BCA UK, England, United Kingdom

GRC Operations Manager

Hybrid - working from home with travel to BCA sites

£70,000 - £80,000 per annum + car allowance + bonus + benefits

40 hours per week, Monday - Friday

Constellation Automotive Group is the largest vertically integrated digital car marketplace in Europe, with over 15,000 staff and a turnover in excess of £12 billion per year combining the leading digital brands across the segments of consumer to business, business to business and business to consumer.

Security is at the heart of everything we do and Constellation Automotive Group is actively expanding and improving Cyber Security throughout our business and supply chain. Want to join us on our journey?

We're looking to recruit a Group GRC Operations Manager, working within the Chief Information Security Office for the Constellation Automotive Group (CAG). As Group GRC Operations Manager you will provide operational excellence in governance, risk and compliance management to deliver on our business, customer and regulatory cyber and information security requirements.

Reporting to the Head of Governance, Risk and Compliance, this senior cyber risk role is responsible for creating a culture of risk accountability across the Group. You will bring a wealth of experience of building, automating and continuously improving Information Security Risk Management Systems for digital and cloud-first organisations, and will build a culture of cyber and information security awareness. You must have technical and business acumen with an ability to build strong, trusted relationships across the business and with partners.

Key Responsibilities
• Evolve the Group’s GRC Operations into a world class high performing team in a fast paced digital and cloud first environment.
• Lead and mentor GRC Operations Analysts; managing demand to support group governance, risk and compliance projects and initiatives; supporting CISO pillar leaders and GRC Specialists in achieving shared goals and performance metrics.
• Own, in support of the Head of GRC, the Group GRC annual roadmap (as a subset of the CISO roadmap) as agreed with stakeholders; adapt it with agility to changes in priorities.
• Leading author for the continuous improvement of a digital and cloud first ISMS that can be certified at both group and business level to ISO/IEC 27001, NIST and other global standards as appropriate.
• Contribute to the evolution of Group global information security policies, standards and guidelines that enable business and customer success through automation.
• Ensure full global adoption of information risk policies through collaboration and balanced enforcement with business and technology leadership. In particular driving the culture of risk accountability within senior business leads.
• Implement and evolve appropriate automated risk management processes that support fast and safe decisions.
• Evolve framework for measuring Corporate Information Security Risk based on applicable international/regional industry recognized standards, such as ISO/IEC 27000 series, NIST SP800 series, COBIT, FERPA, COPPA, etc.
• Ensure this framework is used as the common standard for automating and measuring risk in/by the business and technology.
• Drive, with GRC Specialists, vendor risk management practices as part of a third-party risk management strategy.
• Ensure the organisation and its partners achieve their risk remediation targets in a timely fashion and can clearly evidence risk mitigation to customers, partners, stakeholders and authorities as required, meeting and surpassing our customer requirements.
• Liaise with customers, partners, security organizations and others to support the business governance, risk and compliance management effort.
• Lead the development and delivery of information and cyber security training and awareness.
• Act as a Security role-model and champion throughout the company.

Person Specification
• Experience of, plus qualifications/certifications from, cloud providers such as AWS, Microsoft Azure, etc.
• Practitioner knowledge of relevant legislation and regulation such as the Data Protection Act (DPA) 2018, GDPR and the Payment Card Industry Data Security Standard (PCI DSS).
• Practitioner knowledge of industry best practice and frameworks such as: ISO27001, PCI-DSS, NIST and CIS Critical Security Controls and the principles of enterprise risk management and governance techniques.
• Professional security management qualifications and certifications, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other relevant credentials.
• Extensive experience in the information security field with specific focus on risk management, policy, compliance and/or security frameworks within hybrid environments of Cloud and On Prem.
• Knowledge and understanding of relevant legal and regulatory requirements, specifically US, UK and EU.
• Practitioner knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT and NIST SP800.
• Experience with Cloud services risk management such as AWS, Google, Azure, Oracle.
• High level of personal integrity, and the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity.
• High degree of initiative, dependability and thought leadership.
• Experience in developing risk management frameworks, including tools such as RSA Archer, Allgress, ServiceNow and other RAID tools.
• + years of experience in Risk and Compliance roles
• 5+ years of experience in enterprise IT, system technology, infrastructure, integration, cloud, hosting and shared technology services.
• Minimum of 2 years of management experience working in a similar sized organisation.

Our policy is to employ the best qualified people and provide equal opportunity for the advancement of employees, including promotion and training, and not to discriminate against any person because of gender, race, ethnicity, age, sexual orientation, religion, belief or disability.

Copyright © 2023 Fonolive. All rights reserved.