We are Direct Line Group – home to some of the country’s best-known brands including Direct Line, Churchill, Privilege, Greenflag and NIG. Our vision is to create a world where insurance is personal, inclusive, and a force for good, and our purpose is to help people carry on with their lives, giving them peace of mind now and in the future.
To help us deliver on this vision and purpose, we are evolving into a forward-thinking technology and data company. Following a significant build and transformation of our core assets, combined with a move to Agile ways of working for segments of our business, the next wave of our maturity brings incremental, fast-paced delivery underpinned by a cohesive multi-year technology and architecture strategy and a refreshed Information and Security strategy. We want purpose-led technology in service of sustainable growth, changing market conditions and rapid progress, so that we can meet the expectations of our customers. To do this creatively, safely and securely, and to grow our business even further, we need the right environment and culture.
A Chief Information and Security Officer (CISO) is required to accelerate this work and to lead a community of 100+ security experts, creating a world-class Information and Security team. As DLG brings new and exciting products to customers, the safety and security of the Group's digital, data and technology estate is a prerequisite and a priority: it is what earns the business the right to execute further on the digital and data strategy.
This role will create healthy tension across the group – challenging and pushing for speed to market, but ensuring ALL initiatives can flourish, safely and securely.
The complexity of the role, and the natural tension it will create, require leadership behaviours that stretch and push DLG, with collaboration as a higher-order capability. Reporting to our newly arrived Group CIO, this role is part of a new Technology Leadership Team that will drive our evolution over the next 3 years.
What does this role involve?
It's a group-wide role covering all of our brands. It holds first-line-of-defence responsibility for thought leadership, policy, strategy and frameworks for IT Security & Operational Resilience, in support of a secure and resilient operation.
You'll be accountable for leading and managing the Cyber Security & Resilience, Data Privacy, Technology Risk and Operational Resilience functions, balancing the growth and development of the business with the priority of doing so safely and securely for customers and colleagues at all times. We want to create a narrative that takes everyone in Direct Line Group through the purpose and reason to believe in Information and Security as a force for good!
You'll be responsible for ensuring that technology controls secure access to sensitive data (e.g. customer, colleague and commercially sensitive information) and protect us from breaches of confidentiality, integrity and/or availability. You will need to create and role-model an environment in which all colleagues can comply with their obligations under relevant privacy and data protection legislation.
As the primary contact for Information & Technology Security in DLG, you will need to work collaboratively with the second and third lines of defence, and you will need previous experience of leading and motivating technical, delivery and partner (3rd party) experts, both directly and through influence. You will need to build a team and a community, and be someone who inspires others.
Influencing is key: presenting organisation-wide security issues and risks, and making a DLG security culture and best practice a positive experience for colleagues. Embracing an Agile operating model, providing expert advice and guidance in developing the security strategy, engaging with projects, and ensuring effective operational security controls are established, including the oversight and enforcement of minimum standards for security and data privacy, is crucial. We need to be secure while working agile!
There will be complex planned technology change over the next 5 years. Supporting this, whilst also leading unplanned response and recovery from crisis events (such as Covid-19, large-scale technology failures and cyber security incidents), requires this role to lead through challenging times if and when they happen. Leading and managing the Operational Resilience practice will require a clear view of how the organisation can prevent, respond to, recover from and learn from operational disruptions, in order to maintain the provision of products and services and remain compliant.
People leadership is an essential part of the role, both direct people management and influencing and inspiring others across DLG and the wider industry.
There will be regular reporting to the Board Risk Committee and the Risk Management Committee, supporting Ash, our CIO, on Technology Risk and Cyber Security Risk Appetite. Taking part in wider DLG Executive Committee and Board cyber security training as required is also a key part of this role in the years ahead.
What You’ll Need
- We're open to candidates from any industry, but would expect a deep understanding of customers and an interest in the insurance business and its future direction
- Experience of the NIST security framework, with real-world examples of transforming an organisation and delivering measurable maturity against it
- Understanding and management of third-party Information Security risk in the supply chain and the oversight of the organisation’s Payment Card Industry (PCI) Data Security Standard (DSS) requirements. The Cyber Defence & Oversight practice sits within this role’s remit.
- Understanding of the SAFe (Scaled Agile) enterprise delivery framework and of best practice in other delivery frameworks (APM, PRINCE2)
- Ability and experience to maintain a holistic view of Information & Technology Security threats across the business, developing effective risk management strategies aligned to the Group Strategic Plan and the OKRs for discretionary change, whilst also scanning external threat vectors
- Experience of developing an enterprise-wide security architecture strategy, blueprints and processes which ensure that the strategic application of security is embedded in the management of the technology environment. Gravitas to lead through ambiguity, whilst clearly communicating the current, future and linked strategies for the CISO organisation
- Ability to apply strategic and innovative thinking to problem-solving
- The Cyber Intelligence practice sits within this team, so experience of supplier/partner vulnerabilities, emerging cyber threats and continual review of the strategy is essential
- Ability to navigate the complex interlinks between technology architectures, processes and business benefits, in the context of cyber, security and resilience
- Strong views on how security engineering can create options and deliver outcomes that support growth, safely, for customers and colleagues
- An end-to-end mindset regarding Information and Security, with a particular focus on collaboration, whilst developing and challenging the status quo (thoughtfully!)
- Leadership capability aligned to the DLG Behaviours at a senior level (e.g. being curious, empowering teams, being aligned on outcomes, testing/learning/adapting, building trust, and encouraging simplicity), having worked in a large organisation.
- Being comfortable and approachable at all levels – from junior engineers to Board
- Understanding of how to build long-term relationships with partners to deliver multi-year strategic plans, and of the need to adopt emerging technologies as security tooling changes over the next few years
- Strategic thinker who brings strong, confident thought leadership coupled with commercial pragmatism and a healthy sprinkling of evangelism
Ways of Working
Here at Direct Line Group, we recognise the importance of flexibility, not only in our personal lives but also in the way we work. Our mixed model way of working offers a ‘best of both worlds’ approach combining the best parts of home and office-working, offering flexibility for everyone.
We’ve ditched the daily commute for a virtual first approach. If you do come into the office, there are exciting workspaces and zones you can use, depending on the type of work you are doing.
How much you’ll be in the office depends on your role, and we’ll consider the flexible working options that work best for you. Please get in touch with the team to discuss!