Jason Dear

I have worked across various sectors mainly in the field of risk management, counter fraud, information security and governance for over ten years and have been extensive line management experience for the last 18 years. My risk management experience stretches across several industries such as general enterprise risk management, security risk management, housing sector, insurance, pensions and more recently, cyber and information security risk management. Over the last year, I have overseen information protection projects and steered the overall programme covering zero trust, identity, DLP, DMARK, SOC improvements, ATP, directing SEIM coverage, RBAC processes, conditional access policies etc.

I have also written over 20 information protection policies, delivered InfoSec training programme, built an InfoSec risk management model, audited identity and conditional access policies including the approval of JML procedures relating to identity, writing the BYOD staff facing and technical policies, produced generative policies, producing the Cyber Incident Response Procedures and producing an all encompassing and comprehensive business wide cyber and InfoSec Communications Plan and Strategy. Me and my team oversee the outsourced SOC and manage our security contractors. I currently have a team that reports to me who undertake various technical work activities and projects such as migrations and upgrades and I have also trained in Microsoft Purview.

One of my latest successes is that I’ve written my own automated information security risk management software which includes automated workflows and automated reporting with dashboards.

I am currently responsible for several information security teams covering security risk, supplier security risk management, security controls and security access management. My current projects involve JML and RBAC automation, developing security baselines and implementing security governance.

Lead Security Risk Manager at TalkTalk (2025-06 – Present)

Working in a fast paced TSA regulated environment managing multiple teams of around 9 direct reports in the field of Security Access Management, governance, audit and information security.

• Participated in AI projects to onboard various AI tools for incident management and separately got Microsoft Co-Pilot
• Stakeholder management – chair and oversee security working groups and oversee security baseline standards with key business partners I.e. CGI, CCI and TechM
• Reviewed security effectiveness of SecOps tooling and CrowdStrike for web filtering and security alerts
• Spearheading a project to implement a security ISO27001 compliant GRC tool to be used across the business and to oversee the teams supporting its delivery
• Implementing security baselines with evidence attestations with all business partners
• Implementing a programme to improve efficiency and automation across teams to ensure that the business can remain safe and secure
• Leading and motivating multidisciplinary teams in the field of governance, security risk management, information protection policies, access management, ISO 27001 compliance and supplier due diligence
• Leading and improving the departmental business plan and strategic outlook as part of continuous improvement
• Process mapping operational / technical activities including higher level departmental activities and implementing improvement plans
• Supplier security risk management including supplier security reviews
• Implementing automation around security access management

Head of Information Security and Risk Management at Age UK (2023-02 – Present)

Working in a highly regulated (i.e. GDPR/DPA, Charity Commission, PCI DSS) and face paced environment as a senior leader responsible for multiple teams in information security, risk and compliance.

• Developed the business wide and partner cyber security strategy through use of threat assessments, workshops and aligning to business objectives. The strategy covered security control improvements, BYOD, DLP, web proxy improvements AI governance and employee education and communications
• Work with Microsoft Sentinel, Defender for Cloud, Defender for Endpoint, Purview and Microsoft Compliance Centre
• Fully responsible for the oversight and approval of major IT changes and InfoSec projects such as server migrations, log ingestion requirements to SEIM, SaaS solutions, DLP solutions, shadow technology solutions, cookie management solutions, Data Sharing Agreements, Security by Design Standards, Information Protection Policies etc
• From inception, developed the InfoSec Risk Management Framework and successfully implemented it with: workflows for risk identification through reporting forms, governance meetings, research and IT testing, workflows to document the risks, quantify the risks, evaluate the risk scoring and develop the controls, workflows to ensure risk ownership, accountability and signoff including risk owner signoff of controls/mitigations, processes for first and second line control testing, risk deep dives, control audits, risk escalation processes and risk monitoring and KRI's
• Carried out second line audits through using a risk-based approach to develop an annual audit plan, develop the audit Terms of Reference, execute the audit and then produce post audit reports with reporting to senior stakeholders and the board committees
• Using PowerApps and Power Automate, developed a GRC app for the management of information protection and cyber security compliance, InfoSec risk management including controls testing, and PCI DSS compliance which identifies the scope of the PCI DSS environment and maps the PCI DSS compliance requirements which can then be verified using evidence
• Developed high level Risk Appetite Statements which specifies the business attitude to risk and the level of risk the business is willing to accept within which, the risk registers are aligned to
• Oversee the Information Protection Programme which has delivered alignment to ISO27001 and NIST
• Developed a cyber security compliance assessment survey which is based on cyber essentials and other ISO standards and use used annually to verify cyber security strengths against risks
• Implemented a system of governance for Information and Cyber Security and chair various meeting groups such as second line oversight of IT function and major IT suppliers; Solutions Design and Risk Management
• Developed policies both staff facing and technical (for implementation by IT) such as the Group Information Protection Policy, Technical Vulnerability Management Policy, Firewall Management Policy, Third Party Access Policy, IT backup policy, Incident Management Policy etc
• Regularly review technical policies with the technical teams such as conditional access, identity, Zero Trust, BYOD, Incident Detection, RBAC, Network Access Control, ATP, DLP and review reports on attack surface risks and work with teams through the governance arrangements and risk management frameworks to reduce risks to within tolerance
• Reviewed the SOC arrangements and developed the business case for SOC procurement
• Developed the cyber incident response framework and procedures and work with ITSM to integrate this into ITSM
• Responded to various incidents and ensured oversight of the forensic investigation
• Regularly conduct control deep dives through site visits, observation, reviewing evidence and interviewing control/mitigation/business process owners and producing reports with recommendations
• Produced a cyber security strategy and a cyber security corporate communications plan and delivered this with team as part of a one-year education programme which has now moved into BAU
• Have experience of using various security tools such as Microsoft Azure AD, Defender, Intune and the Microsoft Security Portal. Have also implemented working groups to review compliance and identify security threats and vulnerabilities
• Oversaw the Information Protection Programme which included the procurement of various security tools to improve security posture

Head of Governance, Risk & Compliance (GRC) at Cabinet Office – Civil Service & Royal Mail Pensions (2019-07 – 2023-02)

Working as a senior leader as head of Governance Risk and Compliance including covering the PMO, counter fraud and business strategy teams and developed strong stakeholder management and leadership skills.

• Responsible for multiple teams in the field of risk management, governance, compliance, business management, counter-fraud, PMO and information management - to provide line management, strategic direction, empowering staff to make decisions through encouraging ownership of projects, ensuring inclusivity and development of staff and supporting all staff through their career pathways
• Drove excellence by empowering teams to take on projects, be accountable and to receive associated development which in turn facilitated mitigation
• Teams achieved high performing status in their annual appraisals by empowering the teams to set the standards and agree how to achieve it
• Responsible for developing (through engagement with the business directorates) the 3-5 year strategic business plan which covered customer communications, compliance, contract management, complaints and handling, IT system improvements, internal communications, HR and employee development, compliance, change management, procurement, improvements to financial systems, delivery of PMO services and delivering an effective legal function
• Developed KPI's linked to the business plan and implemented governance and assurance reporting to ensure effective delivery
• Responsible for all governance activities and the teams that operated the governance framework which included board appointments/advertising/recruitment, ministerial approvals, and running of the boards
• Successfully built and implemented an automated risk management system in consultation with external and internal stakeholders which delivers a business wide (and with major suppliers) risk model to capture and evaluate risks at all levels, to record first and second line control testing (using a web based system) and automated MI and reporting to management
• Sat on the Security (Cyber) Working Group (SWG) and advised on cyber and security matters relevant to the Cabinet Office and responsible for oversight of the security of two major government suppliers
• Responsible for the annual compliance schedule which is linked to the risk registers and details compliance activities throughout the year which is both linked to legislative monitoring and deep dive activities to ensure compliance against legislation and regulatory requirements
• Responsible for internal and external audit – coordinated audits with audit partner (Government Internal Audit Agency) and negotiated the annual audit plans and presented these to the Board, developed the audit ToR's for around 14 audits a year, defined the audit universe and developed and reported on key metrics which tie together the vast amount of information from audit outputs throughout the year
• Developed and maintained the MoU's and agreements with auditors including audit charters and management of associated budgets for auditing
• Regularly provide reports, presentations and training on GRC to various boards and Senior Leadership Teams which provide succinct and impactful general updates, escalations, remediation's, successes etc

BA (Hons) in Emergency and Disaster Management