Head of Information Security

at Risk Ledger
About the job
London, England
Hybrid
£100,000 - £120,000
Open to new applications
Full-Time ~ Permanent

Job requirements:

  • 1 year of ISO 27001 experience, used daily (must have)
  • 5 years of Information Security functional experience (must have)

About us

Risk Ledger is developing a network of connected organisations, all working together to defend against cybersecurity attacks in the supply chain.

Organisations rely on us to establish trust, through sharing their security maturity and visualising the risks posed by their supply chain ecosystem. And we’re already trusted by customers like ASOS, Snyk, BAE Systems and the NHS.

We are putting together an amazing and talented team from a diverse set of backgrounds and skillsets to drive us towards our vision. Risk Ledger is built on the respect we have for one another and our users, united by our shared values and mission.

Every one of us is still learning: it’s how we grow as individuals. We’re curious. We’re ambitious. And we’re humble and honest. At Risk Ledger, we aim high to find the best solutions we can and always put our users first.

This role:

The Head of Information Security has a bucket load of responsibility to protect the business, inform key risk-based decisions, and operate confidently and expertly with the clear understanding that their actions underpin every operational function and, ultimately, the organisation’s commercial success.

Security is at the heart of what we do, so every member of our team is passionate about making life as difficult as possible for attackers across the globe, and that extends to our own internal systems and work environment. You will be leading the way, evolving and maintaining our own world-class defences as we scale.

And if something doesn’t go to plan, this role will be accountable, alongside the executive team, for containing, controlling and disrupting any threat, and for restoring normal operations.

Responsibilities will include:

  • Championing our security culture: training our team to be the best form of defence.
  • Conducting threat analyses and ongoing risk assessments to anticipate risks and design effective controls that really make a difference.
  • Working collaboratively with the Product and Engineering teams to maintain the technical controls that keep our service and production data safe.
  • Maintaining the security configurations applied to our devices and SaaS services: protecting colleagues with minimal friction so they can get their job done, and monitoring access provisions to ensure we are maintaining the principle of least privilege.
  • Ensuring our security controls are clearly communicated, internally through documentation and our own Risk Ledger profile, and externally to stakeholders, clients and suppliers who want to know how we manage and maintain them.
  • Supporting our product development: collaborating with the Product and Engineering teams on service features and on the Framework used by thousands of organisations, including developing the relationship between the controls framework and contemporary, contextual cybersecurity risks.
  • Developing and operating our ISMS, and all that this entails. You will also be responsible for maintaining our ISO 27001 and Cyber Essentials certifications, and any other security-related compliance accreditations that may be required.

We are a scaling business, staying lean wherever possible, which means that, currently, responsibility for the provision and management of the technology the business needs to function effectively sits with the Head of Information Security, with support from a handful of individuals across the business.

On day one, you will have Risk Ledger’s current Security Engineer reporting to you, but you will have the autonomy to define the needs and evolution of the function however you see fit, in line with business need.

We are an ambitious bunch at Risk Ledger, always learning and pushing boundaries to change the way cyber security is managed in the supply chain. Our own internal security is pivotal to this. We won’t compromise and don’t expect you to either.

We’re looking for someone who:

  • Has 5 or more years’ experience in a Head (or Deputy Head) of Information Security role, seasoned with scale-up organisation challenges (qualifications: CISSP, CISM).
  • Has solid experience of assuring compliance with cyber security and data protection regulations within the UK and globally (e.g. GDPR, NIS Directive, EBA Guidelines).
  • Has a comprehensive understanding of what it takes to comply with cyber security industry standards and frameworks in practice (e.g. ISO 27001, NIST CSF, SP 800-53, NCSC CAF, Cyber Essentials).
  • Has a thorough understanding of cyber security threat and risk, with the ability to think like an attacker and design controls that make a real difference.
  • Has a proven ability to enable a business to move fast, working with colleagues to define solutions that allow us to achieve our objectives whilst also keeping us safe.
  • Has good research and analytical skills, drawing on a variety of sources (online research, industry forums, threat intel feeds, etc.) to maintain oversight of current and future threats and of opportunities to mitigate them.
  • Has an enthusiastic ‘roll up your sleeves’ mentality, confidently getting into the weeds with the technologies that we’re using to problem-solve with colleagues.
  • Is feedback-driven with a positive attitude and ability to listen, learn, and iterate.

The perks

  • Competitive base salary
  • Generous EMI equity package
  • 3% employer match on pension
  • 25 days annual leave + bank holidays
  • Additional 30 days of unpaid leave per year to use as you wish
  • Ad-hoc company-wide paid time off - last year we gave everyone a week of ‘rest leave’ in August to recharge after our fundraising
  • Private healthcare with AXA Insurance - including enhanced mental wellbeing coverage
  • Hybrid working policy, typically 2-3 days in the office
  • Enhanced family (parental) leave - gender-neutral policy, 12 weeks paid leave
  • 5 days Caretaker’s leave
  • Enhanced occupational sick pay
  • £500 work-from-home budget
  • All the learning resources and books you want to aid in your personal development
  • Regular socials to unwind and have some fun