Information Security Risk Officer Recruitment
Exec Capital recruits senior Information Security Risk Officers for UK financial services firms, regulated businesses, healthcare organisations, critical national infrastructure operators and corporates managing significant information assets. The Information Security Risk Officer role is structurally distinct from the Chief Information Security Officer (broader security leadership at C-suite level) and from the Information Security Manager (operational security delivery). The role focuses specifically on information security risk — identifying, quantifying, monitoring and reporting on the information risks the organisation faces, and overseeing the framework that ensures security controls are proportionate to those risks. It is increasingly a regulatory-driven appointment, particularly in FCA-regulated firms operating under SYSC 8 outsourcing rules, the PRA operational resilience framework, and where applicable DORA and NIS2.
We recruit at senior specialist, director and Head of Information Security Risk level across the UK market. Our network spans the regulated financial services community, professional services firms, healthcare organisations and corporate functions where information security risk has become a board-level priority.
About the Founder
Adrian Lawrence FCA — Exec Capital
Adrian Lawrence is the founder and managing director of Exec Capital, a UK executive recruitment firm specialising in C-suite, director and senior leadership appointments. Adrian is a Fellow of the Institute of Chartered Accountants in England and Wales and holds an ICAEW practising certificate in his own name. Exec Capital is a registered ICAEW practice (Co. No. 15037964) and operates alongside sister firms FD Capital and NED Capital across the UK senior recruitment market.
Speak to Adrian: 020 3834 9616 · recruitment@execcapital.co.uk
The Senior Information Security Risk Role
The Information Security Risk Officer sits at the intersection of information security, enterprise risk management and regulatory compliance. Where the Chief Information Security Officer owns the security strategy and the broader security function, and the Information Security Manager runs security operations day to day, the Information Security Risk Officer owns the risk framework itself — the methodology by which information risks are identified, assessed, monitored and reported, and the assurance framework that demonstrates security controls are proportionate to those risks.
Reporting structure. The Information Security Risk Officer typically reports to the CISO with a dotted line to the Chief Risk Officer in larger organisations. In FCA-regulated firms, the role often has direct engagement with the Risk Committee on information risk reporting and may attend Risk Committee meetings to present technology and information risk updates. In smaller organisations the role reports directly to the CRO or to the COO where there is no dedicated CISO appointment.
Team and scope. The role typically operates as a senior individual contributor or leads a small information risk team. The function works closely with the wider security team (operations, architecture, engineering), the broader enterprise risk function, internal audit, the data protection officer, the technology function and where applicable the supplier management and procurement function. Information Security Risk Officers in financial services routinely engage with the FCA on technology and operational risk matters, both directly and through their CISO and CRO.
Risk Frameworks and Methodologies
The senior Information Security Risk Officer is expected to operate fluently across the recognised risk management frameworks applicable to information security:
ISO 27005 Information Security Risk Management. The international standard specifically for information security risk management, sitting alongside ISO 27001 (the broader information security management system standard). ISO 27005 sets out methodology for risk identification, analysis, evaluation, treatment and monitoring specific to information assets.
NIST Cybersecurity Framework (CSF). The US National Institute of Standards and Technology framework, widely adopted in UK regulated firms as the practical reference for cybersecurity risk management. CSF 1.1 organises cybersecurity activity into five functions (Identify, Protect, Detect, Respond and Recover); CSF 2.0, published in February 2024, adds a sixth, Govern, covering risk strategy, roles, policy and oversight, which is the function most directly relevant to this role. The framework provides a common language across the security and risk community.
ISO 31000 Risk Management. The general risk management standard that provides the meta-framework into which information security risk fits. Senior Information Security Risk Officers must demonstrate the ability to align information security risk management with enterprise risk management practice.
COBIT and IT governance frameworks. The Information Systems Audit and Control Association’s framework for IT governance and management. COBIT provides the control objectives and maturity assessment methodology used in many information risk programmes, particularly in regulated and audit-engaged organisations.
Risk quantification approaches. Senior Information Security Risk Officers increasingly engage with quantitative risk methodologies, notably FAIR (Factor Analysis of Information Risk), which decomposes risk into loss event frequency and loss magnitude, and Monte Carlo simulation over calibrated estimate ranges. Together these translate technical information risk into a distribution of annualised financial loss that can be reported to the board and compared against risk appetite.
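The following is an added illustration of the FAIR-style quantification described above; it is not code from Exec Capital or from the FAIR Institute. It assumes a simple model (event frequency drawn from a triangular min/mode/max estimate and fed to a Poisson count; per-event loss magnitude lognormal, calibrated from a p10/p90 estimate range) and a constructed scenario with illustrative figures. The output is the kind of summary a Risk Committee would see: mean annual loss, percentile losses, and the probability of breaching a stated tolerance, with a closed-form expected loss as a sanity check on the simulation.

```python
"""FAIR-style Monte Carlo estimate of annualised loss exposure (added example).

Assumptions (not from the page): loss event frequency per year is uncertain and
modelled as a triangular(min, mode, max) rate feeding a Poisson count; the loss
magnitude of each event is lognormal, calibrated from a p10/p90 estimate range.
Scenario figures below are constructed for illustration only.
"""
import math
import random

Z90 = 1.2815515655446004  # standard-normal quantile for the 90th percentile


def lognormal_params(p10, p90):
    """Return (mu, sigma) of a lognormal whose 10th/90th percentiles are p10/p90."""
    if not 0 < p10 < p90:
        raise ValueError("need 0 < p10 < p90")
    mu = (math.log(p10) + math.log(p90)) / 2.0
    sigma = (math.log(p90) - math.log(p10)) / (2.0 * Z90)
    return mu, sigma


def poisson(lam, rng):
    """Knuth's sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a list of numbers."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, math.ceil(p / 100.0 * len(ordered)) - 1))
    return ordered[idx]


def simulate_annual_loss(scenario, trials=20000, seed=1):
    """Return one simulated annual loss (currency units) per trial."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario["magnitude_p10"], scenario["magnitude_p90"])
    fmin, fmode, fmax = scenario["freq_min"], scenario["freq_mode"], scenario["freq_max"]
    losses = []
    for _ in range(trials):
        rate = rng.triangular(fmin, fmax, fmode)  # random.triangular(low, high, mode)
        events = poisson(rate, rng)
        losses.append(sum((rng.lognormvariate(mu, sigma) for _ in range(events)), 0.0))
    return losses


def analytic_mean_loss(scenario):
    """Closed-form expected annual loss = E[frequency] * E[magnitude]; a sanity check."""
    mu, sigma = lognormal_params(scenario["magnitude_p10"], scenario["magnitude_p90"])
    mean_freq = (scenario["freq_min"] + scenario["freq_mode"] + scenario["freq_max"]) / 3.0
    return mean_freq * math.exp(mu + sigma ** 2 / 2.0)


def summarise(losses, tolerance):
    """Board-reporting figures: mean, percentiles and probability of breaching tolerance."""
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p95": percentile(losses, 95),
        "p_exceed_tolerance": sum(1 for x in losses if x > tolerance) / len(losses),
    }


# Constructed scenario (illustrative figures, not from the page):
# ransomware reaching the firm via a managed service provider's remote access.
SCENARIO = {
    "freq_min": 0.1, "freq_mode": 0.3, "freq_max": 1.0,   # loss events per year
    "magnitude_p10": 50_000, "magnitude_p90": 2_000_000,  # GBP per event
}
IMPACT_TOLERANCE = 1_000_000  # GBP of annual loss the board has said it will not accept


if __name__ == "__main__":
    results = summarise(simulate_annual_loss(SCENARIO), IMPACT_TOLERANCE)
    for key, value in results.items():
        print(f"{key:>20}: {value:,.2f}")
    print(f"{'analytic mean check':>20}: {analytic_mean_loss(SCENARIO):,.2f}")
```

The design choice worth noting is the heavy tail: because per-event magnitude is lognormal, the mean annual loss is pulled well above the median, so the p90/p95 figures and the tolerance-breach probability, not the mean, are the numbers that should drive control investment decisions. Calibration of the input ranges (who estimated them, on what evidence, how they were challenged) is what a regulator or internal audit will ask about, and it belongs in the risk register entry alongside the output.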
Threat intelligence integration. The role engages with threat intelligence outputs from the National Cyber Security Centre (NCSC), industry-specific Information Sharing and Analysis Centres (ISACs) and commercial threat intelligence providers, translating threat intelligence into adjustments to the firm’s risk profile and control investment priorities.
Regulatory Framework and FCA SYSC 8 Context
Information security risk has become a regulatory-driven discipline in UK financial services and adjacent regulated sectors:
FCA SYSC 8 outsourcing requirements. The Financial Conduct Authority rules on outsourcing require firms to assess and manage the information security risks associated with third-party providers, including cloud service providers, fund administrators, technology vendors and other supplier relationships; dual-regulated firms are additionally subject to the PRA's supervisory statement SS2/21 on outsourcing and third party risk management. The Information Security Risk Officer typically owns the third-party information risk assessment framework.
PRA operational resilience rules. The PRA operational resilience framework (with parallel FCA rules in SYSC 15A for solo-regulated firms) requires firms to identify Important Business Services, set Impact Tolerances and demonstrate the ability to remain within those tolerances during severe but plausible disruption, evidenced through scenario testing. Information security incidents are a primary cause of operational disruption, so the framework places direct expectations on information risk management.
DORA (Digital Operational Resilience Act). The EU regulation, applying from 17 January 2025, that imposes detailed digital operational resilience requirements on financial entities: an ICT risk management framework, classification and reporting of ICT-related incidents, digital operational resilience testing (including threat-led penetration testing for designated entities), ICT third-party risk management and information sharing arrangements. It reaches UK firms through their EU-authorised entities, and UK providers of ICT services to EU financial entities will see its contractual requirements flowed down to them.
NIS2 Directive. The second EU Network and Information Security Directive (Directive (EU) 2022/2555) replaces the original directive's operators of essential services and digital service providers with a broader set of "essential" and "important" entities, and adds management-body accountability and tighter incident reporting obligations. The UK regime remains the Network and Information Systems Regulations 2018 (UK NIS), derived from the original directive; NIS2 has not been transposed in the UK, so the role encounters it through firms' EU operations, where NIS2 compliance is an increasing part of the remit.
Data protection intersection. Information security risk overlaps with UK GDPR and Data Protection Act 2018 compliance. The Information Security Risk Officer typically works closely with the Data Protection Officer on personal data security risk specifically, with clear delineation of responsibilities to avoid overlap or gaps.
Sector-specific frameworks. Different regulated sectors apply additional information risk requirements: the NHS Data Security and Protection Toolkit for healthcare, the Telecommunications (Security) Act 2021 for public telecoms providers, and the NCSC Cyber Assessment Framework (CAF) used by UK NIS competent authorities to assess operators of essential services and other critical national infrastructure operators.
Skills, Profile and Salary Benchmarks
Profile. Senior Information Security Risk Officers typically combine seven to twelve years of experience across information security, risk management, audit or technology consulting roles. The strongest candidates have direct experience operating information risk frameworks in regulated firms, with documented engagement with regulators (FCA, PRA) on information risk matters.
Credentials. Common professional qualifications include CISM (Certified Information Security Manager) and CRISC (Certified in Risk and Information Systems Control) from ISACA, CISSP (Certified Information Systems Security Professional) from (ISC)², CISA (Certified Information Systems Auditor), ISO 27001 Lead Auditor and Lead Implementer certifications, and where relevant FAIR practitioner certification for risk quantification work.
Technical depth. The role requires meaningful technical fluency in security architecture, cloud security models, identity and access management, network security and the security implications of modern application architectures. Pure risk management backgrounds without technical credibility rarely succeed at senior level in this role.
Regulatory engagement experience. Direct experience engaging with the FCA, PRA, ICO and where applicable other regulators on information risk and operational resilience matters. The ability to respond to supervisory letters, manage examinations on technology and operational risk, and represent the firm in regulatory consultations is essential at senior level.
Board and executive communication. The role increasingly involves direct engagement with Risk Committees and where applicable Board committees on information risk matters. The ability to translate technical security risk into commercial impact terms for board-level discussion is a critical skill that separates senior Information Security Risk Officers from technical specialists.
Indicative UK salary benchmarks:
- Senior Information Security Risk Manager (5-10 years): £80,000 to £130,000 base
- Senior Specialist / Director level (10-15 years): £120,000 to £180,000 base
- FTSE 250+ / regulated firm senior: £150,000 to £220,000 base
- Head of Information Security Risk (large bank / insurer): £180,000 to £280,000 base
Annual bonus arrangements typically range from 15% to 40% of base salary depending on sector and firm. Material Risk Taker remuneration regulation applies in regulated firms where the role is in scope, with deferral, malus and clawback provisions affecting the realised value of variable compensation. Searches at senior level typically run twelve to twenty weeks given the technical depth required and the limited senior talent pool in this specialism.
Discuss Your Information Security Risk Search
Whether you are appointing a Senior Information Security Risk Manager, building out a dedicated information risk team, replacing a Head of Information Security Risk or expanding risk capability for DORA, NIS2 or operational resilience programmes — call us to discuss how Exec Capital can help.
Email: recruitment@execcapital.co.uk · All conversations confidential
Related Services
Chief Information Security Officer Recruitment | How to Hire a Chief Information Security Officer | CISO Regulatory Drivers Guide | Chief Risk Officer Job Description | Operational Risk Director Recruitment | Credit Risk Manager Recruitment | Risk Manager Asset Management Recruitment | Compliance Officer Asset Management Recruitment | Financial Services Executive Recruitment | Executive Job Descriptions