Head of Cyber and Information Security

Proven Leadership: Significant experience leading multi-disciplinary cyber and information security teams, with a track record of delivering complex cyber programmes and developing high-performing teams.

Security Professional Certifications: Holds one or more industry-recognised certifications such as CISSP, CISM, CCISO or equivalent executive-level security certification

Incident Response Expertise: Demonstrable experience leading security investigations and incident response, including handling malware outbreaks, data loss events, and network intrusions.

Strategic Influence: Experience in setting and executing cyber and information security strategy, with the ability to engage, influence, and advise stakeholders at all levels, including senior executives and board members.

Risk and Compliance Management: Strong background in managing information and cyber security risks, with a proactive approach to identifying emerging threats and developing strategic mitigation plans.

Strategic Leadership

• Champion a security-first culture across MHRA, modelling Civil Service values and fostering professional development within the Information Security community.

• Develop and implement MHRA’s cyber security strategy in alignment with the Government Cyber Security Strategy, GovS 007, and NCSC guidance.

• Evaluate and continuously assess MHRA’s cyber security maturity, defining and delivering a roadmap to achieve target resilience levels.

• Identify and prioritise areas for cyber security investment, building business cases and securing executive support.

• Promote secure innovation by embedding security into agile delivery and emerging technologies, enabling safe experimentation and scaling.

Operational Delivery

• Lead the Cyber and Information Security team within DTG, ensuring effective budget management, workforce planning, and capability development.

• Oversee the cyber programme and operational security functions, ensuring delivery against strategic objectives and measurable outcomes.

• Direct cyber defence operations including threat detection, monitoring, incident response, and integration of threat intelligence.

• Provide technical assurance for new and legacy systems, embedding Secure by Design principles and architectural risk assessments.

• Define and maintain MHRA’s security architecture framework, ensuring alignment with enterprise architecture and secure development lifecycle practices.

• Promote cyber security awareness and behavioural change across MHRA, embedding good security practices at all levels.

Governance, Risk and Assurance

• Advise the SIRO, Security Risk Working Group, Board and senior department heads on cyber risk, threat landscape, and incident response readiness.

• Maintain oversight of MHRA’s Information Security Management System (ISMS), ensuring compliance with ISO/IEC 27001:2022, NCSC CAF, and other relevant standards.

• Lead assurance activities including internal audits, control testing, and third-party assessments to validate the effectiveness of security controls.

• Supporting the development and implementation of KRIs/KPIs to measure cyber risk exposure, control effectiveness, and compliance maturity.

Stakeholder and Supplier Engagement

• Act as the primary point of contact for cyber security matters across MHRA and with external partners including NCSC, DHSC, NHSE, and ALBs.

• Establish and manage a third-party risk management framework, including due diligence, contractual controls, and ongoing monitoring of supplier security practices.

• Ensure third-party suppliers meet MHRA’s security expectations and contractual obligations, delivering high-quality outcomes on time and within budget.