Job Description for IT & Cyber Policy and Governance Lead
Business Area: Information Security
Job Title: IT & Cyber Governance and Policy Lead
Scope and Coverage: Global
Outline Purpose of Role
This role will:
* Implement and develop and own IT and cyber governance processes and forums in alignment with the IT and Information security operations and risk framework.
* Maintain and improve the IT and information security policy framework including the suite of policies and standards and associated processes.
* Help drive a robust security posture for a large, complex organisation, trading globally within a constantly evolving IT and information security threat environment.
Impact of Role
* Implement governance framework to enable enforcement and management of IT and cyber policies across all JD entities.
* Help drive good security hygiene and the use of appropriate controls into the business culture of JD Sports.
Reports to: This role resides in the Information Security Function and reports to the Global Head of Governance, Risk and Compliance.
Direct Reports: Individual contributor with possible management of a GRC Analyst and periodic oversight of seconded resources, contingent workers and systems integrators.
Key Elements of the Role
The job holder will be responsible for developing, implementing and maintaining IT and cyber governance frameworks, policies and standards to enable the policy framework to be deployed and enforced across the technology organisation of the business. In this role, the job holder will be responsible for the following activities:
IT and Cyber Policy Framework:
* Develop a clear understanding of the organisation, its various entities (business units, subsidiaries, partners, and interdependent entities) to assess existing and applicable policy requirements.
* Maintain and develop the IT and cyber policy framework to drive continuous improvement and its usability and application.
* Establish a robust governance structure to manage and facilitate IT and cyber policy and risk management. This includes clearly defined roles, responsibilities, processes and relevant artefacts.
* Lead on alignment of governance for IT and cyber controls in line with JD Sports Policies, Standards, and security strategy.
* Definition of IT and information security policies, standards and guidelines in line with applicable and recognised best practice requirements.
* Harmonise with any differing compliance and controls requirements to establish a company-wide consistent set of policies and standards used across all entities.
* Implement and maintain a robust policy development lifecycle to ensure effective policy management and review in line with compliance and technological advancements and changes.
* Analyse incidents and events to identify omissions and opportunities for improvement in accordance with the organisation's risk exposure and appetite.
* Identify, analyse and report on key policy metrics such as policy exceptions, breaches and identify relevant risks arising from policy exceptions.
* Prepare and report on governance and policy reporting to senior leadership highlighting adherence status, risks and mitigation strategies.
* Address opportunities for exploiting automation and tool sets for policy enforcement and management.
Stakeholder Engagement and Advisory:
* Communicate with internal stakeholders (technical and non-technical) and suppliers to discuss policy requirements and implementation.
* Collaborate with third-party vendors and partners to enforce consistent policy adherence within the supply chain and vendor ecosystem.
* Develop policy compliance regime in conjunction with GRC compliance and in accordance with the 3 lines of defence model.
* Work closely with HR, procurement, legal, and other departments to ensure that controls are integrated into key business processes.
* Clearly articulate policy non-compliance issues including their associated risks and providing actionable recommendations for mitigation as part of the risk management processes.
* Provide guidance and training to teams across the organization on IT and cyber policies and best practices.
* Establish strong working relationships with the internal and external stakeholders to ensure the policies are adhered to and effective as designed.
* Act as SME for all levels of stakeholders across the organisation on IT and cyber governance, policies and advising adherence strategies.
Key Attributes of The Jobholder
Experience and Qualifications
* Bachelor’s degree in Cybersecurity, Information Technology, Compliance or a related field.
* 5+ years of experience in IT and cyber governance frameworks, policy development, cyber assurance, compliance or a related discipline.
* Certifications such as CISSP, CISM, CRISC, or equivalent are strongly preferred.
* In-depth understanding of cybersecurity frameworks (e.g., NIST, ISO 27001) and risk management methodologies.
* Experience with controls development and management tools, and familiarity with security controls, threat modelling, and vulnerability management.
* Experience of third-party risk management.
* Knowledge of regulatory requirements and compliance frameworks (e.g., GDPR, ITGC, PCI-DSS, etc…) related to IT, cybersecurity and risk management.
* Awareness of various operating systems including but not limited to Windows, Linux, Unix.
* Awareness of Database technologies (SQL, Oracle, DB2, Mongo) and associated controls optimised for their protection.
* Experience with cloud environments (AWS, Azure, GCP) and understanding of cloud security risks.
* Awareness of Agile environments and practices.
* Familiarity with advanced cybersecurity technologies such as SIEM, IDS/IPS, and endpoint detection solutions.
Key Skills
The job holder is expected to possess the following skill set:
* Ability to extract clarity from fast-paced, evolving scenarios by helping to clarify the inevitable ambiguity arising within a large, complex, and interdependent organisation.
* Strong analytical and problem-solving skills, with the ability to make informed risk-based decisions.
* Excellent communication skills, both written and verbal, to effectively present risks to senior leadership and non-technical audiences.
* A proven ability to work collaboratively and constructively with other managers to ensure clarity of purpose, effective communication, and mutual understanding of policy frameworks and how to apply them.
* Strong mentoring and organisational skills with experience of leading and working collaboratively within multi-disciplined teams.
* Competent, engaging communication skills and an ability to articulate goals, achievements, risks, expectations, and needs to individuals and teams at all organisational levels.
* An ability to manage and inspire diversely located team members (internal and external) to focus on common goals and timelines.
#J-18808-Ljbffr