Chief Information Security Officer
Amey is a leading provider of full life-cycle engineering, operations, and decarbonisation solutions for transport infrastructure and complex facilities.
Working for us, you’ll be delivering sustainable infrastructure solutions that enhance life and protect our shared future.
Our people are driven by a set of strong values, based on safety, insight, and collaboration.
The Opportunity
We have a fantastic opportunity for a permanent Chief Information Security Officer (CISO) to join Amey’s group functions.
As Chief Information Security Officer you will lead global cyber security and privacy across the Amey Group, with a primary focus on security (approximately 70%) and strategic accountability for privacy (approximately 30%). You will define and implement long-term strategies aligned with business objectives, regulatory expectations, and customer trust. This includes articulating the security value proposition, contributing to the governance of AI and emerging technologies, and embedding secure-by-design and privacy-by-design principles.
Operating as a trusted partner to customers, regulators, and the Board, the CISO/CPO safeguards IT systems, cloud services, products, and data while enabling digital transformation and innovation. The role is accountable for all security activities, with operational security and SOC services delivered through the IT function and external partners.
You will establish a target operating model, governance frameworks, and a strategic roadmap to ensure cohesive implementation of security and privacy strategies, supporting business enablement, risk management, and resilience across all markets and functions.
Key responsibilities:
- Define and deliver multi-year cyber-security and privacy strategies aligned to corporate objectives and customer trust requirements.
- Ensure ongoing compliance with applicable data protection laws and maintain constructive relationships with regulators.
- Develop a security and privacy controls framework; obtain and maintain ISO 27001, Cyber Essentials Plus, and other relevant certifications.
- Oversee the development, maintenance, and enforcement of security and privacy policies across the organisation.
- Define and report on key metrics to the board and executive leadership on the effectiveness of security and privacy programmes.
- Own the enterprise risk register for cyber security and privacy; define KPIs, lead cyber resilience initiatives and tabletop exercises in coordination with Crisis Management, BCP, and ITDR.
- Oversee the integration of PIAs and DPIAs into project lifecycles to ensure privacy risks are identified and mitigated early.
- Maintain strategic relationships with partners and suppliers that support the information security and privacy programme; oversee third-party risk assurance activities including due diligence, contract reviews, and ongoing monitoring.
- Monitor threat intelligence sources and conduct horizon scanning to identify emerging risks and technology trends.
- Lead all security activities across the organisation, with operational delivery of SOC and security services managed through the IT function and external partners.
- Embed secure-by-design and privacy-by-design principles across IT and product teams; oversee SDLC, penetration testing, and coordinated disclosure.
- Direct 24×7 SOC operations, threat hunting, red/blue teaming, and crisis response through internal and external teams.
- Collaborate with data and legal teams to ensure alignment on data lifecycle, classification, and retention policies.
- Sponsor security in bids, executive briefings, and incident communications; provide attestation artefacts and roadmap transparency.
- Partner with technology and business leaders to embed security into digital initiatives, cloud strategies, and emerging technologies.
- Represent the organisation in government, industry, and client forums to elevate its profile in information security and resilience.
- Manage the security and privacy budget; recruit, mentor, and retain high-performing teams.
What you will bring to us:
- Extensive experience in a senior information security leadership role within a global or multi-region organisation.
- Demonstrable track record of defining and delivering security and privacy strategies, target operating models, and building high-performing teams.
- Strong knowledge of security and privacy frameworks, including NIST, ISO/IEC 27001, Cyber Essentials, and applicable data protection legislation (UK Data Privacy, GDPR, etc.).
- Proven experience in leading enterprise-wide risk management, incident response, and resilience programmes across complex environments.
- Experience contributing to the governance of emerging technologies, including AI, and integrating security into digital transformation and innovation initiatives.
- Skilled in engaging with executive leadership, regulators, and external stakeholders to influence strategic direction and build trust.
- Excellent communication and presentation skills, both verbal and written.
- Skilled in navigating ambiguity and driving outcomes in fast-paced, evolving environments.
- Strong analytical skills, including critical thinking and deductive reasoning.
- Degree in a relevant field (e.g., Information Security, Computer Science, Law, Business) is desirable but not essential; equivalent experience will be considered.
- Recognised professional certifications such as CISSP, CISM, CIPM, CIPT, CISA, or CRISC are strongly preferred.
- Additional certifications in data protection (e.g., IAPP CIPP/E, BCS Practitioner Certificate in Data Protection) are advantageous.
What we can offer you:
At Amey, we recognise that our biggest asset is our people. That is why when you join us, we offer flexibility, career development, a choice of benefits and support that help you through all life’s ups and downs. It’s the reason why Investors in People put us among the top 1% of employers.
Work-life Balance –
Work-life balance and flexibility are key for our success. We empower our people to make choices that are right for them, with hybrid, part-time and flexible work patterns. And with a network of offices across the UK, we are open to discussing working options that suit you.
Wellbeing –
Health cash plan, 24 GP, support and assistance programmes, wellbeing ambassadors and Wellbeing Wednesday, dental vouchers
EDI –
At Amey we celebrate our people and all that they are. This is reflected in our Affinity Group networks, providing a community of support and connection, a safe space to share experiences, learn from one another and generate ideas – Women @ Amey, Neurodiversity, Armed Forces, Multicultural Network, Pride, Diversability and Parents & Carers.
Social Value –
You’ll get 2 Community Involvement Days each year to volunteer for a charity of your choice and further opportunities to support fundraising initiatives.
Plus, a range of other great perks and benefits including:
- Pension – Generous Pension scheme which we will contribute to
- Holidays - Minimum 25 days holiday + Bank Holidays
- Bonus – up to 20% of base salary
- Car / Car allowance
- Life assurance – 4 x base salary
- Healthcare – private family cover via BUPA
- Choices - Our flexible benefits scheme is tailored by you, including buying additional annual leave, cycle2work scheme, charity giving and gym membership.
- Save with Amey - Our online voucher portal gives you access to thousands of discounts from leading retailers to help you save on shopping, days out, or nights in.