Security and Risk Specialist

As a subject matter expert, you’ll take ownership of IT risk and security controls across E.ON UK, ensuring our technology, suppliers, and systems meet the highest standards of security, compliance, and resilience. Working in a complex multi-supplier environment, you’ll assess and manage IT risks end-to-end, ensuring appropriate mitigation plans are in place and executed effectively. You’ll act as a trusted advisor across the business, providing leadership, guidance, and challenge at all levels – including acting on behalf of the CTO when required.

Key Responsibilities

• Lead the management of IT security risks and controls across E.ON UK, including supplier compliance, audits, certifications, and accreditations.
• Define, implement, and maintain robust security controls across a complex multi-supplier technology environment.
• Assess, document, and treat security risks, ensuring appropriate mitigation plans are developed and delivered.
• Act as a security and risk champion across Digital Technology, providing guidance, coaching, and support to teams and suppliers.
• Chair and represent E.ON in supplier security working groups and the wider E.ON security community, including engagement with CERT.
• Set standards for security documentation, reviewing supplier outputs and ensuring alignment with best practice.
• Scope, commission, and interpret penetration testing activities, translating findings into business-focused risk and remediation plans.
• Effective management of security vulnerabilities by working with suppliers to identify, evaluate and remediate
• Work closely with Information Security, Internal Controls, Audit Services, and senior stakeholders to ensure continuity and consistency of controls.
• Coach and support junior team members, contributing to capability and knowledge development across the function.

Essential
• At least 5 years’ experience in IT security and architecture.
• Strong experience working with cloud computing technologies.
• Knowledge and practical experience of ISO 27001 and ISO 27002, including operating within an ISMS.
• Proven track record of delivering security improvement initiatives and security awareness programmes.
• Experience applying industry best practice frameworks such as NCSC, NIST, OWASP, SAMM, or SABSA.
• Ability to provide security consultancy across multiple projects, advising on risk, treatment options, and controls.
• Demonstrable experience conducting information security risk assessments, threat modelling and guiding others on effective risk management.
• Experience scoping and managing penetration testing for internal and third-party solutions.
• Excellent written and verbal communication skills, with the ability to translate technical risk into business language.

Desirable
• Experience working in a multi-site, multi-vendor environment.
• Knowledge of vulnerability management tools such as Qualys or Wiz.
• Professional security qualifications (e.g. CISSP, ISSAP, CISM, CRISC).
• Experience providing third-party security assurance during supplier selection and contract management.
• Experience implementing or auditing ISO 27001, ideally as a lead auditor or implementer.