IAG Transform
Head of Cyber, Risk & Assurance

How your CV stacks up
Upload your CV to see how well it fits this job role
?%
About Us
We are part of International Airlines Group (IAG), one of the world’s leading airline groups and owner of some of the biggest brands in the sky. IAG Transform provides creative and innovative solutions to drive sustainable transformation by delivering procurement and airline services, as well as group-wide systems across IAG. Each operating company benefits from the Transform centralised model, driving efficiencies, automation, and economies of scale.
Purpose of the Role
The Head of Cyber Governance and Assurance is accountable for establishing and leading the Group-wide cyber governance, risk and assurance function across the International Airlines Group (British Airways, Iberia, Vueling, Aer Lingus, LEVEL, IAG Cargo, IAG Loyalty, and IAG Transform). This role builds a risk‑led, threat‑informed and resilience‑focused assurance programme, integrating:
- Cloud and IT Resilience / Disaster Recovery assurance (including Third Parties)
- Continuous KPI monitoring
- Vulnerability remediation assurance
- Business continuity and Crisis response readiness assurance
The Head of Cyber, Risk & Assurance is a senior leadership role within IAG Group Cyber Security & Technology, accountable for building and running a rigorous, independent function that provides the IAG and the Group CISO with accurate, evidence based assurance over the Group's cyber security and technology risk posture.
Your Responsibilities
Strategy & Operating Model Leadership
- Define and maintain the Group Cyber, Risk & Assurance Strategy, aligning IAG’s risk appetite, regulatory requirements, threat landscape, and business priorities.
- Establish a cohesive assurance operating model within the Group
- Integrate IT Resilience and DR assurance, ensuring the right capabilities and processes are in place to achieve the required maturity and provide reliable confidence.
- Strengthen KPI monitoring by establishing ongoing measurements that highlight resilience gaps and emerging risks.
Group-Level Cyber Risk Management
- Own and maintain the IAG Group Cyber Risk Register, ensuring it accurately reflects the aggregated risk landscape across all OpCos, is grounded in threat intelligence, and is aligned to IAG's enterprise risk framework.
- Define, maintain, and periodically review the Group Cyber Risk Appetite Statement in collaboration with the Group CISO, ensuring it is quantified, measurable, and linked to business impact.
- Conduct regular structured risk assessments at Group level, incorporating cross OpCo systemic risks, shared dependencies (e.g. shared platforms, IAG Connect network, Avios loyalty infrastructure), and third-party supply chain risks.
- Develop and maintain a cyber risk taxonomy that enables consistent risk identification, classification, and escalation across all OpCos.
- Ensure that Group-level risks are escalated in a timely and structured manner, with clear risk owners, mitigating actions, and residual risk assessments.
- Engage with OpCo risk functions to understand local risk profiles and ensure material risks are surfaced to Group level — without duplicating OpCo accountabilities.
- Drive quantification of cyber risk in business and financial terms (e.g. operational disruption cost, regulatory fine exposure, reputational impact), enabling risk-informed investment decisions by the IAG Executive Committee.
Resilience, Crisis Readiness & Recovery Assurance
- Provide Group-level assurance over IT/Cloud Resilience, backup/recovery capabilities, and disaster recovery test execution.
- Ensure resilience controls are measurable, tested routinely, and aligned with IAG's operational needs (airline operations, airports, ground operations, cargo, loyalty services).
- Drive the evolution from periodic testing to continuous assurance, improving coverage and reducing manual effort.
- Oversee assurance of cyber crisis response readiness, simulation testing, and crisis playbook validation
Reasons to use Rodeo
I’m in my final year doing Economics and I don’t know whether to apply for grad schemes now or do a masters first. What do you think?
Honest answer — it depends on where you want to end up. A lot of top grad schemes (Big 4, civil service, banking) don’t need a masters. Let’s look at the ones you’d be competitive for now, and we can decide if a masters actually adds anything.
Also worth knowing: most autumn 2026 applications are open now. Timing matters more than you think.
Start with a chat, not a search bar
Grad scheme, placement, apprenticeship? Not sure what you want yet — that's fine. Your agent talks it through with you and turns "I have no idea" into a shortlist.
Graduate Consultant — 2026 Scheme
Why you're a good match
StrongYour economics background and your summer at a regional bank line up with what PwC looks for on the consulting scheme. Applications close in four weeks.
See breakdownIt searches the market for you
Every day your agent scans the market matching roles against what actually matters to you, not just keywords on a CV.
Why you're a good match
You’ve got the grades and the economics background, and your bank internship is exactly the experience this scheme looks for. Apply soon — deadlines close within the month.
Experience fit
Your summer at the bank plus your econometrics coursework map directly to the day-one responsibilities on this scheme — client modelling, market briefings, and deal support.
Only hits
No noise. No "maybe this fits." Just roles with a clear explanation of why they're right — and where to focus when applying.
Policy Assurance
- Maintain an ongoing program of policy compliance assurance across all OpCos, verifying that entities have implemented and embedded Group policies within their local control environments.
- Work closely with the Head of CTO to ensure assurance activity is aligned to policy maturity stages and identifies deviations in a structured manner.
- Report on OpCo policy compliance status, tracking formal exceptions, waivers, and remediation plans.
- Ensure Group minimum standards are consistently interpreted and applied across OpCos.
Oversight, Governance & Quality Assurance
- Design and own the IAG Group Cyber Assurance Framework, defining assurance levels, methodologies, evidence standards, and sampling approaches — aligned to the risk-tiered assurance levels used across the Group (self-certified through to full IAG / External Assurance review).
- Establish and manage an annual Assurance Plan that prioritises OpCo assessments based on risk profile, historical compliance performance, threat landscape, and regulatory obligations.
- Conduct active assurance reviews of OpCo-submitted compliance data, KPIs, and control attestations — not merely accepting self-certified evidence but independently validating it through structured testing, evidence sampling, interviews, and technical review.
- Maintain and operate a Data Accuracy and Validation Framework: implement systematic checks to verify that metrics and compliance positions reported by OpCos to the Group are consistent, accurate, and not subject to selective or misleading reporting.
- Identify and escalate instances where OpCo-reported data is inaccurate, incomplete, or inconsistent with independently obtained evidence — maintaining a clear escalation path to the Group CISO.
- Operate the Group's risk-tiered Assurance Level model, ensuring the appropriate level is applied proportionate to risk.
- Develop a continuous assurance monitoring capability, using automated data feeds, telemetry, and tooling to maintain an up-to-date view of control effectiveness between formal assurance cycles.
- Maintain a consolidated Findings and Remediation Tracker — tracking all identified control gaps, assigned risk owners, target remediation dates, and evidence of closure across all OpCos.
- Provide structured feedback loops to OpCo CISOs and security leads, ensuring findings are understood, accepted, and actioned within agreed timescales.
Reporting & Executive Engagement
- Provide clear, aggregated Group-level reporting on assurance effectiveness and remediation progress.
- Prepare executive-level dashboards and assurance summaries.
- Present assurance outcomes to the Group CISO, OpCo CISOs, senior technology executives, and, when needed, Audit & Risk Committees.
- Engage with Internal Audit to ensure cyber related audit activities are aligned with the assurance programme and avoid duplication or blind spots.
Regulatory & External Engagement
- Ensure the assurance programme satisfies regulatory requirements (e.g. NIS/NIS2, aviation regulatory requirements or external customer due diligence needs).
Remediation Prioritisation & Risk Reduction
- Partner with OpCo stakeholder areas to drive effective remediation.
- Identify cross‑OpCo systemic weaknesses and propose Group-wide corrective programs.


Get help with your application
Your very own career expert that helps elevate your application to the next level.
Your Skills, Experience and Qualifications
- 10+ years of cyber assurance leadership experience, with strong exposure to global, complex, regulated, federated organisations.
- Demonstrated experience leading cyber assurance, IT audit, or second‑line risk functions.
- Proven experience in resilience assurance—crisis readiness, BCP/DR, cloud / IT resilience, and recovery validation.
- Proven track record of designing and delivering independent assurance programs — including evidence validation, structured testing, and assurance reporting — in a complex, regulated environment.
- Direct experience of cyber risk management at enterprise or Group level, including risk register ownership, risk appetite setting, and Board/Committee reporting.
- Demonstrable experience challenging and independently validating data submitted by operating entities, identifying inaccuracies, and managing escalations professionally.
- Familiarity with regulatory frameworks (e.g. NIST CSF, ISO 27001/2, PCI DSS, GDPR, NIS/NIS2/UK NIS)
- Strategic, analytical, and able to define long‑term transformational assurance roadmaps.
- Strong business acumen with the ability to connect control failures to operational risk impacts (e.g., airline operations, airport disruptions).
- Excellent storyteller with data—able to translate metrics and complex control evidence into actionable insights.
- Strong leadership, influencing and stakeholder management skills across federated and multicultural organisations.
- Advocates “no surprises” assurance culture, independence, and transparency.
What We Offer
- The chance to enjoy a challenging career in an exciting, fast-moving environment in a dynamic industry.
- The opportunity to work in a multi-cultural environment with great offices in many locations.
- We support our people in maintaining work/life balance, as well as providing the many benefits one would expect from a global organisation, including health insurance, pension and performance bonuses.
- We are an equal opportunities employer and all qualified applicants will receive consideration for employment without regard to race, colour, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law
IAG Transform
IAG Transform is a part of International Airlines Group (IAG). IAG is one of the world’s largest airline groups with 600+ aircraft carrying more than 122 million customers to 260 destinations across 91 countries each year. IAG brings together leading airline brands Aer Lingus, British Airways, Iberia, Level, Vueling. These are supported by IAG Loyalty that spans all its airlines and beyond, offering the global currency Avios and including BA Holidays, and IAG Cargo which delivers vital goods and produce around the world. These businesses are complementary to its core airline businesses.
As the first airline group globally to commit to net zero by 2050, sustainability is a core part of IAG’s strategy. IAG Transform plays a critical role in driving transformation across IAG and the aviation industry, through expertise and capabilities in procurement, technology, AI, innovation, and transformation. We are based in London, UK, with a presence in Dublin, Madrid, Barcelona and Kraków.
With us, your work will create real impact, from everyday improvements to breakthrough change that reshapes the way the world flies.
“It took my CV and asked me questions relevant to understanding what kind of jobs to suggest for me. Suggestions were almost perfect. Jobs were exactly what I’ve been looking for.”
Jessica, London
Skills
Location