Information Security & Data Governance Lead (US)

About The Position

Requirements

• Significant experience in information security, cybersecurity GRC, or IT governance roles
• Proven experience implementing data governance frameworks
• Strong understanding of international data protection and cybersecurity regulations
• Experience working within regulated environments
• Familiarity with ISO 27001, NIST, or equivalent frameworks
• Experience supporting audit and compliance processes

Nice To Haves

• Experience in the energy, utilities, or critical infrastructure sector
• Exposure to Operational Technology (OT) environments
• Professional certifications (e.g., CISSP, CISM, CRISC, CISA, CDMP)
• Experience with GRC tools (e.g., ServiceNow GRC, RSA Archer, MetricStream)

Responsibilities

• Develop, implement, and maintain information and cyber security policies, standards, and procedures
• Ensure alignment with recognized frameworks (ISO 27001, NIST CSF, CIS Controls)
• Conduct risk assessments across IT, cloud, and Operational Technology (OT) environments
• Support incident response planning and continuous improvement of security controls
• Embed secure-by-design principles into infrastructure and operational systems
• Establish and maintain an enterprise data governance framework
• Define and enforce data classification, handling, retention, and protection standards
• Ensure compliance with international data protection regulations including GDPR, UK Data Protection Act, and applicable US privacy laws
• Promote data ownership, stewardship, and accountability across business units
• Support data quality, integrity, and lifecycle management
• Ensure compliance with applicable cybersecurity, data governance, and energy sector regulations
• Lead and support internal and external audit activities, including evidence collection and remediation tracking
• Maintain enterprise risk registers and compliance reporting
• Continuously monitor global cyber and data regulatory changes
• Assess impact of regulatory developments and update internal policies, standards, and procedures accordingly
• Ensure compliance is maintained across all regions of operation
• Design and deliver enterprise cybersecurity awareness programmes
• Conduct phishing simulations and risk-based awareness campaigns
• Tailor training for corporate and operational (OT) environments
• Measure effectiveness and drive continuous improvement in user behaviour
• Act as subject matter expert and advisor on security, governance, and compliance matters
• Administer and support third-party/vendor risk management programme
• Provide reporting and insights to leadership on security posture, regulatory changes, and risk exposure
• Contribute to the continuous improvement of governance, risk, and compliance (GRC) capability
• Member of change management board and contributor to change management process
• Stop work by challenging and stopping unsafe acts and behaviours or unsafe conditions.
• Comply with Standard Operating Procedures defined in Responsibilities above, and company STOP WORK system.
• Ensure that cybersecurity considerations support safe and reliable operational environments, particularly within OT systems