hackajob is partnering with UK Biobank to fill this position. Create a profile to be automatically considered for this role—and others that match your experience.
JOB DESCRIPTION
JOB TITLE: Director of Information Security
DEPARTMENT: Data and Technology
REPORTS TO: Chief Technology Officer
DIRECT REPORTS: 5-10
LOCATION: UK Biobank’s facilities in Greater Manchester (Initially based in Stockport with a move to Greenheys in 2026) for 2-3 days per week, with occasional travel to partner sites in Oxford & London.
Reporting to the Chief Technology Officer, this role provides strategic leadership for the organisation’s information security posture, setting the long‑term vision and operational direction required to protect critical data, systems, and services.
The role holder will oversee a team of specialist staff responsible for all aspects of information security, including Governance, Risk and Compliance, Identity Management, Business Continuity, Cyber and Physical Security. They will also be accountable for the security of UK Biobank’s participant data, as well as the cloud platforms and third-party organisations involved in data processing.
Representing information security at Executive, Board, and Committee meetings, the role holder will establish a high degree of trust, confidence, and authority. They will also translate risks and regulatory obligations into clear and actionable insights, and drive a strong, organisation‑wide security culture while ensuring that security practices enable, rather than constrain, the organisation’s need to innovate and grow.
PRINCIPAL DUTIES AND RESPONSIBILITIES:
• Develop and implement a comprehensive information security strategy aligned with strategic objectives and organisational risk tolerance.
• Build, manage, and lead the information security team, providing direction and support to ensure effective implementation of security controls.
• Conduct regular risk assessments, audits, tests, and modelling to identify and evaluate vulnerabilities and potential threats.
• Oversee the performance of the organisation’s Managed Security Operations Centre.
• Prioritise and oversee the implementation of controls and other safeguards designed to mitigate risks and enhance the organisation's security posture.
• Provide regular updates to the executive leadership team and represent information security at board, audit, and governance committees.
• Produce reports on security posture, risks, emerging threats, priorities, progress, and compliance status.
• Establish and track a range of metrics to measure and assess the performance of information security controls and countermeasures.
• Establish and enforce information security policies, procedures, and guidelines aligned with standards and frameworks, particularly ISO27001 and the NCSC Cyber Assessment Framework, as well as regulatory requirements and industry best practices.
• Stay updated on relevant laws and regulations regarding information security. Ensure that the organisation’s practices comply with these requirements, liaising with regulatory bodies and auditors as necessary.
• Establish and maintain governance structures to ensure oversight and accountability for security practices.
• Conduct security risk assessments of third-party suppliers and partner organisations.
• Set and require contractual standards for suppliers and partners and monitor for ongoing compliance.
• Ensure that critical data and assets have been identified, classified, and subject to appropriate controls, including for handling, ownership, and destruction.
• Perform business impact assessments as part of business continuity planning, identifying priorities and overseeing recovery testing and simulations.
• Develop incident response plans to ensure security incidents are responded to and dealt with in a timely and effective manner.
• Lead the organisation’s response to major cyber incidents, including providing out-of-hours and crisis-level support when required.
• Oversee and support the communication, investigation, and reporting of security incidents to key stakeholders, including Legal teams and external bodies.
• Stay abreast of emerging threats, vulnerabilities, and other developments that might impact the organisation’s resilience.
• Promote and communicate a culture of security awareness so all staff understand their role in maintaining information security.
• Oversee the delivery of a security awareness, education, and training programme for all staff.
• Manage the Information Security budget, set investment priorities, and contribute to financial planning.
PERSON SPECIFICATION
Essential Knowledge and Experience:
• Significant experience in information security management, with a proven track record of leadership in the field.
• Relevant industry certifications, preferably CISSP, CISM, or CCISO.
• Strong knowledge of information security standards, frameworks, and best practices. Previous experience of ISO27001 is a key requirement; knowledge or experience of the NCSC Cyber Assessment Framework and/or the NHS Data Security and Protection Toolkit is highly desirable.
• A clear understanding of the laws and regulations associated with controlling and processing personal data, including medical records.
• Strong knowledge and understanding of risk management.
• Experience working with Security Operations Centres to develop and extend the organisation’s monitoring and response capabilities.
• Experience leading business continuity planning exercises and directing organisational responses to cyber incidents.
• Strong knowledge and understanding of the cyber threat landscape, including the threats and opportunities presented by AI.
• Experience securing cloud environments, with knowledge of the vulnerability detection tools and security services available in AWS and/or MS Azure.
• Experience deploying preventative measures across networking, end-user compute, identity and access management, software development, and business operations to minimise the likelihood of security incidents.
• Experience of recruiting specialist staff and building teams.
• Experience with training and developing existing staff, including through coaching and mentoring.
• Experience of defining and monitoring KPIs and other management metrics.
• Experience of managing budgets, and knowledge of financial planning and controls.
Desirable Knowledge and Experience:
• Degree, or higher degree, in a related discipline.
• Management or leadership qualification.
• Experience of formal project management methods.
• Knowledge of governance frameworks (e.g. COBIT).
• Evidence of working collaboratively across multi-disciplinary groups in academic and other organisations.
• Knowledge of the evolving healthcare information environment in the UK.
Skills and Competencies:
• Excellent verbal communication skills with the ability to engage effectively with technical and non-technical stakeholders at all levels.
• Excellent written communication skills with the ability to produce clear and concise documentation.
• Proven leadership and people management skills with the ability to build relationships, set expectations, and influence results.
• Strategic thinker with strong operational execution capability.
• High ethical standards and commitment to the protection of personal and sensitive data.
• Calm and decisive under pressure.
• Ability to balance security, usability, and innovation.
• Strong analytical and problem-solving abilities.