Cyber Security Manager

Here's what you'll be doing

We’re looking for a Cyber Security Manager to be the cornerstone of IT security for npower Business Solutions (nBS), the Industrial & Commercial arm of E.ON UK.

Based in Nottingham or Solihull, this permanent role (with FTC options considered) sits at the heart of our transformation - establishing and operating a robust Information Security Management System (ISMS), embedding best practices across our evolving BusDevSecOps culture, and providing expert guidance on everything from secure architecture and fraud prevention to emerging governance frameworks.

Operating within the E.ON Group’s overarching cyber security framework, you’ll navigate a complex multi‑supplier ecosystem and lead the security agenda as we transition from a traditional service model to a modern product and DevSecOps environment.

This role blends deep governance expertise with hands-on technical acumen, advising stakeholders at all levels, including the C‑suite.

What you’ll be doing

  • Own cyber security, IT risk and controls for nBS - ensuring effective governance, risk management, and audit readiness are embedded and operating smoothly.
  • Lead threat and risk assessments to ISO 27005, producing consolidated risk reports, defining KRIs, and managing remediation plans through their lifecycle.
  • Develop, implement and mature the ISMS aligned to ISO 27001, Smart Energy Code (SEC) and emerging standards including ISO 42001 (AI Management) and the Cyber Assessment Framework (CAF) / CRA.
  • Promote heightened cyber risk awareness across nBS - running drop‑in sessions, roadshows, and targeted C‑suite engagement.
  • Act as a trusted adviser on strategies, controls, and architectural patterns to mitigate external threats, providing pragmatic guidance to product teams and leadership.
  • Drive compliance and certification across key regulations and standards: Smart Energy Code (SEC), Retail Energy Code (REC), PCI DSS, GDPR, Cyber Essentials, and the Cyber Assurance Framework - including planning and supporting internal control testing, and acting as primary liaison with internal/external auditors.
  • Be the security cornerstone in our product and DevSecOps transition - guiding secure architecture, secure coding practices, threat modelling, and integrating controls throughout the SDLC.
  • Manage third‑party security posture across our multi‑supplier ecosystem - covering onboarding, contractual controls, auditing, and ongoing reviews for SaaS, integration, and infrastructure providers.
  • Own legislation and compliance engagement for PCI DSS, DPA/GDPR, SEC, REC, CRA/CAF, and related UK initiatives (e.g., the Cyber Resilience Bill, the evolving UK Cyber Security Bill).
  • Scope and coordinate penetration tests - managing delivery with relevant teams and ensuring findings are triaged, tracked, and resolved in line with nBS’s risk appetite.
  • Champion a culture of security - delivering coaching and presentations from engineering squads to the C‑suite, ensuring security is a value‑add, not a blocker.

What we need from you

Essential

  • Proven track record of taking companies through audits and certifications - planning, readiness, engagement, and successful outcome delivery (e.g., SEC/REC, Cyber Essentials, SOC 2 Type II, PCI DSS, ISO 27001).
  • A strong understanding of the UK energy sector’s regulatory landscape, particularly Smart Energy Code (SEC) and Retail Energy Code (REC), with at least 5 years’ experience in Smart.
  • Credibility and presence at senior level, with the confidence to engage and influence the C‑suite.
  • Experience operating in a complex, multi‑supplier environment - including onboarding, auditing, and ongoing review of third‑party security posture.
  • Hands‑on ISMS expertise - establishing, operating, and maturing an ISMS aligned to ISO 27001.
  • Strong technical acumen - secure architecture design, practical security guidance within DevSecOps or Agile settings, and integrating controls through the SDLC.
  • Significant experience in IT risk management - conducting assessments (e.g., ISO 27005), managing risks end‑to‑end, and defining meaningful KRIs.
  • Demonstrated subject matter expertise in at least two of: ISO 27001, ISO 42001, Data Protection Act / GDPR, SOC 2 Type II.
  • Experience ensuring compliance with security policies, controls and procedures; comfortable with frameworks such as the Cyber Assurance Framework (CAF) and Cyber Essentials.
  • Familiarity with evolving UK initiatives and audits: Smart Energy Code, UK Cyber Security Bill, FUSA audits (or equivalent functional safety/security assessments), Cyber Resilience Bill.

Desirable

  • Certifications: CISSP (must‑have); CISM; ISO 27001 Lead Auditor or Lead Implementer.
  • Experience building ways of working in a DevSecOps environment (tooling, pipelines, IaC guardrails, policy‑as‑code).
  • Understanding of legal frameworks relevant to data protection, cyber resilience, and operational compliance in energy markets.

If you’re ready to shape the cyber security backbone of a leading energy business and thrive in a fast‑moving, product‑led environment, we’d love to hear from you.

Here’s what you need to know

  • Award-Winning Workplace - We’re proud to be named a Sunday Times Best Place to Work 2025 and the Best Place to Work for 16–34-year-olds.
  • Outstanding Benefits - Enjoy 26 days of annual leave plus bank holidays, a generous pension, life cover, bonus opportunities, and access to 20 flexible benefits with tax/NI savings.
  • Flexible & Family-Friendly - Our industry-leading hybrid and family-friendly policies earned us double recognition at the Personnel Today Awards 2024. We’re open to discussing how flexibility can work for you.
  • Inclusive & Diverse - We’re the only energy company in the Inclusive Top 50 UK Employers. We’re also proud winners of Best Employer for Women and Human Company of the Year—recognising our inclusive, people-first culture.
  • Support at Every Stage of Life - We’re Fertility Friendly and Menopause Friendly accredited, with inclusive support for everyone.
  • Accessible & Supportive - Do you consider yourself as having a disability? As a Disability Confident Employer, we guarantee interviews for disabled applicants who meet the minimum criteria for the role and will make any adjustments needed during the process.
  • Invested in Your Growth - From inclusive talent networks to top-tier development programmes, we’ll support your growth every step of the way.

 

At a glance

  • Reference no.: 241644
  • Closing date: 09/01/2026
  • Salary: Competitive

Get in touch

For more information about the role please contact the hiring manager clare.lees@eon-uk.com

About us

E.ON is a privately owned international energy company. Our 75,000 colleagues in 15 countries work daily towards the improvement of technical innovations and user-friendly customer solutions for the new energy world. We are the first large energy company to focus more heavily upon the energy of the future through our three business areas of energy networks, renewable energies and customer solutions.

Connect with us

www.eon-uk-careers.com

Location: Solihull, GB