Tony Blair Institute for Global Change
Director of Security & Compliance

How your CV stacks up
Upload your CV to see how well it fits this job role
?%
We don’t just talk, we do. Lead the change with us. At the Tony Blair Institute for Global Change, we work with political leaders around the world to drive change. We help governments turn bold ideas into reality so they can deliver for their people. We do it by advising on strategy, policy and delivery, unlocking the power of technology across all three. And by sharing what we learn on the ground, so everyone can benefit. We do it to build more open, inclusive and prosperous countries for people everywhere. We are a global team of over 800 changemakers, operating in more than 40 countries, across five continents. We are political strategists, policy experts, delivery practitioners, technology specialists and more. We speak more than 45 languages. We are working on over 100 projects, tackling some of the world’s biggest challenges. We’re all here at TBI to make a difference. In a world of ever more complex challenges, we believe diversity of background and perspective is a strength. We pride ourselves on a culture that values and nurtures difference. We are dedicated to unlocking potential, not only for the countries we work in but also for each of our team members. No matter where you’re from or who you are, if you’re passionate about the transformative power of progressive politics, we invite you to build a better future with us.
Role Summary
TBI operates globally in politically sensitive environments, handling sensitive policy, advisory and donor information across multiple jurisdictions. Following the establishment of Cyber Essentials+ certification, a live outsourced SOC and a 24/7 monitoring posture, Digital is now entering a phase of security and compliance maturity that includes ISO 27001 ambition, AI security and governance across a rapidly expanding AI estate, and a deepened compliance posture across the regulatory regimes in which TBI operates.
The Director of Security & Compliance is a new, senior role accountable for the security, governance, risk, compliance, continuity and data protection posture of TBI. Reporting to the CTO, this role leads the Security & Compliance function - the IT Security Engineer and the outsourced SOC - and provides authoritative leadership on cyber, AI and information security across the Institute.
It is the named accountable owner for our certifications, our risk register, our continuity arrangements and the security and governance of our AI estate.
You will be an experienced security and compliance leader with deep expertise in modern cyber operations, governance frameworks (ISO 27001 in particular), risk management and the security and governance of AI in an enterprise context. You will work closely with Legal & Risk, the Director of Applications, the Enterprise Architect and the CTO to ensure our security posture enables rather than constrains TBI's mission.
Reasons to use Rodeo
I’m in my final year doing Economics and I don’t know whether to apply for grad schemes now or do a masters first. What do you think?
Honest answer — it depends on where you want to end up. A lot of top grad schemes (Big 4, civil service, banking) don’t need a masters. Let’s look at the ones you’d be competitive for now, and we can decide if a masters actually adds anything.
Also worth knowing: most autumn 2026 applications are open now. Timing matters more than you think.
Start with a chat, not a search bar
Grad scheme, placement, apprenticeship? Not sure what you want yet — that's fine. Your agent talks it through with you and turns "I have no idea" into a shortlist.
Graduate Consultant — 2026 Scheme
Why you're a good match
StrongYour economics background and your summer at a regional bank line up with what PwC looks for on the consulting scheme. Applications close in four weeks.
See breakdownIt searches the market for you
Every day your agent scans the market matching roles against what actually matters to you, not just keywords on a CV.
Why you're a good match
You’ve got the grades and the economics background, and your bank internship is exactly the experience this scheme looks for. Apply soon — deadlines close within the month.
Experience fit
Your summer at the bank plus your econometrics coursework map directly to the day-one responsibilities on this scheme — client modelling, market briefings, and deal support.
Only hits
No noise. No "maybe this fits." Just roles with a clear explanation of why they're right — and where to focus when applying.
Key Responsibilities
Security Operations
- Accountable for security monitoring, incident response, remediation and security tooling / platform management across TBI (both internal and external)
- Own the relationship with the outsourced SOC and line manage the IT Security Engineer
- Own the firm-wide security awareness programme - phishing simulation, user training and security culture (delivered through a vCISO arrangement where appropriate)
- Own the design of identity, access (RBAC) and authentication (MFA / SSO) standards, partnering with the Global Service Desk Manager who owns day-to-day operation
Governance, Risk & Compliance
- Own TBI's IT governance framework adoption and maintenance, including the supporting RAPID and accountability mapping
- Own the regulatory and standards compliance posture - GDPR, ISO 27001, Cyber Essentials+, and others - including certification maintenance, control evidence, audit readiness and statutory reporting
- Lead TBI's path to ISO 27001 certification as a strategic programme, including the definition of certification scope across emerging functions and capabilities
- Own the central Digital & Data Security risk register - identification, assessment, mitigation and ongoing maintenance - in partnership with Legal & Risk
Data Protection & Privacy
- Own the data classification framework (design and operation), data retention policies and the GDPR / data subject rights operating model
- Partner with Legal on the firm-wide data protection programme and breach notification process
Continuity
- Own disaster recovery and business continuity planning, testing and recovery - including RTO / RPO definition for critical systems and the incident communications plan
AI Security & Governance
- Own the security posture of TBI's AI estate - access and authentication for AI platforms, prompt and output data protection, prompt injection and jailbreak defence, and third-party AI vendor risk assessment (Anthropic, OpenAI, Salesforce Einstein, and others)
- Own TBI's Responsible Use Policy for AI tools across the firm
- Partner with the Director of Applications, the Enterprise Architect and the CTO to ensure all AI initiatives across TBI - including AI capability developed outside of Digital - sit within an appropriate security and governance envelope


Get help with your application
Your very own career expert that helps elevate your application to the next level.
DevSecOps
- Own DevSecOps practice: secret management, vulnerability scanning (SAST / DAST / dependency scanning), pipeline security gates, container and workload security and code-level vulnerability management
- Partner with the Director of Applications to embed security controls into the engineering practice without becoming a delivery blocker
Third-Party Risk
- Own third-party security risk assessment and ongoing vendor security monitoring, in partnership with the Head of Digital Transformation & Performance, who owns the vendor relationship and performance lifecycle
Person Specification
- Significant senior leadership experience in security and compliance roles within a mid-to-large global organisation
- Deep, demonstrable expertise in ISO 27001 - ideally as named lead on a successful certification programme - together with working knowledge of SOC 2, NIST CSF and other relevant frameworks
- Strong technical credibility across modern security operations: SIEM, EDR, IAM, vulnerability management and DevSecOps tooling
- Demonstrable expertise in GDPR and data protection in a global, multi-jurisdiction context
- Demonstrable understanding of AI security and AI governance - prompt injection, model risk, third-party AI vendor risk and the operational realities of running an AI estate at scale
- Experience designing and running risk registers and risk processes at organisational level
- Strong stakeholder credibility at executive level; able to articulate security posture in business terms and influence non-technical audiences
- Pragmatic, proportionate and able to balance security rigour with delivery velocity
- Experience managing technical security staff and outsourced security partners
- Comfortable operating in politically sensitive contexts and exercising judgement on disclosure, escalation and risk acceptance
Qualifications & Certifications
- Essential: One or more of these certifications
- CISSP (ISC)
- CISM (ISACA)
- ISO 27001 Lead Implementer
- CIPP/E or CIPM (IAPP)
- CRISC or CGEIT (ISACA)
- CCSP
- AIGP
Candidates must have the legal right to work in the UK to apply for this role. We reserve the right to close this role early if we receive a sufficient number of applications.
Closing Date: 2026-08-09
“It took my CV and asked me questions relevant to understanding what kind of jobs to suggest for me. Suggestions were almost perfect. Jobs were exactly what I’ve been looking for.”
Jessica, London
Skills
Location