Lead, Risk and Information Protection

Lead, Risk and Information Protection
Oil and Gas client, Contract position with possibility of extension

Role Overview
We are seeking an experienced Lead, Risk and Information Protection professional to own and drive governance, risk, compliance, and information protection across a complex IT and OT environment. This role plays a critical part in safeguarding information assets, strengthening cybersecurity maturity, and enabling secure digital transformation in a large, operationally critical organization.
The role requires independent decision-making, a strong risk-based mindset, and close collaboration with technology, business, audit, and external partners.

Key Accountabilities

Governance, Risk & Compliance (GRC)

• Develop, implement, and maintain a comprehensive cybersecurity governance framework aligned with industry best practices, regulatory requirements, and organizational objectives.
• Define and maintain cybersecurity policies, standards, and procedures, ensuring continuous compliance with legal, regulatory, audit, and internal requirements.
• Lead Business Impact Analysis (BIA) and Risk Assessments (RA), ensuring continuous improvement aligned with threat models and best practices.
• Identify, evaluate, mitigate, and report information security risks, and maintain accurate risk registers and audit records.
• Act as the primary focal point for internal and external audits, coordinating assessments and evidence provision.
• Stay current with emerging cyber threats, trends, and technologies and assess their impact on the organization.

Information Protection

• Lead information and data protection practices in collaboration with Legal, HR, IT, and business teams.
• Advise IT and digital projects on information protection controls throughout the full project lifecycle.
• Oversee data classification, data labeling, and data loss prevention processes, and follow up on identified anomalies.
• Develop and maintain incident response plans for data breaches and information security incidents.
• Guide and coordinate business continuity and disaster recovery strategies, including IT disaster recovery testing and evidence management.

Security Awareness & Training

• Design, implement, and continuously improve a comprehensive cybersecurity awareness program.
• Deliver annual cybersecurity awareness initiatives including training, phishing simulations, campaigns, and events.
• Promote a strong cybersecurity culture through regular communications, metrics, and reporting.
• Define and manage a metrics framework to measure employee compliance and program effectiveness.

Cybersecurity Program Leadership

• Develop and execute a strategic cybersecurity roadmap covering both IT and OT environments.
• Lead cybersecurity programs and initiatives of medium to high complexity, managing scope, milestones, and delivery.
• Provide regular reporting to management on progress, risks, and outcomes.
• Manage resources including team members, budget, vendors, and technology.
• Lead and mentor the team, fostering a collaborative and high-performance culture.

Role Scope & Dimensions

• 1 direct report
• Vendor and contract management across multiple service providers
• Coverage of enterprise IT (on-prem, cloud, remote) and OT environments
• Involvement in all major business and digital projects
• Organization-wide responsibility for all forms of information (digital, physical, verbal, and data)
• Delivery of awareness programs for onshore and offshore employees

Qualifications & Experience Required:

• Bachelor’s or Master’s degree in Computer Science, Information Technology, or a related discipline
• Prior experience in information security roles within large enterprise environments (1,000+ users, multi-location)
• Strong experience in cybersecurity governance, risk management, and compliance
• Professional certifications: CISSP and/or CISM (mandatory)
• Proven expertise in risk, business impact, control, and vulnerability assessments
• Strong analytical, communication, and stakeholder management skills
• Fluency in English (written and spoken)

Technical Knowledge:

• Security frameworks and standards (ISO 27001, NIST)
• Enterprise IT and OT security technologies and controls
• Incident response, vulnerability and patch management
• Information classification, data protection, DLP
• Disaster recovery and business continuity
• SIEM, XDR, IDS/IPS, firewalls, endpoint and network security tools

Desirable:

• Oil & Gas, manufacturing, or industrial sector experience
• Industrial cybersecurity certification (e.g., GICSP or equivalent)
• Knowledge of industrial cybersecurity standards
• Program and project management exposure
• Vendor management experience, including SLAs and KPIs
• Strong business acumen and understanding of operational risk

Our role in supporting diversity and inclusion

As an international workforce business, we are committed to sourcing personnel that reflects the diversity and values of our client base but also that of Orion Group. We welcome the wide range of experiences and viewpoints that potential workers bring to our business and our clients, including those based on nationality, gender, culture, educational and professional backgrounds, race, ethnicity, sexual orientation, gender identity and expression, disability, and age differences, job classification and religion. In our inclusive workplace, regardless of your employment status as staff or contract, everyone is assured the right of equitable, fair and respectful treatment.