Our client is a PE‑backed business with c.2,500 employees across 160 UK locations. They have grown significantly through acquisition and have continued growth planned.
Recent independent security assessments confirm they have solid foundational controls but need structured governance, clearer accountability, and systematic improvement to meet board and investor expectations whilst supporting aggressive growth.
Reporting to the CTO, they need a Cyber and Information Security Lead who can build and maintain an appropriate security posture; one that meets legal and regulatory requirements, satisfies board and investor expectations, and enables (not blocks) their fast‑paced, acquisition‑led growth.
This is a single point of accountability for both cyber security and information security at a strategy, policy, and programme level. You’d set the direction, define what needs to happen, and drive it through existing teams rather than building a security department.
Implementation is executed by their MSP, the IT Services team, and the product and data teams who own their own domains and will need to be secure by design.
They want someone who views security through a commercial risk lens. Someone who can explain the business impact of a risk in language the board and business understands, prioritise based on what actually matters to the organisation, and resist the temptation to.
Time allocation: 30% strategy & governance, 40% hands‑on policy and risk work, 30% influencing others.
Working patterns: 4 days per week in the office (central London) with quarterly branch visits across the UK.
Required Skills & Experience
Must Have
- Security framework implementation: Proven experience implementing structured security controls (ISO 27001, NIST, Cyber Essentials Plus, or equivalent) from gap analysis through to operational maturity in 1,000+ employee organisations
- Scale: Experience securing 2,000+ employees across multiple physical locations
- Collaboration: Track record of influencing without authority; translating technical risks into business language that boards and investors understand
- Microsoft Security: Practical knowledge of M365 security capabilities (Defender, Sentinel, Entra ID, Conditional Access, Purview)
- Data protection: Solid understanding of UK GDPR including DPIAs, data subject rights, and marketing consent
- Orchestration mindset: Comfortable being the single accountable person for security, driving outcomes through an MSP, internal IT teams, and product teams rather than building your own department
Nice to Have
- Hands‑on technical security skills (tool configuration, scripting, application security)
- PE‑backed business experience; familiarity with investor due diligence expectations
- Property/service industry or CRM‑centric business model understanding
