Head Of Governance, Risk and Compliance

Job Overview

Location: London, England
Job Type: Full Time Job
Job ID: 44681
Date Posted: 5 months ago
Recruiter: Andrew Skonl

Job Description

Head of Governance, Risk and Compliance for Technology and Information Security

Establish and lead a streamlined, coordinated, and cohesive Information Security Governance and Compliance strategy to strengthen and expand our IT Risk and Governance capabilities and support a strong and effective Risk management culture across M&S Technology!

Description

The Head of Information Security Governance, Risk and Compliance plays a key role in implementing and maintaining the management of Technology Risk and Information Security Risk within M&S. A senior role reporting directly to the CISO, the Head of GRC is creative and innovative, capable of thought leadership, and able to build strong and long-lasting relationships with our key partners throughout the business.

This role is responsible for establishing and leading a streamlined, coordinated, cohesive and continuously improving M&S Technology and Information Security Governance Product as part of the Information Security and Tech Risk Business Platform.

This Product is responsible for oversight and management of a number of key outcomes:

Governance for the Information Security and Tech Risk Business Platform, responsible for the strategy, planning, implementation, management and monitoring of Information Security and Tech Risk Products, working closely with the Technology Transformation Office, Technology Products and Platforms, and Audit.

Technology Risk and Controls framework for M&S, working closely with Enterprise Risk.

Information Security Transformation programme, a multi-million InfoSec Transformation programme improving controls across M&S.

Technology and Information Security Compliance for M&S in order to meet M&S regulatory and other compliance requirements.

As Tech Risk and Information Security are both principal Risks that senior management and the board have to assess, being able to understand the balance between the needs of the Business in creating new value and the need to manage this Risk to an acceptable level, and to report on it to senior Partners, is key to the role.

This role requires an entrepreneurial Governance leader with sound knowledge of Risk and Compliance, a solid understanding of Information Security technologies and Technology Risk, and the drive to lead business Technology change and Information Security improvement.

In this role, you will be working directly with non-IT partners such as Legal, Audit, the Data Protection Office, Procurement and Treasury to ensure organisational alignment.

Key accountabilities and measures

Information Security Governance:

Lead and implement the Risk Management plan and strategy, communicate expectations and obligations to Partners up to Board level, and monitor and report on Technology and Information Security Risk performance to improve the M&S Technology Risk profile.

Provide technical leadership, processes, tools and support to M&S Technology Governance, Compliance and Risk Products.

Coordinate Information Security and Risk Transformation Programmes.

Own the Information Security Business Platform budget, covering BAU and Change activities, including Transformation budgets.

Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments, and internal and external audits to ensure that appropriate remediation measures have been taken.

Coordinate with Audit on planning, actioning and remediation of IT Audit activities and findings.

Act as a Governance, Risk and Compliance advocate, influencing and managing Partner relationships while providing SME advice and information on emerging Governance, Compliance and Risk issues.

Advise on and coordinate the delivery of regular Governance reports and Transformation programmes designed to anticipate and minimise threats to M&S.

Develop, implement, lead and maintain the M&S Technology and InfoSec Governance Strategy, Policy, systems and processes, and monitor and report on performance and compliance to enable M&S to deliver its objectives within its legal and regulatory obligations.

Lead and oversee governance colleagues and resources, and prioritise governance activities to better manage and minimise risks and support the strategic objectives.

Provide support, education and training to colleagues to build risk awareness across the organisation.

IT Compliance

Determine and maintain an inventory of all IT and Information Security regulatory, commercial and organisational technology compliance requirements.

Report the levels of IT Compliance Risk and Control effectiveness to key partners such as IT Product and Platform management, senior management, board of directors, legal management, regulators, internal/external auditors, etc.

Facilitate the creation (where required), modification and management of all Technology and Information Security Policies.

Operate the IT compliance and Risk framework and periodically assess the regulatory, commercial and organisational, inherent and residual IT compliance risks. Lead oversight and monitoring of risk mitigation and coordinate policy and controls with the compliance manager and the Chief Information Security Officer (CISO), to ensure that other managers are taking effective remediation steps.

Commercial Compliance Activities

Work with corporate procurement, strategic sourcing, and external sales and marketing representatives to identify all IT compliance commercial requirements and industry standards, related to the supply as well as the delivery of goods and services.

Communicate IT compliance standards and requirements to relevant suppliers through various means, such as requests for proposal, contractual terms, etc.

Perform the necessary due diligence to determine third-party alignment with IT compliance requirements before establishing a business relationship.

Monitor third-party adherence to IT compliance requirements and address any and all instances of noncompliance.

Request proof of required industry-standard certifications or reports (e.g., ISO 27001 certification, Service Organization Control (SOC) reports, PCI DSS attestations, etc.).

Organisational Compliance Activities

Work with IT and business representatives to identify the goals and objectives of the organisation and translate them into IT and Information Security Risk and compliance requirements.

Evaluate any related external frameworks or standards (e.g., ITIL, COBIT, National Institute of Standards and Technology [NIST], etc.) or internal standards (e.g., code of conduct and acceptable use) to determine relevant IT compliance requirements and controls.

Identify any gaps between the desired level of compliance and the current level of maturity.

Implement the required IT compliance policies and controls to meet the desired level of compliance maturity reflected in a given standard or framework.

Be responsible for the monitoring and periodic testing of IT compliance controls to ensure ongoing conformance with a given standard or framework.

Identify and resolve any issue of noncompliance with a related standard or framework.

IT Risk Management Governance

Facilitate business alignment and communications in conjunction with the Technology Transformation Office.

Create, disseminate and (as the need arises) update documentation of M&S identified IT Risks and Controls.

Provide oversight of IT Risk Management and work with the Technology Transformation Office and other internal groups to facilitate IT Risk analysis and Risk management processes, identify acceptable levels of residual risk, and establish roles and responsibilities related to information classification and protection.

Review risk assessments, analyse the effectiveness of M&S IT control activities and report on them, with practical recommendations, to the CISO, Technology Leadership teams and CTO.

Key skills

Business

Proven track record of running a Governance, Risk and Compliance operation and supporting partner or senior management committees in their efficient operation.

Proven experience with Business Security and Risk management principles, frameworks and processes to help prioritise and define mitigation strategies.

Experience of leading an administrative function to enable senior positions/management teams to work effectively.

Awareness of the principles of effective Product management, risk mitigation and risk management.

Understanding of business metrics and OKRs.

Proven leadership ability.

Strong organisational skills and oral and written presentation abilities.

Ability to communicate complex material in a business-friendly format.

Excellent communication, partner management, presentation and technology leadership skills with respect to peers and senior partners.

Strong persuasive communication and presentation skills.

Ability to handle multiple concurrent tasks in a fast-paced environment without supervision.

Ability to set direction and lead with a hands-off approach.

An understanding of business organisational change and its importance to the success of security initiatives.

Proven record of delivering enhancements to process efficiency.

Technical

Experience using computers for a variety of tasks; the key application suite is Office 365.

A good understanding of the technical areas that feed into Risk Management.

Proven knowledge and skill in IT Technical Governance and Risk.

Able to demonstrate broad technical knowledge and expertise covering conduct of business matters, Corporate IT Governance matters, and regulatory risk and regulatory change matters.

Helpful

Experience of Retail organisations and broader industry.

Proven record of delivering training and awareness programmes for the organisation.

Experience of delivering security solutions/services.

Experience of working with Agile practices and applying information security standards and methodologies.

Experience of working in IT, Security, Business or Retail (desirable).

M&S is ready to push boundaries to lead the industry into a greener, speedier, more inspiring digital era. That’s why we’re revolutionising how we work and offering our most exciting opportunities yet. There’s never been a better time to be part of our team. Marks & Spencer aims to be an inclusive organisation, trusted and admired by our colleagues, customers and suppliers. Join us and make an immediate impact. We are committed to an active Inclusion, Diversity and Equal Opportunities Policy, which starts with our recruitment and selection process, and we are happy to talk flexible working.

We will ensure that individuals with disabilities are provided reasonable accommodation to participate in the job application or interview process. If you consider yourself to have a disability or learning difficulty which means you are unable to complete the application process online, please get in touch either by phone on 0345 300 3725 or by email recruitment.online@marksandspencer.com so we can make alternative arrangements for you.
