Alexander Ash Consulting

Director Information Security

United Arab Emirates · Full-time · Director

Alexander Ash are seeking a Director of Information Security to lead and institutionalise cybersecurity governance, risk management, and regulatory compliance across a large, complex, multi-market organisation.


This is a senior leadership role with end-to-end ownership of the enterprise Information Security GRC framework, partnering closely with Legal, Internal Audit, Data Privacy, Procurement, HR, Retail Operations, and Technology to embed trust, accountability, and regulatory confidence across the business.


Key Responsibilities

  • Define and execute the enterprise Information Security GRC strategy aligned to corporate risk, technology transformation, and global growth
  • Design the GRC operating model, team structure, and KPIs to ensure scalable and repeatable governance
  • Develop and maintain Group-wide security policies, standards, and procedures aligned to ISO 27001, NIST CSF, COBIT, and business needs
  • Lead cross-functional governance forums and ensure policy integration across HR, Legal, and ITSM
  • Own the Information Security Risk Management Framework, including risk identification, assessment, treatment, and monitoring
  • Embed security risk management into projects, change management, and third-party onboarding
  • Implement risk dashboards and quantification approaches (e.g. FAIR, GRC platforms)
  • Ensure compliance with global and regional regulations including UAE PDPL, KSA PDPL, EU GDPR, PCI-DSS, ISO 27001/22301
  • Lead internal and external audits, certifications, customer security reviews, and regulatory inspections
  • Drive closure of audit findings in partnership with Internal Audit and Legal
  • Own the end-to-end Third-Party Cybersecurity Risk Management programme, including due diligence, contractual controls, and ongoing assessments
  • Partner with Procurement and Legal across the vendor lifecycle
  • Lead Group-wide security awareness and compliance programmes, including executive training and simulated phishing
  • Tailor initiatives by role, function, and geography to drive accountability
  • Own and enhance the enterprise GRC platform and integrations with ITSM, risk registers, and incident management
  • Drive automation, metrics, and dashboards to improve efficiency and insight


Ideal Profile

  • Senior GRC leader with experience operating at enterprise or group level
  • Strong background in information security governance, risk, compliance, and audit
  • Hands-on experience with global regulatory frameworks and multi-jurisdiction environments
  • Proven ability to influence senior stakeholders and lead cross-functional initiatives
  • Experience implementing and optimising GRC tools and reporting frameworks


This is a high-impact role for a strategic yet hands-on GRC leader looking to shape cybersecurity governance at scale.


Interested candidates are encouraged to directly reach out to [email protected]

Key Skills

Ranked by relevance

cybersecurity gdpr nist dss
Posted: Jan 15, 2026
Type: Full-time
Level: Director
Location: Dubai

Industries

Retail Business Consulting Services

Categories

Consulting Analyst Management
