding of server hardware, hypervisors, virtual machines, operating systems, Microsoft services, including Intune, Entra, Office365, Azure, SQL Server, SCCM, and File & Directory services.
  • Collaborate with partners to ensure the security of the Cisco Meraki network, taking a proactive stance in mitigating risks and in patch management.
  • Assist with internal and external vulnerability assessments, working with security partners to maintain PCI DSS compliance, overcome security challenges, and drive continuous improvements aligned to the NIST framework/ISO271002 standards.
  • Report and review our secure device imaging using Microsoft Intune & Autopilot, ensuring a standardised, scalable, and resilient set‑up for retail, hospitality POS, and all corporate end‑user devices.
  • Effectively operate security tooling reporting against our SIEM platform, endpoint protection solutions, and identity access controls, reviewing automated threat detection and forensic incident response to protect critical infrastructure and services.
  • Create and manage security policy documentation, assist with security procedures, and train our internal teams and wider retail staff.
  • Undertake disaster recovery planning, ensuring business continuity and resilience against potential disruptions.
  • Work proactively alongside support, application, and transformation teams, fostering collaboration and communicating security procedures and policies.
  • Deliver concise, well‑structured documentation, providing clarity for teams and enabling rapid adoption of security best practices.
  • Function as a trusted advisor, recognised as the go‑to subject matter expert for security, and bridging the gap between end‑users and the infrastructure and security team.
  • Guide and support third‑party engagements, ensuring vendors align with enterprise security standards, compliance requirements, and best practices.
  • Educate and empower both internal teams and the broader business, fostering a security‑first culture and promoting best practices in security and business continuity.
Qualifications
  • Experience with security and compliance standards frameworks such as ISO 27001, ISO 22301, GDPR, PCI‑DSS, NIST, and ACPO guidelines.
  • Understanding of UK legal frameworks including the Data Protection Act and Computer Misuse Act.
  • Understanding of Microsoft infrastructure including Windows Server Administration, Active Directory AAD Administration, Group Policy, Microsoft 365 services and Azure Cloud resource management.
  • Proficiency in Microsoft SQL Server.
  • PowerShell scripting skills.
  • Identity & Access Management (IAM) expertise, including Microsoft Entra ID (formerly Azure AD), role‑based access control (RBAC), and multi‑factor authentication (MFA).
  • Cloud security experience securing Azure environments, including Microsoft Defender for Cloud, Sentinel, and compliance frameworks such as PCI‑DSS.
  • Threat protection and incident response capabilities: ability to identify vulnerabilities, implement threat protection, and respond to security incidents.
  • Patch management and endpoint security knowledge: understanding of patching, importance of regular updates, and endpoint protection across Windows and Azure environments.
  • Familiarity with backup and disaster recovery tools and practices.
  • Phishing awareness tools and ability to create training for end‑users on security best practices.
Benefits
  • Competitive salary.
  • A generous store and restaurant discount of up to 40%.
  • 25 days holidays (excluding bank holidays) and an extra day off for your birthday.
  • A fantastic subsidised staff restaurant which uses Fortnum's ingredients.
  • A range of opportunities to develop and grow personally and professionally.
  • Excellent pension scheme.