Head of Cyber Security & Privacy
Role Purpose
The Head of Cyber Security & Privacy is accountable for implementing and maintaining information security across Nando’s UKI's operations, protecting customers and Nandocas whilst enabling the business to operate securely. This role ensures security policies, standards and practices agreed with and set by the Group CISO are effectively embedded across restaurants, digital platforms, supply chain and support functions within the Nando’s UKI.
The role is a mixture of working with peers and the CISO to set standards and policies and assuring those in market. This individual is also the Data Protection Officer for Nando’s UKI.
Reporting & Accountability
Reports to: UKI Technology Director
Works closely with: Group CISO (for guidance, standards, and frameworks).
Accountable for: UKI cyber security posture, compliance and assurance.
Works closely with the UKI Chief Risk Officer
Works closely with the Head of Product & Delivery- Technology Platforms.
Key Responsibilities
Security Implementation & Operations
Understand Group security Architecture and Implement Group information security policies and standards across Nando’s UKI. Understand how Group policies add to UKIs threat vectors and plan accordingly
Manage day-to-day security operations including monitoring, threat detection and incident response.
Coordinate with the Security Operations Centre on Nando’s UKI-specific threats and incidents.
Maintain the Nando’s UKI cyber security risk register and escalate significant risks.
Conduct security assessments of Nando’s UKI systems, suppliers and processes.
Act as approver for the Data Protection Impact Assessment process.
Incident Response
Act as Nando’s UKI incident commander for cyber security incidents
Coordinate response with Group CISO for major incidents
Document and report incidents following Group standards
Implement lessons learned and track remediation actions
Nando’s UKI Stakeholder Engagement
Build relationships with Nando’s UKI leadership (Tech, People, Ops, Risk, Legal, Supply Chain)
Ensure security is embedded in Nando’s UKI initiatives, projects and training.
Support the Nando’s UKI CEO to understand and prioritise cyber security
Translate technical security risks into business impact for Nando’s UKI stakeholders
Security Culture & Awareness
Deliver security awareness training to Nando’s UKI teams using Group materials
Make security engaging and relevant to restaurant teams and support office staff
Act as the face of security in the Nando’s UKI - visible, approachable and credible
Communicate security in line with Nando's values and tone of voice
Maintain knowledge of the evolving threat landscape, relevant regulatory requirements, and industry standards applicable to Nando’s (e.g. ISO 27001 and NIST)
Keep abreast of emerging risks related to technology, data privacy, and cyber security
Actively engage with reputable industry bodies, publications, and peer networks, and apply relevant insights to continuously assess whether the organisation's security posture, policies, and controls remain fit for purpose.
Third-Party & Vendor Management
Assess security risks of Nando’s UKI-specific suppliers and vendors
Work with Procurement to ensure security requirements in supplier contracts
Monitor ongoing compliance of third parties with security standards
Escalate significant third-party risks to Group CISO
Compliance & Audit
Ensure and demonstrate Nando’s UKI compliance with Group security policies and relevant legislation (e.g. GDPR, local data protection laws)
Coordinate Nando’s UKI participation in security audits and assessments
Maintain evidence and documentation for compliance reporting
Support Group CISO with regulatory reviews affecting the Nando’s UKI
Architecture & Projects
Review and approve security requirements for Nando’s UKI technology initiatives
Ensure secure configuration of Nando’s UKI systems and infrastructure
Work with Group CISO to implement identity and access management standards
Support secure deployment of the Global Nando's Platform in the Nando’s UKI
Data Security
Implement data classification and data lifecycle management practices
Ensure sensitive data is appropriately protected across the Nando’s UKI
Monitor and report on data security metrics
Investigate and remediate data security incidents
Skills & Qualifications
Essential
5+ years experience in information security, with at least 2 years in a leadership role
Strong practical knowledge of security operations, incident response and risk management
Experience implementing security frameworks (NIST CSF, ISO 27001 or similar)
Ability to influence stakeholders without direct authority
Excellent communication skills - can explain technical risks to non-technical audiences
Understanding of GDPR and data protection principles
Experience working in multi-site or retail/hospitality environments
Desirable
Relevant certifications (CISSP, CISM, Security+, CEH or similar)
Experience with cloud security (AWS, Azure, GCP)
Up to date knowledge of security tools (SIEM, EDR, vulnerability management)
Understanding of secure development practices
Experience in a franchised or multi-site organisation
What Success Looks Like
Year 1:
Nando’s UKI leadership understands and actively supports security priorities
Clean audit outcomes against Group security standards
Security embedded in all major Nando’s UKI projects and initiatives
Effective incident response demonstrated through exercises and/or real incidents
High engagement rates with security awareness programmes
Ongoing:
Nando’s UKI consistently meets Group security metrics and KPIs
Strong working relationship with Group CISO and other Nando’s UKI Heads of Security
Proactive identification and mitigation of Nando’s UKI-specific risks
Security seen as an enabler rather than a blocker
Positive feedback from Nando’s UKI stakeholders on security support and guidance
#LI-DNI
