Job description

We are currently recruiting for a Global Information Security Governance, Risk & Compliance (GRC) Senior Manager join our London office to lead on all InfoSec risk and assurance related matters for the InfoSec, IT, and Client Audit teams.

Role purpose

• Client InfoSec requirement compliance – In partnership with the Client Audit Team, manage the process by which our clients audit A&O's information security controls. Review changes in client requirements in order to verify A&O's capability to comply, or recommend investment cases to meet control gaps. Prepare for and attend client audit meetings / visits. Liaise directly with senior client and internal stakeholders when negotiating control changes. Manage the workload of a team of international InfoSec assurance analysts in order to maintain the flow of client audit and remediation requests. Be the operational champion for process efficiency work and self-service projects in this space.
• InfoSec framework maintenance and governance – Own the maintenance of the ISO27000 series and SOC2 frameworks for the firm. Conduct the annual policy review & sign-off, and manage the process of external audit (at least 3 a year across multiple locations) of the frameworks. Prepare for and manage the ISO27001 and SOC2 governance meetings across the firm, bringing together senior stakeholders to review and to challenge progress.
• Technology risk process and the IT elements of annual financial audit – Lead the quarterly cycle of review and confirmation of the contents of the IT Risk Register with senior management in global technology. Manage the IT controls component of the annual external financial audit.
• Client facing incident response – In the event of an incident which requires client interaction work alongside the CISO to co-ordinate and front client facing InfoSec conversations.
• Global Security Champions community and InfoSec awareness materials – Lead regional security champions' knowledge sharing, training, and certification programmes. Make updates to the firm’s annual InfoSec compliance training and global InfoSec awareness training as and when required.
• Behavioural security testing – Lead initiatives, which test behavioural compliance with InfoSec standards including the global phishing testing, training and reporting capability within the firm.

Key relationships

• Supports the CISO in working with the business to develop and maintain security posture, policies and procedures.
• Works with Client Relationship Partners & the Client Audit Team to ensure client compliance expectations are met regarding Information Security at A&O.
• Works with the physical security and in-house legal teams to ensure a consistent and coherent approach to information security and security in general.
• Manages the global team of Information Security Assurance Analysts in the firm (the role has management responsibility for resources in EMEA (London & Belfast) and APAC (Singapore).

Role and responsibilities
Business / IT Strategy

• Support the CISO in clearly understanding risk across the global practice groups and support functions.
• Support the CISO and Senior Architect Security Assurance in selecting and defining the detailed controls which protect the firm.
• Support the CISO in developing and maintaining successful internal and external business relationships (at senior level) in order to understand existing and emerging security supplier capability, the cyber threat landscape including the geopolitical cyber threat landscape.

Supplier Management

• Maintain a broad understanding of how the organisation sources, deploys and manages external partners from a security capability perspective.
• Support the CISO in ensuring that supplier performance is properly monitored and regularly reviewed as defined by the Supplier Management Framework.
• Support the CISO in providing advice on policy and procedures covering the selection of suppliers, tendering and procurement.
• Works closely with the Procurement team to ensure all areas of commercial negotiation are documented and adhere to the Supplier Management processes.

Risk Management

• Operate the IT Risk Management framework for IT.
• Coordinate and monitor the development of risk treatment plans.
• Maintain the effectiveness of IT Risk management by reviewing and revising the IT Risk operating model when required.

Quality, Methods & Tools

• Facilitate improvements to processes using industry best practices, typically using recognised frameworks such as ISO27001 and SOC2.
• Support the CISO with the design and delivery of communication and training activities to update and refresh colleagues’ knowledge on quality standards.
• Take responsibility for the control, update and distribution of quality standards and advise on their use concerning InfoSec compliance.

Key requirements
Business Competencies

• Ability to develop good working relationships across the firm and effectively share knowledge between individuals and teams to contribute to the overall effectiveness of project and service improvement work.
• Commercial acumen including an understanding of the overall picture of how technology adds value to the business.
• High level of personal credibility, impact and influence at all levels of the organisation.
• Excellent communication and presentation skills, both oral and written.
• Ability to manage ambiguity and often conflicting priorities.
• Highly self-motivated, self-starter, who will undertake all activities to the highest professional standards.
• Experience of working in a global environment with an appreciation of multiple cultures.

Knowledge

• Sound practical knowledge of Cyber Security, particularly with regard to Cloud security, IT data network security and general IT infrastructure and software security.
• Expected to have a solid understanding of all major technologies used in Cyber Security including cloud technologies.
• Knowledge of technology trends.
• Knowledge and experience of working in ITIL environments.

Experience

• Extensive experience of Information Security and Cyber security leadership particularly from a policy, assurance and governance perspective.
• Track record of managing small teams across multiple locations globally.
• Some technical as well as policy background preferred, with a wide range of experience across multiple technical areas
• Proven experience of balancing technical, commercial and other issues to deliver business advantage.
• Experience in contract specification and schedule production.
• Experience of security and IT risk management.

Should you require additional support at any stage of the recruitment process due to a disability or a health condition, please do not hesitate to contact a member of Allen & Overy’s recruitment team who will work with you to provide any reasonable adjustments as required.  We are an equal opportunities recruiter and do not discriminate on the basis of race, colour, sex, religion, sexual orientation, national origin, disability, or any other protected characteristic.

Additional information - External

Allen & Overy is a leading global law firm operating in over thirty countries. We work on some of the most challenging and important deals and have built a reputation for delivering exceptional legal solutions that help our clients grow, innovate and thrive. The legal industry is changing, and we're committed to leading that change, putting our people first, embracing new ways of thinking and integrating technology into our everyday work. Our business teams work hand-in-hand with our lawyers, Consultants and other specialist teams, and are ambitious, driven and leaders in their field.

With us, you will constantly be learning and growing. We invest in you by offering exceptional professional and personal development – providing training, mentoring and practical support. We offer rewarding careers that are built around your strengths and designed to ensure you can achieve your personal and professional goals, recognising that those may look different for everyone.

We have a powerful commitment to diversity, equity and inclusion. We’re determined to play our part in advancing a workplace where progress is made by harnessing our differences – whatever defines you, we ask you to bring your whole self to work.

What truly defines a career at Allen & Overy? We recruit the best and ask for the best of you. We provide challenge, support and a place for you to belong. And together we excel, working on meaningful projects of global significance.