Head of Information Security Risk Management
Central London, United Kingdom
Bupa
Bupa is an international healthcare company. Our purpose is helping people live longer, healthier, happier lives and making a better world.
Job Description:
Head of Information Security Risk Management
UK Locations (Hybrid Working)
Full Time
Permanent
Applications close: Friday 7th February 2024
We make health happen.
At Bupa, we’re passionate about technology and the role it can play in improving people’s lives. We’re undergoing an exciting digital transformation that is pivotal to our mission to help customers live longer, happier, healthier lives. The Technology Function is at the heart of this change.
The purpose of the role is to lead the strategic direction and delivery of the BGIUK Market Unit (BGIUK/MU) approach to Information Security risk, driving the reduction of security risks and improving security risk maturity. The role will maintain high visibility across the organisation’s Business Units (BUs) and will provide governance and oversight to prevent risks crystallising.
This is a key role supporting the delivery of information security across all BUs within BGIUK by providing robust challenge, with a focus on successful achievement of outcomes in line with legislative requirements and industry-accepted good practice. It requires a close relationship with the CISO functions (both Group and MU), BU Operational Risk teams, and senior management to facilitate risk assessments and risk management processes, resulting in the reduction of security risks and improved security risk maturity.
The role requires extensive experience and specialist expertise in information security governance, risk, and compliance in order to lead BGIUK’s approach to information security risk and to provide strategic-level direction and delivery.
The role-holder will need to support both the Director of IT Governance Risk and Control and BGIUK CISO in carrying out their responsibilities.
How you’ll help us make health happen:
- Define, implement, and maintain the Information Security (including Cyber Security) part of the Risk Management Framework for BGIUK MU Technology.
- Lead in the scoping and delivery of the Market Unit Wide Information Security Risk Assessments and facilitate risk appetite evaluations.
- Contribute to the Cyber risk appetite definition for BGIUK.
- Provide subject matter expertise and independent guidance on the scoping, assurance, and delivery of the Information Security transformation programmes, as well as on the embedding of security controls in the wider transformation programmes.
- Support the upskilling of the GRC team in Information Security topics.
- Provide advice and direction to the Third-Party Assurance and the Risk & Control teams on information security matters, proposing appropriate solutions and new ways of working to effectively and efficiently manage both Third-Party and internal security risks.
- Undertake detailed reviews of proposed security controls or solutions with the Security team providing challenge and oversight to ensure such solutions contribute to effective risk mitigation for appropriate cost.
- Establish the appropriate governance forums and reporting mechanisms for the assessment and reporting of the MU wide Information Security risks, including reporting templates, risk logs and actions tracking.
- Establish collaborative relationships with senior managers and stakeholders across the Group and MU.
- Attend selected key security meetings/forums and provide feedback/challenge, representing the GRC function.
- Have oversight of InfoSec risks across the MU, providing challenge on the prioritisation and reporting (including escalation) of such risks and ensuring that risk management is an integral part of the information security governance.
- Contribute to a single source of truth for all MI, working closely with other GRC leadership.
- Report on InfoSec risks and the risk appetite position to the BGIUK Executive Committee, including Board papers where needed.
- Input to, and have oversight of, InfoSec Management Information reported to Group.
- Manage the security components of the Integrated Assurance plan with Line 2 and Line 3 (MU and Group).
- Have oversight over InfoSec risk remediation commitments by the CIO’s direct reports and input into the integrated GRC Plan.
- As a member of the MU GRC Leadership team, contribute as a senior leader to the wider agenda of MU and BU Technology.
- Work in conjunction with the Security Threat team to advise the GRC Director and CIO on relevant Information Security risk matters, notably emerging risks and any deterioration of the risk position due to changes in the threat landscape.
- Work with the BINS compliance team to understand any relevant changes in regulatory expectations, and factor these into assessments.
What you’ll bring
- Extensive experience in information security and governance, risk and compliance, with demonstrable ability to act as a leading authority on information security, providing guidance on the governance and management of information security risks for major IT programmes and strategic initiatives.
- Proven track record of contributing to the strategic planning for information security in a complex environment and for developing and implementing organisation-level policies, standards, and guidance.
- Ability to establish relationships and influence key stakeholders at all levels of the organisation to build the reputation of Information Security.
- Demonstrable experience of managing a team of Information security risk experts and managing relationships between teams and stakeholders across an organisation (Group, MU and BU levels) in order to deliver an efficient and successful information security risk service.
- Demonstrable experience in developing and managing information security audit and assurance programmes, including assessing the security of third parties.
- Demonstrable experience in developing/managing information security reporting frameworks and dashboards.
- Experience in providing guidance, counsel and advice on information security to a diverse range of stakeholders, explaining difficult concepts in language they can understand and act on.
- Excellent analytical skills, the ability to manage multiple IT/IS projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
- High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity.
- Excellent written and oral communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and non-technical audiences at all levels of the organisation.
- Graduate calibre with appropriate qualifications, such as BCS Fellow, CESG, IISP, CISM, CISSP, CRISC, CDPSE, CCISO.
- Knowledge of common information security management/governance frameworks, such as ISO/IEC 27002, NIST, CIS 18 and COBIT.
- Knowledge of cloud technologies with a preference for MS Azure.
- Experience of working in regulated financial services, supporting SMF (Senior Management Function) holders in the discharge of their responsibilities.
Benefits
Our benefits are designed to make health happen for our people. Viva is our global wellbeing programme and includes all aspects of our health – from mental and physical, to financial, social and environmental wellbeing. We support flexible working and have a range of family friendly benefits. Joining Bupa in this role you will receive the following benefits and more:
- 25 days holiday, increasing through length of service, with option to buy or sell
- Bupa health insurance for you and your family as a benefit in kind
- An enhanced pension plan and life insurance
- Annual 25% performance-based bonus
- Company car allowance
- Onsite gyms or local discounts where no onsite gym available
- Various other benefits and online discounts
Diversity and Inclusion
Bupa is committed to making sure that every applicant is assessed based on personal merit and qualifications. We actively celebrate the diversity of our colleagues and provide an inclusive environment so you can truly be you at Bupa. We want to ensure you are treated fairly. That’s why we’re happy to offer reasonable adjustments as part of our recruitment process to anyone that needs them.
Time Type: Full time
Job Area: IT, Legal, Risk & Audit
Locations: Angel Court, London; Bupa Place; Kirkstall Forge; Staines - Willow House