Purpose of Role:

The purpose of the role is to ensure the right security policies are in place with the right level of requirements following Diageo's risk appetite and tolerance. The role has to ensure that there is sufficient oversight on the embedment of the policy requirements in line with the IT Security & Control framework and non compliances and exceptions are managed. Risks and strategy is aligned with our policies.

• Ensure security policies are in place, up to date and follows the framework of the choice (NIST, ISF, ISO27x)
• Set up and monitor metrics to inform management on the embedment of the policies

Ensure that every function in Diageo has the right level of awareness of these requirements working with the IM&S outreach team.

Top 3-5 Accountabilities:

• Maintain and regularly update IM&S security policies, standards and guidelines.
• Define governance and monitoring requirements for policies
• Define process to manage exceptions to defined requirements
• Own and continuously improve policies and processes in relation to requirements set out in policies and exceptions
• Ensure stakeholders are fully aware of the level of embedment
• Work with other D&T functions and in IM&S namely security solution architects, risks leads, communications to identify potential improvement areas and increase security maturity of Diageo
• Ensure potential gaps are highlighted and action plans are created and agreed to in agreement with other D&T and IM&S stakeholders
• Drive the remediation of identified gaps, ensure timely delivery
• Assess changes in external regulatory landscape and their impact on our internal requirements
• Help in Training and awareness by developing security awareness training program for employees

Capabilities:

• Cyber security

Has a deep understanding of security concepts and principles and can apply them in real world scenario

• Risk and control effectiveness

Has a deep understanding of critical business processes and controls and uses wide experience to identify priority risks for the business. Actively applies leading edge audit capabilities to generate insights into business issues and deliver high quality solutions.

• Risk evaluations and mitigation

Proactively leads the development of highly effective and creative risk mitigation approaches and communicates value of the discipline to the business. Utilises a highly effective style of facilitation.

• Commercial understanding and judgement

Able to use extensive knowledge of Diageo business and the external environment to anticipate business issues. Constantly demonstrates ability to influence strategic decisions across the business.

• Consulting

Generates insights into issues quickly, prioritises effectively and develops solutions that drive the business forward. Highly valued for ability to deliver independent and unbiased advice. Respected for personal stance and ethical approach.

• Conceptual and analytical rigour

Identifies how best to analyse strategic options, chooses and applies the most appropriate tools/techniques. Participates in leading the business in the selection of the right strategic options. Leads others through the creative process of developing alternatives to strategic issues.

• Be authentic

Build great relationships with those you work with, both internally and externally

• Consistently deliver great performance

Have a positive outlook; channel your energy into finding opportunities and solutions even in times of uncertainty and ambiguity

Qualifications and Experience Required:

• Information Systems / Information Technology degree
• Excellent English, both written and spoken
• Minimum 4-5 years of Cyber Security experience
• Risk Mindset - Ability to identify risks and can apply them to broad areas
• Ability to communicate in an effective way
• Good ability on prioritisation, urgency and problem solving
• Good project management skills
• Experience with advanced Microsoft tools is an advantage (Powe BI, Power Apps)
• Knowledge of cloud security and compliance (e.g. Azure, AWS)
• Security qualification (i.e.: CISSP, CISA, CISM, SANS, etc) is a plus