Head of Information Security Risk Management

2 weeks ago


Staines-upon-Thames, United Kingdom Bupa Full time

**Job Description**:
**Head of Information Security Risk Management**

**UK Locations (Hybrid Working)**

**Full Time**

**Permanent**

**Applications close: Friday 7th February 2024**

**We make health happen.**

At Bupa, we're passionate about technology and the role it can play in improving people's lives. We're undergoing an exciting digital transformation that is pivotal to our mission to help customers live longer, happier, healthier lives. The Technology Function is at the heart of this change.

The purpose of the role is to lead the strategic direction and delivery of the BGIUK Market Unit (BGIUK/MU) approach to Information Security risk, driving the reduction of security risks and improving security risk maturity. The role will maintain high visibility across the organisation's Business Units (BUs) and will provide governance and oversight to prevent risks crystallising. This is a key role supporting the delivery of information security across all BUs within BGIUK by providing robust challenge, with a focus on successful achievement of outcomes, in line with legislative requirements and industry-accepted good practice. It requires close relationships with the CISO functions (both Group and MU), the BU operational risk teams, and senior management to facilitate risk assessments and risk management processes, resulting in the reduction of security risks and improved security risk maturity. The role requires extensive experience and specialist expertise in information security governance, risk, and compliance in order to lead BGIUK's approach to information security risk, and to provide strategic-level direction and delivery.

The role-holder will need to support both the Director of IT Governance, Risk and Control and the BGIUK CISO in carrying out their responsibilities.

**How you'll help us make health happen**:

- Define, implement, and maintain the Information Security (including Cyber Security) part of the Risk Management Framework for BGIUK MU Technology.
- Lead in the scoping and delivery of the Market Unit Wide Information Security Risk Assessments and facilitate risk appetite evaluations.
- Contribute to the Cyber risk appetite definition for BGIUK.
- Support the upskilling of the GRC team in Information Security topics.
- Provide advice and direction to the Third-Party Assurance and the Risk & Control teams on information security matters, proposing appropriate solutions and new ways of working to effectively and efficiently manage both Third-Party and internal security risks.
- Undertake detailed reviews of proposed security controls or solutions with the Security team providing challenge and oversight to ensure such solutions contribute to effective risk mitigation for appropriate cost.
- Establish the appropriate governance forums and reporting mechanisms for the assessment and reporting of the MU wide Information Security risks, including reporting templates, risk logs and actions tracking.
- Establish collaborative relationships with senior managers and stakeholders across the Group and MU.
- Attend selected key security meetings/forums and provide feedback/challenge, representing the GRC function.
- Have oversight of InfoSec risks across the MU, providing challenge on the prioritisation and reporting (including escalation) of such risks and ensuring that risk management is an integral part of the information security governance.
- Contribute to a single source of truth for all MI (management information), working closely with other GRC leadership.
- Report on InfoSec Risks and appetite position to the BGIUK Executive committee - Including where needed, Board papers.
- Input to and have oversight of InfoSec Management Information - reporting to Group.
- Manage the security components of the Integrated Assurance plan - with Line 2 and Line 3 (MU and Group).
- Have oversight of InfoSec risk remediation commitments made by the CIO's direct reports and input into the integrated GRC Plan.
- As a member of the MU GRC Leadership team, contribute as a senior leader to the wider agenda of MU and BU Technology.
- Work in conjunction with the Security Threat team to advise the GRC Director and CIO on relevant Information Security Risk matters, notably any emerging risks and any deterioration of the risk position due to changes in the threat landscape.
- Work with the BINS compliance team to understand any relevant changes in regulatory expectations, then factor these into assessments.

**What you'll bring**
- Extensive experience in information security and governance, risk and compliance, with demonstrable ability to act as a leading authority on information security, providing guidance on the governance and management of information security risks for major IT programmes and strategic initiatives.
- Proven track record of contributing to the strategic planning for information security in a complex environment and for developing and implementing organisation-level policies, standards, and g
