Chief Information Security Officer

In this senior leadership role, you will own and drive cyber security strategy, governance and operational resilience across Surrey County Council's complex hybrid environment. Your typical week will include:

• Leading cyber risk management, governance forums and assurance activity across IT&D, ensuring risks are identified, assessed and clearly reported to senior stakeholders.
• Overseeing incident preparedness and live response, including coordination with suppliers, IT operations and information governance.
• Providing expert direction on security technologies, control effectiveness, logging/monitoring, and vulnerability management priorities.
• Setting clear security expectations and driving cultural change across service owners, technical teams and leadership groups.
• Developing and maintaining cyber policies, standards and evidence based reporting.

This is a hands-on leadership role where strategic thinking and operational decision-making are equally important. You will hold line management responsibility for the cyber security function, including analysts or virtual team members through matrix management, and provide leadership and direction across IT&D and supplier teams.

Within your first 12-18 months, you will be expected to lead or significantly contribute to:

• Delivery of a refreshed cyber security strategy and multi year improvement roadmap
• Establishment of strengthened cyber governance, including improved reporting, risk tracking and decision making structures
• Implementation of a formal cyber exercising programme (tabletop and technical) across IT&D, information governance and key suppliers
• Measurable improvements in vulnerability management, logging/monitoring coverage and supplier assurance
• Significant uplift in incident response maturity, including documentation of playbooks, interfaces and recovery expectations.

This role is central to strengthening the resilience of essential public services. You will directly shape the council's ability to manage and reduce cyber risk, influence technology and service design decisions, and embed a cyber aware culture across one of the UK's largest local government environments. With a dedicated investment programme to drive security improvements, you will have a significant opportunity to transform how the organisation protects its people, data and systems.

• Significant senior cyber security leadership experience in a complex organisation
• Strong capability to operate strategically and hands on, delivering measurable security improvements
• Deep understanding of cyber risk management, governance and assurance frameworks
• Proven experience leading cyber incidents, including response coordination and exercising
• Excellent communication and stakeholder influence skills across technical and non technical groups
• Familiarity with NCSC aligned approaches and/or frameworks such as NIST CSF
• Relevant professional qualifications such as CISSP or CISM

This role has a starting salary of £70,975 per annum, for working 36 hours per week., * 26 days' holiday, rising to 28 days after 2 years' service and 31 days after 5 years' service (prorated for part time staff)

• Option to buy up to 10 days of additional annual leave
• A generous local government salary related pension
• Up to 5 days of carer's leave and 2 paid volunteering days per year
• Paternity, adoption and dependents leave
• An Employee Assistance Programme (EAP) to support health and wellbeing
• Learning and development hub where you can access a wealth of resources
• Wellbeing and lifestyle discounts including gym, travel, and shopping
• A chance to make a real difference to the lives of our residents., To apply, we request that you submit a CV and you will be asked the following 4 questions:

1. What steps would you take in your first few months to understand our cyber risks and priorities?
2. Can you describe a complex cyber incident you have led, including how you coordinated the response and what improvements were implemented afterwards?
3. How do you balance strategic cyber security planning with hands on delivery to ensure both long term resilience and quick, tactical gains?
4. Which cyber security governance or risk management frameworks (e.g., NCSC CAF, NIST CSF) have you implemented, and how have they influenced decision making and assurance in your previous organisations?