Cyber Policy Lead

Job Description

Overview

Cyber Policy Lead – Division: Operations, Cyber and Information Resilience. This Senior Associate, Regulatory position is based in Edinburgh, Leeds, or London with a salary range of £53,800-£65,000 nationally and £59,200-£70,000 in London, determined by skills and experience. The role sits within the Policy & Risk team in the Governance and Human Risk function and focuses on managing and maintaining the Cyber & Information Resilience Policy Framework, including associated standards, procedures and guidance.

Responsibilities

• Maintain and refresh the cyber policy framework by managing policy and standards updates in line with agreed review/refresh cycles and making out-of-cycle updates where material changes are required.
• Modernise and simplify the policy & standards suite, exploring improved formats such as “standards on a page” to increase usability and adoption across the organisation.
• Serve as the FCA-wide point of contact for policy requirements, handling BAU and project-related queries and providing clear, consistent interpretations of published requirements.
• Manage and track policy non-compliance and exceptions, including owning and modernising the Policy Waiver process and ensuring issues are surfaced and understood by relevant stakeholders.
• Conduct policy gap analysis and horizon scanning, identifying emerging risks, regulatory/industry changes and required updates to keep the framework current and effective.
• Support the articulation of the organisation’s Cyber Risk Appetite through the policy framework, ensuring requirements align to risk tolerance and are understood across the business.
• Enable a new self-service policy model for low-risk projects, helping define requirements and controls that balance agility with the FCA’s risk appetite.
• Provide reporting and governance support by assisting the Risk lead with controls performance measurement and supporting the GHR Manager/CISO with reporting on cyber issues, audit/risk engagements and organisational non-compliance; additionally supporting specialist investigation teams and HR with policy interpretation where needed.

Skills Required

• Minimum experience in designing, drafting and maintaining policies, standards and procedures across their full lifecycle.
• Solid working knowledge of industry standards such as ISO 27001, NIST Cybersecurity Framework (CIS) and CIS Controls.
• Security domain knowledge – understanding of technical security controls including network security, cloud security, identity and access management and vulnerability management.
• Working knowledge of information management practices and data privacy legislation.
• Proven record in stakeholder management at all levels, including director level, and in delivering organisational change.
• Risk identification, articulation and management experience.

Benefits

• 25 days annual leave plus bank holidays.
• Non-contributory pension (8-12% depending on age) and life assurance at eight times salary.
• Private healthcare with Bupa, income protection and 24/7 Employee Assistance.
• 35 hours of paid volunteering annually.
• Hybrid model – minimum 40% of time in the office each month, with a 50% expectation for senior leaders and 60% for directors and executive directors.
• Flexible benefits scheme designed around your lifestyle.

EEO Statement

We are committed to fostering a diverse and inclusive culture that is free from discrimination and bias, celebrates difference and supports colleagues to deliver at their best. We welcome diverse working styles and aim to find flexible solutions that suit both the role and individual needs, including part-time and job sharing where applicable. If you require adjustments due to a disability or condition, we will tailor support. As a Disability Confident Employer, people or individuals with disabilities and long-term conditions who meet the minimum criteria will progress to the next stage of the recruitment process.