Cyber and IT Risk Manager

Vacancy: Cyber and IT Risk Manager

The Purpose of the Cyber & IT Risk Manager is to complement and enhance Johnson Matthey’s cyber security and IT/OT risk posture by identifying, assessing, analysing and communicating IT and cyber-security risks, and both the existence and efficacy of controls relating to those risks. The role is responsible for ensuring that the organisation understands, prioritises and appropriately manages its cyber and IT risks, with clear ownership and action plans being defined and progressed.

Johnson Matthey, a FTSE 250 company, is a global leader in sustainable technologies specialising in catalysis, precious metal products, chemicals and process technology. With operations in over 30 countries, we employ more than 13,000 people. Johnson Matthey uses science to make the world cleaner and healthier. Over the past two centuries we have built our reputation and place as a global leader through quality, integrity, and innovation. Today, more than 93% of the group's sales come from products and services which provide sustainability benefits through the positive impact they have on the environment, resource efficiency and human health, but that’s not enough. We have ambitious plans for growth and need talented individuals to help shape and lead us into our next century.

• Develop, implement, schedule and drive a cyber and IT risk management program which includes regular assessment, prioritisation, and review of remediation and mitigation activities, with clearly defined management ownership.
• Ensure that the risk management program is aligned with business priorities and risk appetite, assessing and clearly communicating those risks in a non-technical, easily digestible manner that ensures all stakeholders can make informed decisions on these risks.
• Ensure that risks are assessed, recorded and communicated at the appropriate level of detail for both the audience and their effective mitigation, including maintaining a clear view of the linkages to enterprise-level (principal) risks and what actions drive a reduction in those risks. Ensure a clear risk hierarchy.
• Engage with senior leaders across both IT and business units to drive pragmatic action plans for mitigation, including supporting the development of business cases.
• Developing and maintaining risk management processes, procedures, and tools to ensure timely identification, assessment, and mitigation of risks.
• Own and manage the security impact assessment process, ensuring that JM gains early visibility of potential risks associated with proposed changes. Ensure that this process is linked to the wider risk management process, with appropriate visibility provided to relevant stakeholders.
• Own and manage the third-party risk management process, ensuring an effective prioritisation and tiering model is in place to identify and assess third parties that pose the most significant risk to JM. Ensure a clear third-party risk reporting capability is in place to enable JM to make appropriate decisions regarding its third-party risk profile.
• Developing, maintaining and operating cyber and IT controls assurance processes, including being responsible for the JM ITGC framework and ensuring system owners understand their responsibilities.
• Conduct thorough assessments of control environments, systems, processes, and practices to identify control gaps, including those associated with audit actions, customer and stakeholder requirements. Ensure effective action is taken to resolve any issues and identify root causes and remediations that can be addressed through continual improvement.
• Act as point of contact and co-ordination for cyber and IT-related audits, ensuring accurate information is provided and collating inputs from relevant teams.
• Keep up to date with regulatory and legislative developments relating to cyber and IT, identifying and assessing any changes that are relevant to JM and developing recommendations and action plans, communicating these as necessary to senior management.

• Experience and knowledge of cyber and IT controls and supporting associated audits
• Technical and/or practical experience of:

Cyber security controls/capabilities and relevant standards e.g. ISO27001

IT controls implementation and assurance, including but not limited to IT general controls

Enterprise software capabilities and technologies, including but not limited to ERP, CRM, enterprise operating systems (e.g. Windows/Linux)

Relevant legislation such as NIS2, GDPR and Computer Misuse Act

Relevant industry standards such as MITRE and NIST

Risk management best practices

• Demonstrable experience in technology security-related roles, with demonstrable experience of identifying and managing information security risks in complex or critical scenarios
• IT and/or cyber-security risk management experience
• Knowledge and experience of writing technical reports, documentation, policies and standards accurately and to designated timescales.
• Understanding of enterprise IT infrastructure and architectures

We offer a competitive compensation and benefits package including bonus, excellent pension contributions and 25 days annual leave (varies for shift-based roles).

At JM, an inclusive culture is integral to our values and ambitions for the future. We are committed to ensuring that everyone can bring their full self to work and thrive in their career. Welcoming everyone to JM, regardless of their unique characteristics, experiences or thoughts allows us to bring many different voices and experiences together to tackle the world's biggest challenges. Being truly inclusive means that all colleagues feel valued for their differences, views and contributions, and feel a sense of belonging at JM.

Johnson Matthey is open for discussion on part time, job share and flexible working patterns

Closing date for applications: This job advertisement will be posted for a minimum of 2 weeks, early application is advised.

For any queries or should you require any reasonable adjustments to support your application please contact globalrecruit@matthey.com.

To submit your application, please click the "Apply" button online.

All applications are carefully considered and your details will be stored on our secure Application Management System. This is used throughout Johnson Matthey for the selection of suitable candidates for our vacancies as they arise. Johnson Matthey respects your privacy and is committed to protecting your personal information.

For more information about how your personal data is used please view our privacy notice: Johnson Matthey Privacy Notice. By applying for this role and creating an account you are agreeing to the notice.

Johnson Matthey Plc is an equal opportunities employer and positively encourages applications from suitably qualified and eligible candidates regardless of sex, race, disability, age, sexual orientation, marriage or civil partnership, pregnancy or maternity, religion or belief.