Head of Security – Cyber GRC
Job summary
The Head of Cyber Governance, Risk & Compliance (GRC) plays a pivotal role in protecting some of the UK's most critical national infrastructure. Reporting to the Security Principal, the role provides senior operational leadership for Cyber GRC and assurance across NHS England's complex and highly federated technology landscape.
NHS England operates at national scale, delivering and enabling services that are essential to patient safety, public trust and national resilience. This role operates at the heart of that system, ensuring that cyber risk is understood, governed and managed proportionately while enabling digital transformation at pace.
The post holder will lead the day to day delivery of the Cyber GRC function with delegated authority, managing specialist teams and exercising matrix leadership across cyber, digital and technology services. The role is focused on leading technological change, ensuring governance and assurance remain effective as services, operating models and platforms continue to evolve.
Cyber resilience is fundamental to the successful delivery of the NHS Long Term & 10 Year Health Plans. This role will help ensure that transformation and modernisation initiatives can be delivered safely, securely and without disruption from cyber incidents, supporting continuity of care and public confidence. It offers a rare opportunity to shape how cyber security enables, rather than constrains, one of the largest and most complex health systems in the world.
Main duties of the job
The post holder will provide senior operational leadership for NHS England's Cyber GRC function, acting under delegated authority from the Security Principal to ensure effective, proportionate governance across a complex, highly federated and evolving environment.
Key responsibilities include leading the operation and development of cyber governance, policy and risk management frameworks, ensuring security policies, standards and controls remain fit for purpose, aligned to business risk, and capable of protecting critical national infrastructure that underpins safe patient care and public trust. The role will oversee assurance activity against recognised frameworks and obligations, including ISO 27001, the NCSC Cyber Assessment Framework and nationally mandated requirements.
The post holder will lead the development and communication of high-quality cyber risk and resilience reporting, providing clear insight to senior leaders and governance forums to support informed decision-making during significant organisational, technological and service change.
Working in partnership with technology, operational and transformation teams, the role will embed security by design into services and programmes, supporting delivery of the NHS Long Term and 10 Year Health Plans. The role requires calm, credible leadership and resilience, balancing competing priorities while leading specialist teams and matrixed stakeholders through sustained change in a high-profile environment.
About us
NHS England has a wide range of statutory functions, responsibilities and regulatory powers. These are focused on supporting the wider NHS to deliver high quality care, as well as doing those things that are best done once for the whole NHS.
Our staff bring expertise across clinical, operational, commissioning, technology, data science, cyber security, software engineering, education, and commercial specialisms -- enabling us to design and deliver high-quality NHS services.
In March 2025, the Government announced that NHS England and the Department of Health and Social Care will increasingly merge functions, ultimately leading to NHS England being fully integrated into the department.
If you currently work within the NHS and if successful at interview, we will initiate an Inter Authority Transfer (IAT) via the Electronic Staff Record (ESR).This retrieves key data from your current or previous NHS employer to support onboarding, including competency status, Continuous Service Dates (CSD), and annual leave entitlement. You may opt out at any stage of the process.
Colleagues with a contractual office base are expected to spend, on average, at least 40% of their time working in our offices.
Staff recruited from outside the NHS will usually be appointed at the bottom of the pay band.
Job description
Job responsibilities
Please see the attached Job Description and Person Specification for more information about the role and responsibilities.
Please ensure your supporting statement includes demonstratable evidence and specific examples on how you meet the criteria for each of the key skills specified. This will be used in both the shortlisting and interview processes
Important: Please be aware there are residency requirements you need to meet:
All NHS England Cyber Security personnel must hold Security Clearance level as a minimum. To meet National Security Vetting requirements, SC clearances require 5 years continuous UK residency. In certain cases, this can be reduced to three years continuous UK residency, with additional overseas checks for the previous two years. Candidates who were posted abroad for service with HM Government, Armed Forces or within a UK government role - will still be considered.
Please make sure you meet these requirements before applying for this role. You dont need to have SC already, however, failure to achieve the requirements for SC after offer will result in the job offer being withdrawn. For further advice please check https://www.gov.uk/government/publications/united-kingdom-security-vetting-clearance-levels/national-security-vetting-clearance-levels#security-check-sc
Please be aware that should you be successful in this position, you will be hired to the job title of Head of Security and this job title is advertised to attract the right skills needed for the role.
The post of Head of Security has been awarded a Recruitment and Retention Premia (RRP) in response to current labour market conditions. In recognition of this, the role attracts an additional monthly RRP payment equal to 30% per annum.
Please be aware that RRP is non-contractual and subject to review
If you like what you have read and think you have the skills and experience, we need then don't delay, apply today! We get lots of applications for our roles and so we sometimes have to close our posts early. Don't miss out!
Person Specification
Knowledge
- Highly developed specialist knowledge of tools, techniques, approaches and processes of cybersecurity risk management; ability to ensure organisational network operation and minimise negative effect by cybersecurity risks.
- Detailed knowledge of and the ability to protect information and information systems while ensuring their confidentiality, integrity and availability.
- Specialist knowledge of technologies and technology-based solutions dealing with information security issues; ability to apply these in protecting information security across the organisation.
Skills & Experience
- Expert knowledge of IT security policies, standards, and procedures; ability to utilise a variety of administrative skill sets and technical knowledge to ensure cyber security compliance.
- Advanced specialist knowledge of the processes, tools and techniques of information security management, ability to deploy and monitor information security systems, as well as detect, resolve and prevent violations of IT security, to protect organisational data.
Qualifications
- Masters level degree in Cyber Security or relevant subject, or equivalent level of experience.
Disclosure and Barring Service Check
This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as CRB) to check for any previous criminal convictions.
Employer details
Employer name
NHS England
Address
Wellington Place, Leeds
Leeds
LS1 4AP
Employer's website
https://www.england.nhs.uk/about/working-for/