OT Cyber-Security GRC

Key Responsibilities: Responsibilities include but are not limited to:

1. Audits & Assurance

• Plan, coordinate and support OT security audits, assessments and self-assessments across sites and regions.

• Act as the primary interface for internal audit, external auditors, regulators and assessors on OT security matters.

• Ensure audit findings are risk-assessed, prioritised, tracked and remediated in collaboration with stakeholders.

• Maintain evidence, documentation and artefacts required to demonstrate compliance.

• Support alignment and assurance activities with applicable OT cybersecurity standards and regulations.

2. Risk Management

• Lead and maintain OT cyber risk assessments, considering security, safety, environmental, assets and regulatory impacts aligned to 62443.

• Ensure OT risks are documented, owned and aligned with risk management frameworks.

• Define and maintain risk registers, including threat, vulnerability and consequence-based risks.

• Support risk treatment planning and track risk acceptance, mitigation and residual risk decisions.

• Translate technical OT risks into clear, business-relevant risk statements for leadership and governance committees.

3. Supply Chain & Third-Party Risk Management

• Own and maintain OT security requirements for suppliers, consultants and vendors.

• Assess and manage third-party cyber risks associated with OT systems, software, hardware and remote access.

• Support secure onboarding and ongoing assurance of critical OT suppliers and service providers.

• Ensure contractual and procurement processes include appropriate OT security access, and resilience requirements.

• Monitor and respond to supply-chain-related vulnerabilities, advisories and incidents.

4. External Compliance Training & Awareness

• Own and coordinate OT security strategy for training and awareness for internal teams, contractors and relevant third parties.

• Ensure training content reflects real OT risks, regulatory expectations and operational realities.

• Support compliance-driven training obligations required by regulators, customers/contractual commitments.

• Promote a risk-aware and safety-conscious security culture across engineering and operations.

• Track and report on training and awareness completion and effectiveness where required.

5. Incident Response (IR)

• Support and govern OT-specific incident response planning and readiness.

• Ensure OT incident response procedures are aligned with safety, operational and regulatory requirements.

• Coordinate OT involvement during incidents, including forensics, reporting and post-incident reviews.

• Ensure lessons learned are captured and translated into improvements to controls and processes.

6. Business Continuity & Disaster Recovery (BCP/DR)

• Support the development and governance of OT business continuity and disaster recovery plans.

• Ensure BCP/DRP reflects realistic OT recovery scenarios, dependencies and constraints.

• Align OT recovery objectives with safety, production and regulatory expectations.

• Participate in and support BCP/DRP testing, exercises and reviews.

• Ensure cyber-related disruptions are considered within operational resilience planning.

7. Crossover Responsibilities

• Act as a central point of coordination between security, engineering, operations, legal. HSEQ and compliance.

• Maintain OT security policies, standards and procedures within the GRC domain.

• Support executive and board reporting on OT security risk, compliance status and resilience.

Drive continuous improvement of the OT security governance framework CSMS.

Knowledge, Skills and Abilities

• 5-7 years’ strong knowledge of OT cybersecurity governance, risk and compliance.  

• Strong expertise of IEC 62443 series.

• Understanding of cyber/physical risk, safety, environmental, assets and regulatory impacts.

• Experienced understanding of industrial environments, OT lifecycles and operational constraints.

• Skilled in conducting/coordinating OT security audits, assessments, compliance activities and maintaining risk registers.

• Able to support IR, BCP and DRP planning and exercising.

• Delivering and coordinating OT training and awareness strategies.

• Expert in preparing clear documentation, evidence and executive-level reporting. 

• Ability to communicate complex risk clearly to technical and non-technical audiences.

• Ability to work across global and regulated environments.

Cross-team collaboration, attention to detail, documentation discipline, risk communication & continuous improvement mindset