Information Security Governance, Risk and Culture (GRC) Manager

Leicester, Leicestershire, United Kingdom

Next


The Information Security Team plays a key role in protecting all aspects of Next's IT and data assets, from our 15,000 IT-enabled users to the £4.9 billion of revenue generated by our eCommerce and retail stores. We are tasked with ensuring our systems, employees and customers are protected from all forms of cyber threat.

The Information Security GRC Manager is responsible for the Governance, Risk & Culture (GRC) team within Information Security. Reporting to the Head of Information Security, this role will involve the day-to-day running of the GRC team, developing and advising on the implementation of security policies, and working closely with the Head of Information Security to create an agile, threat-led Cyber Security culture.

The GRC Manager will ensure that our Senior Management and Executives are kept fully informed of our Cyber posture, overseeing our control assurance processes and producing executive dashboards and reporting. They will work closely with the Security Operations Manager and Security Engineering Manager to support our Cyber Defence teams, as well as providing input and direction on our Information Security Roadmap. The role will also involve overseeing our Third Party Risk Management process, PCI compliance and security-by-design assurance, and helping to develop and improve our Cyber Security Culture.

The successful candidate will also play a key role in developing and delivering our security Education & Awareness programme to our end users, ensuring we deliver relevant and engaging content to our business colleagues.

As a subject matter expert in Information Security, you will be expected to provide pragmatic advice and guidance to technology and business teams, manage key suppliers, coach and mentor your team members, and assist with budgeting.

Key Responsibilities

  • Day-to-day management of the Information Security GRC Team including mentoring, coaching, training and development and where necessary performance management.
  • Create and maintain pragmatic security policies appropriate for our business, providing advice and guidance on implementation and interpretation.
  • Support Next in creating and maintaining a threat-led Cyber Security framework that ensures we can effectively identify, prioritise and treat threats affecting our business.
  • Oversee the development, management and promotion of our Cyber Security Education and Awareness training with the aim of ensuring content is timely, relevant and engaging.
  • Create and maintain appropriate, actionable metrics and reporting to keep our Executive Sponsors informed of our Cyber Risk Posture, ensuring all reports are available in a timely manner for our meeting schedule.
  • Manage our 3rd Party Risk Management process to ensure all suppliers are safely onboarded, managed and offboarded, keeping key Stakeholders fully informed of any risk the business is taking.
  • Support the Head of Information Security in defining and delivering NEXT’s annual Security Roadmap.
  • Manage suppliers and support the Head of Information Security with setting and managing budgets.
  • Provide expert, yet pragmatic advice and guidance on Information Security to Senior Technology Stakeholders to support them in meeting their business objectives.
  • Manage Next’s PCI Compliance and work with our appointed QSA to support audits and other key activities.
  • Support Security Audit activities ensuring evidence can be collected and shared with auditors as efficiently as possible.
  • Manage our various security assurance processes to ensure our controls are effective and systems/processes are secure by design.
  • Remain up to date with the regulatory risk landscape and how it applies to NEXT, ensuring our policies and standards are adapted to meet any requirements.
  • Facilitate Information Security risk assessments to keep senior leadership informed of our security risk exposure.
  • Plan and execute annual tabletop simulation exercises to ensure our CSIRT and Incident Response Plan remains effective.
  • Maintain and enhance knowledge, ensuring you are continually up to date with the latest security risks, threats and solutions as well as geographical and industry trends.

Criteria

Essential

  • 5+ years working in Information Security with a proven track record of delivery.
  • A solid understanding of the current Information Security threat landscape and emerging threats.
  • A team player who is hardworking, self-motivated, collaborative and calm under pressure with the ability to communicate clearly and concisely to all levels of management.
  • Excellent attention to detail.
  • Understand and operate within our change management process.
  • A pragmatic and forward thinking approach to Information Security.
  • Ability to adapt your approach depending on the business's requirements.
  • Flexibility to cover unsociable hours and peak periods at short notice.

Desirable

  • Technical background in Information Technology with good hands-on experience of servers and/or networking.
  • Relevant industry-recognised security qualification (e.g. CISSP).
  • Experience with security or compliance standards such as PCI-DSS or ISO27001.
  • Understanding and experience of working for a Retail company.

You know Next, but did you know we're a FTSE 100 retail company employing over 35,000 people across the UK and Ireland? We're the UK's 2nd largest fashion retailer, and for Kidswear we're the market leader. At the last count we have over 500 stores, plus Next Online, and it's now possible to buy online from over 70 countries around the world! So we've gone global!


Tags: Agile Audits CISSP Compliance CSIRT E-commerce Ecommerce Governance Incident response ISO 27001 Risk assessment Risk management

Region: Europe
Country: United Kingdom
