Cyber Risk & Maturity Lead (Security Excellence Program)

Role Purpose:

The Cyber Risk & Maturity Lead is responsible for driving the organization’s cyber resilience and maturity journey while leading the Security Excellence Program (SEP). Acting as the governance steward and trusted advisor, this role ensures regulatory compliance, operational delivery, and alignment with security governance objectives. The individual will provide subject matter expertise in cyber risk and control frameworks, oversee SEP execution, and embed sustainable security practices across the enterprise.

Key Responsibilities:

Cyber Maturity & Governance:

• Develop and maintain the cyber maturity roadmap, ensuring progress against defined benchmarks.
• Conduct maturity assessments and recommend improvement strategies aligned with NIST CSF, ISO 27001, and regulatory expectations.
• Act as governance steward for cyber initiatives, ensuring adherence to internal policies and external regulatory requirements.

Security Excellence Program (SEP) Leadership:

• Own and drive SEP priorities, including tactical actions and strategic updates to security policies and practices.
• Oversee execution of SEP’s three-phase approach (Stabilize, Accelerate, Embed & Sustain) across priority areas:
  • Identity & Access Management (IAM)
  • Scanning & Monitoring
  • Patching & Vulnerability Management
  • Lifecycle Management
  • Open-source dependencies, cryptography compliance, secure container images, and unauthorized data flow prevention.
• Ensure delivery of SEP metrics and milestones, reporting progress to Security Council, ExCo, and regulators.
• Coordinate with tribes and planning units to embed SEP practices into Agile Control Plans and operational workflows.

Risk & Control Expertise:

• Serve as SME for cyber risk and control frameworks, advising on regulatory readiness and operational risk mitigation.
• Support audits, regulatory reviews, and assurance activities related to cyber risk and resilience.

Stakeholder Engagement & Reporting:

• Influence senior stakeholders and drive cultural change toward cyber resilience.
• Provide regular reporting on SEP and cyber maturity progress to executive sponsors, governance committees, and regulators.

Skills & Experience:

• Strong knowledge of cyber risk frameworks (e.g., NIST CSF, ISO 27001) and regulatory requirements.
• Proven experience in security programmed management and governance.
• Familiarity with SEP-related domains: IAM, vulnerability management, zero trust, DevOps security, and regulatory compliance.
• Excellent analytical, communication, and leadership skills.

Preferred Qualifications:

• Professional certifications such as CISSP, CISM, CRISC, or equivalent.
• Experience in managing large-scale security uplift programmes and regulatory engagement.