Head of Governance, Risk and Compliance - CISO function - BPL

London, United Kingdom

Key information

Date live: 02/06/2026

Business Area: GTB SLT

Area of Expertise: Technology

Contract: Permanent

Reference Code: JR-0000114850

It’s happening at Barclays.

Be a part of a place where challenges are measured in billions, qubits and nanoseconds. Build your career in an environment where we’re advancing machine learning, leveraging blockchains, and harnessing FinTech. Working in Barclays technology, you’ll reimagine possibilities: learning and innovating to solve the challenges ahead, delivering for millions of customers.
We are shaping the future of financial technology.
Why not join us and make it happen here?

The Head of GRC leads the pillar responsible for ensuring the organisation understands, manages, and can demonstrate compliance with its security risk and regulatory obligations. This includes owning the PCI DSS compliance programme, managing FCA and ICO regulatory engagement, maintaining the security risk register, and ensuring third-party risks are assessed and managed. The role bridges the gap between technical security delivery and regulatory/business expectations, translating the organisation’s declared risk appetite into measurable tolerances, control objectives, and compliance evidence. This is a critical leadership position that requires someone comfortable operating at both strategic and operational levels. The ideal candidate will have a financial services background, regulation expertise as well as practical experience and the credibility to engage effectively with the FCA, external auditors, and the QSA.

Key Responsibilities

  • Own the security policy framework, ensuring policies are current, proportionate, and aligned to PCI DSS, FCA expectations, UK GDPR, and DORA requirements.
  • Maintain and operate the security risk register, ensuring risks are assessed consistently using a defined methodology, owned explicitly, and reported accurately to the CISO and Executive Leadership Team (ELT).
  • Manage the relationship with external auditors, the Qualified Security Assessor (QSA), and 2nd/3rd Line of Defence (LoD) on all security and technology risk matters.
  • Own the third-party security assurance process, ensuring all vendors, partners, and card scheme integrations are risk-assessed with a tiered approach proportionate to data access and criticality.
  • Chair the monthly Cyber and Tech Risk and Controls Forum, presenting risk posture, compliance status, and material findings to the CISO, CIO and ELT.
  • Design and maintain the control framework, mapping controls to PCI DSS, FCA, UK GDPR, and DORA requirements, and ensuring control effectiveness is tested on a continuous cycle.
  • Produce KRI dashboards and risk reporting for CISO, CIO, and ELT consumption, ensuring risk is communicated in business terms.
  • Lead regulatory and audit engagement on security matters, coordinating regulatory review and audit interactions and proactively managing stakeholder relationships.
  • Own the risk assessment calendar, ensuring both cyclical and event-driven assessments are executed on schedule with appropriate rigour.
  • Manage the risk acceptance process, ensuring risk acceptance decisions are documented, time-bound, approved at the appropriate authority level, and reviewed before expiry.
  • Manage and develop the GRC team, building capability across risk assessment, compliance, and third-party assurance disciplines.

Key Deliverables

  • Security risk register, reviewed and updated monthly with full audit trail in the GRC platform.
  • PCI DSS compliance roadmap and continuously maintained evidence repository.
  • Monthly Cyber and Tech risk and compliance report for CISO and ELT.
  • Quarterly KRI dashboard and risk trend analysis for Risk Committee reporting.
  • Annual third-party security assurance plan with tiered assessment calendar and completion tracking.
  • Control framework mapping document (controls mapped to PCI DSS 4.0 / FCA / UK GDPR / DORA requirements).
  • Risk assessment calendar (cyclical and event-driven) with capacity planning.
  • Risk acceptance authority matrix and active acceptance register.

Required Skills and Experience

  • CISM, CRISC, or CISSP certification.
  • Experience with DORA (Digital Operational Resilience Act) compliance requirements and implementation.
  • ISO 27001 Lead Auditor or Lead Implementer certification.
  • PCI QSA or Internal Security Assessor (ISA) qualification.
  • Previous experience in FinTech, Digital Banking, Payment Acquiring organisation.
  • Experience with Visa GACS and Mastercard SDP acquirer compliance programmes.
  • Significant, progressive experience in information security governance, risk, and compliance, with at least 5 years leading a GRC team in a regulated environment.
  • Strong understanding of UK GDPR and the role of security controls in meeting data protection obligations, including breach notification requirements and data protection impact assessments.
  • Experience designing and operating security control frameworks mapped to multiple regulatory requirements simultaneously (e.g., a single framework serving PCI DSS, FCA, and GDPR).
  • Understanding of cloud-native architectures and their implications for compliance and risk management.
  • Proven ability to translate technical security risks into business language for executive audiences.
  • Experience managing internal and external audit relationships, regulatory examinations, and QSA assessments.
  • Understanding of risk quantification methodologies and experience producing risk reporting that supports investment decisions.
  • Proven people management experience, developing analysts and building team capability in a growing organisation.
  • Experience with GRC tooling and platforms (e.g., Drata, Vanta, ServiceNow GRC, OneTrust, or equivalent).

Barclays’ payments acceptance business provides critical infrastructure to the UK economy, processing billions of pounds of payments annually for both small businesses and domestic and international corporate clients.

In April 2025, we announced a long-term partnership with Brookfield Asset Management to grow and transform the payments acceptance business by broadening the range of services offered, enhancing the experience for both existing and prospective clients. Leveraging extensive client relationships and deep experience of UK payments, we will create an environment of continuous innovation - activated by Brookfield’s global private equity expertise in payments, technology, operational transformation and corporate carve-outs - to ensure the business is strategically positioned for long-term growth.

Barclays will invest approximately £400m in the new business, the majority of which will be incurred during the first three years. Performance-linked incentives will drive greater alignment between the partners, underpinning the long-term commitment to the transformation. Barclays and Brookfield will work to create a standalone entity over time, continuing to use the Barclaycard Payments (BPL) brand and acting as the sole payments acceptance services provider to Barclays’ clients for a minimum of ten years. 

For more information on our partnership with Brookfield, please visit Barclays.com.

Purpose of the role

To provide a primary liaison service between the business, technology, and security functions in order to ensure the confidentiality, integrity and availability of information, and support the mitigation of security risk.

Accountabilities

  • Collaboration with stakeholders to understand their security requirements in business processes and IT projects, to enhance overall risk management.
  • Execution of risk assessments to identify and prioritise potential cybersecurity threats that could impact the bank’s operations and data, guide the implementation of mitigation strategies, and communicate findings to relevant senior stakeholders.
  • Collaboration with business units to develop and implement security policies and procedures for the bank’s operations aligned to the risk management framework.
  • Management of the implementation, testing and monitoring of security controls across the bank’s IT systems to ensure the effectiveness of controls and mitigation of risk.
  • Execution of training content and sessions to educate employees, enhance cybersecurity awareness and provide guidance on safe online practices.
  • Management of complex cybersecurity incidents by collaborating with IT teams and response experts to effectively resolve cases through analysis, expertise support and project supervision.
  • Identification of emerging cybersecurity trends, threats, and new technologies to address potential risks by advocating the adoption of new security solutions.

Director Expectations

  • To manage a business function, providing significant input to function wide strategic initiatives. Contribute to and influence policy and procedures for the function and plan, manage and consult on multiple complex and critical strategic projects, which may be business wide.
  • They manage the direction of a large team or sub-function, leading other people managers and embedding a performance culture aligned to the values of the business. Or for an individual contributor, they lead organisation wide projects and act as deep technical expert and thought leader, identifying new ways of working and collaborating cross functionally. They will train, guide and coach less experienced specialists and provide information affecting long term profits, organisational risks and strategic decisions.
  • Provide expert advice to senior functional management and committees to influence decisions made outside of own function, offering significant input to function wide strategic initiatives.
  • Manage, coordinate and enable resourcing, budgeting and policy creation for a significant sub-function.
  • Escalates breaches of policies / procedure appropriately.
  • Foster and guide compliance, ensuring regulations are observed and that relevant processes are in place to facilitate adherence.
  • Focus on the external environment, regulators, or advocacy groups to both monitor and influence on behalf of Barclays, when appropriate.
  • Demonstrate extensive knowledge of how the function integrates with the business division / Group to achieve the overall business objectives.
  • Maintain broad and comprehensive knowledge of industry theories and practices within own discipline alongside up-to-date relevant sector / functional knowledge, and insight into external market developments / initiatives.
  • Use interpretative thinking and advanced analytical skills to solve problems and design solutions in often complex/ sensitive situations.
  • Exercise management authority to make significant decisions and certain strategic decisions or recommendations within own area.
  • Negotiate with and influence stakeholders at a senior level both internally and externally.
  • Act as principal contact point for key clients and counterparts in other functions/ businesses divisions.
  • Mandated as a spokesperson for the function and business division.

All Senior Leaders are expected to demonstrate a clear set of leadership behaviours to create an environment for colleagues to thrive and deliver to a consistently excellent standard. The four LEAD behaviours are: L – Listen and be authentic, E – Energise and inspire, A – Align across the enterprise, D – Develop others.

All colleagues will be expected to demonstrate the Barclays Values of Respect, Integrity, Service, Excellence and Stewardship – our moral compass, helping us do what we believe is right. They will also be expected to demonstrate the Barclays Mindset – to Empower, Challenge and Drive – the operating manual for how we behave.

Barclays welcomes applications from all candidates and is committed to ensuring reasonable adjustments (accommodations) are put in place to allow for a fair and inclusive recruitment process. For more information and how to request one, please review Adjustments to the recruitment process.

We’re a global, vital and highly respected financial organisation with an inspiring Purpose. Operating in 39 countries and employing around 100,000 people across the world, we help communities, individuals and businesses thrive. And we’ve created financial solutions and technology that the world now takes for granted. A career with us can offer incredible variety, depth and breadth of experience, and the chance to learn from some of the best minds in technology and finance.

To find out more about Barclays' strategy please click here.

We are an equal opportunity employer and opposed to discrimination on any grounds. It is the policy of Barclays to ensure equal employment opportunity without discrimination or harassment on the basis of race, colour, creed, religion, national origin, alienage or citizenship status, age, sex, sexual orientation, gender identity or expression, marital or domestic/civil partnership status, disability, veteran status, genetic information, or any other basis protected by law.

Barclays is required by law to confirm that you have the Legal Right to Work in any role that you apply for. If you currently hold a work visa sponsored by Barclays, or you would require sponsorship from Barclays, you must declare this as part of your application. Sponsored visas are role and entity specific and any changes must be reviewed. It is important that you ensure you are working on the correct visa at all times. Failure to accurately disclose your visa status or Legal Right to Work may result in your application or any employment offer being withdrawn at any time.

Who succeeds in Tech at Barclays?

For a career with us, you need to be prepared to take big steps forward, curious to face the challenges ahead, and driven to focus on the outcomes. We need people with the Barclays mindset to make it happen here.

Qualities we look for: motivator, supporter, connector, driver, communicator, transformer, maker, observer

What you'll get in return

Competitive holiday allowance
Life assurance
Private medical care
Pension contribution

Our technology

Supporting our 48 million customers and clients worldwide takes a lot of forward thinking. It means harnessing technology to support the economy. It means making a difference to people’s lives. And it requires the maintenance and development of a global, technological infrastructure. At Barclays, technology helps us keep transactions moving, manages data, and protects our customers. Join a world where your work creates unique moments of impact. Make it happen here.

This is Barclays London

Our global HQ is in Canary Wharf, at the heart of London’s financial district. There are over 10,000 colleagues here – a hugely diverse workforce made up of the world’s best financial and tech talent. If you love the buzz of city life, this is the place to be.

Supporting active commuters

Cycle or run to work? We’ve got everything you need – from cycle hire and parking areas to new showering and changing facilities.

Time to connect

CoSpace is our drop-in co-working space, where networks are built, problems are solved collectively and our community is strengthened.

Wellbeing in focus

Our Wellness Suite includes a well-equipped gym and exercise studios, and provides personal training sessions and massage therapy.

Advanced trading floors

Our new trading floors enhance communication, integrate sustainability, and support health and wellbeing through innovative design and British-sourced furniture.

Working flexibly

We’re committed to providing a supportive and inclusive culture and environment for you to work in. This environment recognises and supports your personal needs, alongside the professional needs of our business. If you'd like to explore flexible working arrangements, please discuss this with the hiring manager. Your request will be reviewed in-line with the requirements of the role/business needs of the team.

Hybrid working

We have a structured approach to hybrid working, where colleagues work at an onsite location on fixed, ‘anchor’, days, as set by the business area. Please discuss the working pattern requirements for the role you are applying for with the hiring manager. Please note that working arrangements may be subject to change on reasonable notice to ensure we meet the needs of our business.

Barclays is built on an international scale.

Our geographic reach, our wide variety of functions, businesses, roles and locations reflect the rich diversity of our worldwide customer base. All of which means we offer incredible variety, depth and breadth of experience. And the chance to learn from a globally diverse mix of colleagues, including some of the very best minds in banking, finance, technology and business. Throughout, we’ll encourage you to embrace mobility, exploring every part of our operations as you build your career.

Make it happen at Barclays

Our teams are always evolving - creating new solutions that make a real difference for customers and clients. Watch the video to hear how our colleagues describe their careers at Barclays and imagine where yours could take you.
