VP Information Security

The Deputy CISO is the CISO's principal delegate and second-in-command, accountable for day-to-day execution of the global cyber security program, team leadership and for elevating security influence across the enterprise. The role ensures cohesive strategy, robust operations, and clear business alignment in a complex logistics environment, including WMS/TMS platforms and warehouse robotics, IoT, and OT. The Deputy CISO strengthens succession planning, executive decision-making, and senior business partnering across the organisation.

Operates in a global role, based at either of our UK corporate HQs (London or Northampton).

Key Responsibilities:

Strategy

• Support the CISO in translating the enterprise risk appetite into an actionable, outcome-driven security strategy; and support the multi-year roadmap and quarterly OKRs.
• Chair the executive security governance forums and drive enterprise security governance mechanisms.

Architecture & Engineering

• Oversee Security Architecture and Engineering; ensure "secure-by-default" across cloud, application, data, identity, and infrastructure landscapes.
• Establish IDAM function with clear RACI and coherent operating model.
• Govern the security tooling strategy and operating model (build vs. buy vs. MSSP); maximize value from SIEM, SOAR, IAM, PAM, EDR, DLP, DSPM, and CTI platforms.

Security Operations & Incident Response

• Accountable for SOC performance (24 7 detection, response, threat hunting), DFIR, purple-team/assurance, ransomware preparedness, and crisis playbooks.
• Maintain executive incident communications, regulator notifications, and post-incident improvements.
• Act as escalation point for any security related service failures or major incidents.

Threat and Vulnerability Management

• Support the TVM team in continuously reducing vulnerability levels in the organisation.
• Recommend procedural improvements and reporting to drive constant improvement.
• Drive secure-by-design into applications and ensure all applications and the wider estate are sufficiently tested for signs of vulnerability.

Governance, Risk & Compliance (GRC)

• Ensure audit readiness, control effectiveness (key SOX/ITGC, NIST/ISO mappings), and remediation governance; lead policy lifecycle and attestations.
• Oversee the enterprise risk process (RCSA, KRIs), executive reporting, and board risk briefings.
• Improve third-party risk management (carriers, 4PL/3PL partners, SaaS/IaaS providers) and regulatory alignment

Business Partnering & PMO

• Ensure the Business Partnering function embeds security in product/platform roadmaps and regional operations (Americas/EMEA/APAC).
• Oversee the InfoSec PMO: portfolio selection, prioritization, benefits tracking, and transparent delivery reporting to business and technology leaders.

People, Culture & Leadership

• Provide day-to-day management of InfoSec senior leaders (four directors/senior directors) and their teams; build succession paths, mentorship, and leadership development.
• Sponsor Security Awareness & Culture programs and executive engagement; promote inclusive, high-performance behaviors.

The role has enterprise-wide accountability for the execution of the global cyber security program, ensuring effective risk management, operational resilience, and alignment with business strategy. It influences executive decision-making, enterprise risk posture, and regulatory outcomes across a complex global logistics environment.

You will operate in a complex and evolving threat landscape, requiring continuous improvement of security processes, tooling, and operating models. You will address ambiguous and high-impact challenges across technology, risk, and business domains with enterprise-wide implications.

The role engages extensively with the CISO, regulators, and senior business and technology leaders. It is responsible for executive-level incident communications, regulatory engagement, and influencing security outcomes across regions and functions.

You will provide leadership to senior InfoSec leaders and their teams, supporting performance, development, and succession planning across the global security organisation.

Experience and Qualifications Required:

• 15+ years in information security with progressive leadership; 8+ years leading multi-disciplinary teams across SecOps/IR, GRC, Engineering/Architecture and Business Partnering.
• Demonstrated success interfacing with boards/executive committees; executive incident leadership and public/regulatory communications.
• Deep experience in either GRC or technical cyber security.
• Experience in managing and leading global cross-functional and cross regional tech teams.
• Experience in Continuous improvement, six sigma or other improvement tools to drive business performance and create value
• Strong understanding and maturing of IT operating models in matrixed, global environments.
• Demonstrated success in driving technology standardization and transformation programs.
• Bachelor's degree in computer science, engineering, or a related field; advanced degree preferred.
• CISSP (or CISM)
• Other security certifications.

• Travel requirement - up to 20%

GXO is a leading provider of cutting-edge supply chain solutions to the most successful companies in the world. We help our customers manage their goods most efficiently using our technology and services. Our greatest strength is our global team - energetic, innovative people of all experience levels and talents who make GXO a great place to work. GXO is an equal opportunity employer. We celebrate, support and thrive on diversity and are committed to creating an inclusive environment for all employees. We believe that diversity and inclusion in our business is critical to our success as a global company, and we seek to recruit, develop and retain the most talented people from a diverse candidate pool. We are an Armed Forces friendly organisation and Disability Confident Leader as part of the Disability Confident Scheme (GIS) and actively welcome applications from people with disabilities.

The above statements are intended to describe the general nature and level of work being performed by people assigned to this classification. They are not intended to be construed as an exhaustive list of all responsibilities, duties, and skills required of personnel so classified. All employees may be required to perform duties outside of their normal responsibilities from time to time, as needed. Review GXO's candidate privacy statement