Job Description
About Us
IAG Transform is part of International Airlines Group (IAG), one of the world’s leading airline groups. We provide creative and innovative solutions to drive sustainable transformation across procurement, technology, AI and AI-driven innovation for IAG’s operations.
Purpose of the role
The Head of Cyber Governance and Assurance is accountable for establishing and leading the Group-wide cyber governance, risk and assurance function across International Airlines Group (British Airways, Iberia, Vueling, Aer Lingus, LEVEL, IAG Cargo, IAG Loyalty, and IAG Transform). The role builds a risk led, threat informed and resilience focused assurance programme that integrates Cloud and IT Resilience / Disaster Recovery assurance, continuous KPI monitoring, vulnerability remediation assurance, and business continuity/crisis response readiness assurance. The Head of Cyber, Risk & Assurance is a senior leadership role within IAG Group Cyber Security & Technology, accountable for building and running an independent function that provides accurate, evidence based assurance over the Group’s cyber security and technology risk posture.
Responsibilities
- Strategy & Operating Model Leadership
Define and maintain the Group Cyber, Risk & Assurance Strategy, aligning IAG’s risk appetite, regulatory requirements, threat landscape, and business priorities. Establish a cohesive assurance operating model, integrate IT Resilience and DR assurance, strengthen KPI monitoring, and lead continuous assurance processes. - Group-Level Cyber Risk Management
Own and maintain the IAG Group Cyber Risk Register; define, maintain, and review the Group Cyber Risk Appetite Statement; conduct structured risk assessments at Group level; develop and maintain a cyber risk taxonomy; ensure timely escalation of group-level risks; engage with OpCo risk functions; enable risk informed investment decisions with quantified business impact. - Resilience, Crisis Readiness & Recovery Assurance
Provide Group-level assurance over IT/Cloud Resilience, backup/recovery capabilities, and disaster recovery test execution. Drive the evolution from periodic testing to continuous assurance, improving coverage and reducing manual effort. Oversee cyber crisis response readiness, simulation testing, and crisis playbook validation. - Policy Assurance
Assure compliance with IT and Cyber Security Policies across all OpCos. Maintain a compliance assurance program, report on OpCo policy compliance status, track exceptions, waivers and remediation plans, and ensure Group minimum standards are interpreted consistently. - Oversight, Governance & Quality Assurance
Design and own the IAG Group Cyber Assurance Framework; develop the Assurance Plan; conduct active assurance reviews; maintain a Data Accuracy and Validation Framework; employ automated data feeds and telemetry for monitoring; maintain a consolidated Findings and Remediation Tracker; provide structured feedback loops to OpCo CISOs. - Reporting & Executive Engagement
Provide Group-level reporting on assurance effectiveness and remediation progress; prepare executive dashboards and summaries; present outcomes to the Group CISO, OpCo CISOs, senior technology executives, and relevant committees; engage with Internal Audit to align audit activities with the assurance programme. - Regulatory & External Engagement
Ensure the assurance programme satisfies regulatory requirements such as NIS/NIS2, aviation regulatory requirements, and external customer due diligence needs. - Remediation Prioritisation & Risk Reduction
Partner with OpCo stakeholder areas to drive effective remediation; identify cross OpCo systemic weaknesses and propose Group-wide corrective programs.
Skills, experience and qualifications
- 10+ years of cyber assurance leadership experience in global, complex, regulated, federated organisations.
- Strong exposure to cyber assurance, IT audit, or second line risk functions.
- Proven experience in resilience assurance-crisis readiness, BCP/DR, cloud / IT resilience, and recovery validation.
- Proven track record in designing and delivering independent assurance programs, including evidence validation, structured testing, and assurance reporting in regulated environments.
- Direct experience of cyber risk management at enterprise or Group level, including risk register ownership, risk appetite setting, and Board/Committee reporting.
- Demonstrated experience challenging and independently validating data submitted by operating entities, identifying inaccuracies, and managing escalations professionally.
- Familiarity with regulatory frameworks such as NIST CSF, ISO 27001/2, PCI DSS, GDPR, NIS/NIS2/UK NIS.
- Strategic, analytical, and capable of defining long term transformational assurance roadmaps.
- Strong business acumen with the ability to connect control failures to operational risk impacts (e.g., airline operations, airport disruptions).
- Excellent storyteller with data-able to translate metrics and complex control evidence into actionable insights.
- Strong leadership, influencing and stakeholder management skills across federated and multicultural organisations.
- Advocates a “no surprises” assurance culture, independence, and transparency.
What we offer
We offer a challenging career in a dynamic industry, the opportunity to work in a multicultural environment with offices across London, Dublin, Madrid, Barcelona, and Kraków. We support work/life balance and provide benefits typical of a global organisation, including health insurance, pension, and performance bonuses.
We are an equal opportunities employer and all qualified applicants will receive consideration for employment without regard to race, colour, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law.