Cyber and Information Security Lead (High growth, M&A, PE-environment)

Company: Ethos BeathChapman
Location:
Job Description:

Our client is a PE-backed business with c.2,500 employees across 160 UK locations. They have grown significantly through acquisition and have continued growth planned.

Recent independent security assessments confirm they have solid foundational controls but need structured governance, clearer accountability, and systematic improvement to meet board and investor expectations whilst supporting aggressive growth.

Reporting to the CTO, they need a Cyber and Information Security Lead who can build and maintain an appropriate security posture; one that meets legal and regulatory requirements, satisfies board and investor expectations, and enables (not blocks) their fast-paced, acquisition-led growth.

This is a single point of accountability for both cyber security and information security at a strategy, policy, and programme level. You’d set the direction, define what needs to happen, and drive it through existing teams rather than building a security department.

Implementation is executed by their MSP, the IT Services team, and the product and data teams who own their own domains and will need to be secure by design.

They want someone who views security through a commercial risk lens. Someone who can explain the business impact of a risk in language the board and business understand, prioritise based on what actually matters to the organisation, and resist the temptation to over-engineer controls.

Time allocation: 30% strategy & governance, 40% hands-on policy and risk work, 30% influencing others

Working patterns: 4 days per week in the office (central London) with quarterly branch visits across the UK.

Required skills & experience:

Must Have

• Security framework implementation: Proven experience implementing structured security controls (ISO 27001, NIST, Cyber Essentials Plus, or equivalent) from gap analysis through to operational maturity in 1,000+ employee organisations

• Scale: Experience securing 2,000+ employees across multiple physical locations

• Collaboration: Track record of influencing without authority; translating technical risks into business language that boards and investors understand

• Microsoft Security: Practical knowledge of M365 security capabilities (Defender, Sentinel, Entra ID, Conditional Access, Purview)

• Data protection: Solid understanding of UK GDPR including DPIAs, data subject rights, and marketing consent

• Orchestration mindset: Comfortable being the single accountable person for security, driving outcomes through an MSP, internal IT teams, and product teams rather than building your own department

Nice to Have

• CISSP, CISM, or ISO 27001 Lead Implementer certification

• Hands-on technical security skills (tool configuration, scripting, application security)

• PE-backed business experience; familiarity with investor due diligence expectations

• Property/service industry or CRM-centric business model understanding

• M&A integration security experience

Posted: April 5th, 2026