Head of Governance, Risk & Compliance (UK)

Birmingham, GB, B37 7ES

LRQA

We help businesses evolve by connecting them with tomorrow’s thinking, today.

About LRQA Nettitude

LRQA Nettitude (formerly Nettitude) has been around since 2003, and our focus has always been on excellence in cyber security. We have teams that offer world-class consulting and advisory services, specifically in red teaming, penetration testing, threat intelligence, research and development, detection and response, governance, risk and compliance, and plenty more across the cybersecurity services spectrum. Our business is global and so are our clients. We work closely with central banks, central and local government, critical national infrastructure, large retailers, and plenty more besides!

We’re an award-winning provider of cyber security services and we’re at a very exciting stage of development. We are looking for the right people to join us as we embrace the challenges thrown up by the advancements within the IT industry and within the threats faced. Nettitude will be at the forefront of this arena and we want to seek the right people to join the team and make it happen.

 

You can find out more about us at www.nettitude.com. If you want to review our research and tooling, then head on over to https://labs.nettitude.com

 

The role

We are looking for a candidate to lead the UK Governance, Risk & Compliance team and oversee US operations until we expand this region further. The primary purpose of the role is to oversee all aspects of delivering governance, risk and compliance (GRC) consultancy services to our clients, ensuring we hit high standards across the board and maintain a client-first approach. This includes leading a team of consultants, aligning services with client requirements, resolving issues, and driving client satisfaction (e.g. NPS).

 

This role is home-based, with occasional travel to client sites and LRQA offices.

 

What you’ll be doing in your role:

 

Key responsibilities: 

  • Team management and recruitment. Lead and manage the team, including recruitment, performance management, and development. This also includes managing a pool of subcontractors, as appropriate, to provide additional flexible resources.
  • Service ownership. Own all GRC services, with overall responsibility for delivery. Develop new services and evolve existing services based on client demand and industry changes.
  • Financial and utilisation performance. Achieve defined revenue, profitability, and utilisation targets and report these figures to the P&L holder.
  • Support sales and marketing. Work with colleagues to ensure that GRC services are appropriately marketed. Ensure sales and presales teams are supported in selling GRC services by creating or contributing to proposals, sales training materials, Confluence content, etc.
  • Create bespoke solutions. Ensure that requests for bespoke services are evaluated, and be creative in developing solutions that meet unique client requirements that do not align with existing services. Manage risks related to delivery of bespoke services.
  • Support delivery scheduling. Work with the Project Delivery team to prioritise conflicting demands on consultant resources to ensure that engagements are scheduled as efficiently as possible. Ensure that delivery demands are balanced to support a healthy work/life balance for consultants. Act as an escalation point where client timelines are at risk, and make use of subcontractors where appropriate.
  • Client delivery. Provide support and oversight to strategic engagements.

 

You’ll be leading a team of delivery-focused security consultants, with a particular focus on:

  • PCI DSS consultancy and assessments
  • Security reviews against standards or guidelines such as the NCSC 10 Steps to Cyber Security and NIST CSF
  • ISO 27001 gap analyses
  • Helping our clients to implement Information Security Management Systems and achieve and maintain ISO 27001 certification
  • Conducting risk assessments
  • Creating or supporting third-party risk management and audit programmes

 

Location

 

  • This role is home-based, with an expectation of travel to client sites, primarily in the UK, but with some opportunities for European and international travel; therefore, all candidates must be willing to travel where appropriate
  • We can support working from anywhere across the UK
  • All applicants must be resident in the UK

  

Key Skills:

 

Essential skills and experience:

  • Strong experience in GRC consultancy, with expertise in domains such as PCI DSS, ISO 27001, NIST CSF, and NCSC CAF, and hands-on delivery experience in at least one of these areas.
  • A proven track record in team management, including recruitment and retention of professional services consultants, performance management, and professional development.
  • Commercial awareness and the ability to work with sales and presales teams to align commercial and delivery requirements.
  • Extensive experience in client-facing delivery, with strong customer relationship management skills.
  • Proven ability to resolve client complaints and objections, taking ultimate responsibility for the delivery of GRC services and client satisfaction.
  • The ability to set direction and lead clients in a multitude of scenarios, including where direction and expectations are unclear, and to pivot quickly to meet changing client requirements.
  • Leadership and communication skills.

 

Desirable skills and experience:

  • Experience working with the NIS Directive, NCSC CAF or CAA ASSURE
  • Experience at C-level, including presenting to top-level management, decision makers and risk owners, with the ability to articulate information security risks in a way that demonstrates an understanding of the broader business impact
  • Demonstrable leadership and line management experience
  • Experience in delivering security awareness training to end users
  • Hands-on technical experience, even if not recent

 

Certifications

Whilst a collection of certifications is less important than experience, many areas in which our team works have prerequisite certifications that our consultants either hold or are working towards achieving. With this in mind, it’s expected that the head of this team should hold one or more of the following qualifications, either valid or expired:

  • PCI DSS QSA, with experience delivering PCI DSS assessments for complex merchants and service providers using PCI DSS v3.2.1 or v4.0.
  • ISO 27001 Lead Auditor or Lead Implementer.
  • At least one of: CISSP, CISA, CISM, CRISC.

 

What we offer:

 

We are a people-focused, high-performing, high-trust professional services team. You’ll be part of a diverse and growing international group of consultants, and we go out of our way to make sure our consultants feel part of our team. We use technology to ensure we’re always communicating with each other and schedule time every week to talk as a team.

 

The successful candidate will have opportunities to:

  • Make a difference – as clichéd as it sounds, this really is true. We encourage all employees to challenge norms and empower them to get involved. This might be getting involved with other teams or developing a new service offering – but if you want to do something, we always try to make it happen
  • Get involved – enjoy blogging or public speaking? Our team is committed to getting involved in industry discussions. We make time to attend conferences and get involved in the infosec community
  • Develop their skills – we love learning and ensure we find time for professional development. This isn’t just about collecting certifications and attending training courses – gaining and sharing knowledge in new areas is vital. These don’t always have to be directly related to your “day job”; in fact, we actively encourage developing knowledge in new and exciting domains

 

 

Apply?

 

Are you interested in this job? Apply now via the ‘apply’ button and upload your CV and cover letter.

 


Tags: C CISA CISM CISSP Compliance Confluence CRISC Governance ISO 27001 NIST PCI DSS Pentesting Red team Risk assessment Risk management Threat intelligence

Perks/benefits: Career development Conferences Flex hours

Region: Europe
Country: United Kingdom