Lead GRC Manager

Posted 1 day 17 hours ago by Lebara Media Services Private Ltd

£80,000 - £100,000 Annual
Permanent
Full Time
I.T. & Communications Jobs
London, United Kingdom
Job Description

The Lead Governance, Risk & Compliance (GRC) Manager is responsible for establishing, operating, and continuously improving the organisation's enterprise-wide compliance, risk, and security governance frameworks. This senior leadership role requires deep expertise across regulatory, industry, and cybersecurity standards, specifically the UK Telecom Security Act, PCI DSS, ISO/IEC 27001, and NIS 2. You will act as the organisation's authoritative subject matter expert, ensuring end-to-end compliance, overseeing risk posture, and enabling secure and resilient operations through structured governance and proactive risk management.

Responsibilities
  • Governance & Compliance Leadership
    • Lead the design and operation of the organisation's GRC strategy, ensuring alignment with business objectives and regulatory obligations.
    • Serve as the principal authority on:
      • Telecoms Security Act (TSA) & Code of Practice
      • Payment Card Industry Data Security Standard (PCI DSS)
      • ISO/IEC 27001 Information Security Management System (ISMS)
      • NIS 2 Directive requirements & associated national legislation
    • Maintain and continuously improve compliance roadmaps, policies, and controls across the enterprise.
    • Oversee the governance framework, ensuring effective risk ownership, reporting, and leadership engagement.
  • Risk Management
    • Lead the enterprise risk management (ERM) programme, ensuring risks are identified, assessed, prioritised, and treated effectively.
    • Own the corporate risk register and report regularly to senior leadership, audit committees, and regulatory stakeholders.
    • Design and implement risk assessment methodologies to support security, operational, and regulatory decision-making.
  • Security Assurance & Control Oversight
    • Drive internal and external audit cycles (TSA compliance, PCI assessments, ISO 27001 audits, NIS 2 evaluations).
    • Oversee testing of security controls, including assurance reviews, control maturity assessments, and continuous compliance monitoring.
    • Ensure remediation actions are managed through to completion and embedded into business processes.
  • Regulatory Engagement & Reporting
    • Support business units during their contact with regulatory bodies and national CSIRTs/competent authorities for NIS 2.
    • Prepare and deliver accurate regulatory submissions, compliance evidence, incident notifications, and executive reporting.
  • Policy, Standards & Framework Development
    • Develop, own, and maintain enterprise information security policies and standards.
    • Ensure policies reflect current legal, regulatory, and industry practices, and are adopted consistently across the organisation.
    • Foster a strong risk-aware culture through training, awareness, and stakeholder engagement.
  • Cross-Functional Leadership
    • Lead a high-performing GRC team and influence stakeholders across engineering, operations, legal, procurement, and product functions.
    • Provide expert guidance on secure-by-design initiatives and supplier risk management.
    • Support major programmes and transformation initiatives, ensuring compliance and risk considerations are integrated from inception.
Skills
  • Extensive experience working with:
    • UK Telecom Security Act & Code of Practice (TSA/SRF)
    • PCI DSS v4.0 including SAQ/ROC, segmentation, and control validation
    • ISO/IEC 27001:2022 and associated 27000 series standards
    • NIS 2 Directive, cybersecurity measures, governance requirements, and incident reporting obligations
    • NCSC Cyber Assessment Framework
  • Strong understanding of risk management frameworks (NIST, ISO 27005, ISO 31000, COSO).
  • Experience managing audits, external assessors, and regulatory reviews.
  • Solid knowledge of threat landscapes and operational security best practices.
  • Solid grounding in information security principles, controls, and assurance practices.
  • Experience overseeing technical and non-technical security controls.
  • Ability to shape long-term GRC strategy aligned to business objectives.
  • Strong understanding of network security, telecoms architecture, and cloud platforms.
  • Experience with security tooling and GRC platforms such as OneTrust.
  • Proven ability to lead, coach, and develop a high-performing GRC team.
  • Skilled at influencing cross-functional stakeholders without direct authority.