Established in 1981 with a single store in the Northwest of England, the JD Group is a leading omni-channel retailer of Sports Fashion, Outdoors and Gyms with our colleagues working in stores across several retail fascias in many markets around the world.

JD Sports Fashion Plc was listed on the London Stock Exchange in 1996 and has been a FTSE100 publicly quoted company since 2019 and continues to grow in the UK and internationally.

We want to be the leading global omnichannel retailer in the sports and outdoor industry. To be a part of this successful company and help us to achieve this you will have the desire to ingrain our strategic goals of being a people-led, innovative and customer-focused organisation which provides operational excellence whilst identifying new areas of growth as part of our day to day objectives.
for IT & Cyber Policy and Governance Lead
Business Area Information Security
Job Title IT & Cyber Governance and Policy Lead
Scope and Coverage Global
Outline Purpose of Role

This role will:

• Implement and develop and own IT and cyber governance processes and forums in alignment with the IT and Information security operations and risk framework.
• Maintain and improve the IT and information security policy framework including the suite of policies and standards and associated processes.
• Help drive a robust security posture for a large, complex organisation, trading globally within a constantly evolving IT and information security threat environment.

Impact of Role

• Implement governance framework to enable enforcement and management of IT and cyber policies across the all JD entities.
• Help drive good security hygiene and the use of appropriate controls into the business culture of JD Sports.

Reports to
This role resides in the Information Security Function and reports to the Global Head of Governance, Risk and Compliance.

Direct Reports
Individual contributor with possible management of a GRC Analyst and periodic oversight of seconded resources, contingent workers and systems integrators.

Key Elements of the Role
The job holder will be responsible for developing, implementing and maintaining IT and cyber governance frameworks, policies and standards to enable the policy framework to be deployment and enforced across the technology organisation of the business. In this role, the job holder will be responsible for the following activities:

IT and Cyber Policy Framework:

• Develop a clear understanding of the organisation, its various entities (business units, subsidiaries, partners, and interdependent entities) to assess existing and applicable policy requirements.
• Maintain and develop the IT and cyber policy framework to drive continuous improvement and its usability and application.
• Establish a robust governance structure to manage and facilitate IT and cyber policy and risk management. This includes clearly defined roles, responsibilities, processes and relevant artefacts.
• Lead on alignment of governance for IT and cyber controls in line with JD Sports Policies, Standards, and security strategy.
• Definition of IT and information security policies, standards and guidelines in line with applicable and recognised best practice requirements.
• Harmonise with any differing compliance and controls requirements to establish company-wide consistent set of policies and standards use across all entities.
• Implement and maintain a robust policy development lifecycle ensure effective policy management and review in line with compliance and technological advancements and changes.
• Analyse incidents and events to Identify omissions and opportunities for improvement in according with the organisation risk exposure and appetite.
• Identify, analyse and report on key policy metrics such as policy exceptions, breaches and identify relevant risks arisen from policy exception.
• Prepare and report on governance and policy reporting to senior leadership highlighting adherence status, risks and mitigation strategies.
• Address opportunities for exploiting automation and tool sets for policy enforcement and management.

Stakeholder Engagement and Advisory:

• Communicate with internal stakeholders (technical and non-technical) and suppliers to discuss policy requirement and implementation.
• Collaborate with third-party vendors and partners to enforce consistent policy adherence within the supply chain and vendor ecosystem.
• Develop policy compliance regime in conjunction with GRC compliance and in accordance with the 3 lines of defence model.
• Work closely with HR, procurement, legal, and other departments to ensure that controls are integrated into key business processes.
• Clearly articulate policy non-compliance issues including their associated risks and providing actionable recommendations for mitigation as part of the risk management processes.
• Provide guidance and training to teams across the organization on IT and cyber policies and best practices.
• Establish strong working relationship with the internal and external stakeholders to ensure the policies are adhered to and effective as designed.
• Act as SME for all level of stakeholder across the organisation on IT and cyber governance, policies and advising adherence strategies.

Key Attributes of The Jobholder

Experience and Qualifications

• Bachelor’s degree in Cybersecurity, Information Technology, Compliance or a related field.
• 5+ years of experience in IT and cyber governance frameworks, policy development, cyber assurance, compliance or a related discipline.
• Certifications such as CISSP, CISM, CRISC, or equivalent are strongly preferred.
• In-depth understanding of cybersecurity frameworks (e.g., NIST, ISO 27001) and risk management methodologies.
• Experience with controls development and management tools, and familiarity with security controls, threat modelling, and vulnerability management.
• Experience of third-party risk management.
• Knowledge of regulatory requirements and compliance frameworks (e.g., GDPR, ITGC, PCI-DSS, etc…) related to IT, cybersecurity and risk management.
• Awareness of various operating systems including but not limited to Windows, Linux, Unix.
• Awareness of Database technologies (SQL, Oracle, DB2, Mongo) and associated controls optimised for their protection.
• Experience with cloud environments (AWS, Azure, GCP) and understanding of cloud security risks.
• Awareness of Agile environments and practices.
• Familiarity with advanced cybersecurity technologies such as SIEM, IDS/IPS, and endpoint detection solutions.

Key Skills
The job holder is expected to possess the following skill set:

• Ability to extract clarity from fast-paced, evolving scenarios by helping to clarify the inevitable ambiguity arising within a large, complex, and interdependent organisation.
• Strong analytical and problem-solving skills, with the ability to make informed risk-based decisions.
• Excellent communication skills, both written and verbal, to effectively present risks to senior leadership and non-technical audiences.
• A proven ability to work collaboratively and constructively with other managers to ensure clarity of purpose, effective communication, and mutual understanding policy frameworks and how to apply them.
• Communicate with internal stakeholders (technical and non-technical) and suppliers to discuss policy requirements and drive controls availability, provision and consumption.
• Strong mentoring, and organisational skills with experience of leading and working collaboratively within multi-disciplined teams.
• Competent, engaging communication skills and an ability to articulate goals, achievements, risks, expectations, and needs to individuals and teams at all organisational levels.
• An ability to manage and inspire diversely located team members (internal and external) to focus on common goals and timelines.

We know our colleagues work tirelessly to make JD Sports the success it is today and in turn, we offer them some amazing benefits including staff Discount On JD Group and other brands within the organisation and personal development opportunities to learn and develop at work.

Thank you for your time

JD