Head of IT Security

Mecsia Group

United Kingdom

On-site

GBP 75,000 - GBP 100,000

Full time

Today

Job summary

A leading UK technical services provider is seeking a Head of IT Security responsible for establishing and executing the organization's information security strategy. The role requires hands-on oversight of security tooling, governance, and compliance efforts, primarily focusing on Microsoft security architectures. The ideal candidate will have proven experience in cyber security management and a strong understanding of relevant security frameworks and compliance mandates. The position offers a competitive salary and bonus structure along with comprehensive benefits.

Benefits

Bonus / performance incentives
Pension and benefits

Qualifications

  • Proven experience in an Information Security Manager role.
  • Strong hands-on experience with Microsoft 365 security tooling.
  • Solid understanding of GDPR and incident reporting.

Responsibilities

  • Establish and maintain the enterprise vision for information security.
  • Define and execute Mecsia's information security strategy.
  • Coordinate incident response across internal teams and partners.

Skills

Microsoft 365 security tooling
GDPR understanding
Incident response
Cyber Essentials Plus
ISO 27001 experience
Cloud security principles
Stakeholder engagement

Education

CISSP, CISM, or equivalent

Tools

Microsoft Defender
Microsoft Sentinel

Job description

Mecsia is a leading UK provider of technical inspection, maintenance, and engineering services, aiming to transform the industry with a 'Local Service, National Reach' approach. The company has grown significantly through organic expansion and strategic acquisitions, including seven business units serving large clients in sectors such as commercial offices, healthcare and educational facilities. Under private equity ownership since 2020, Mecsia has expanded to approximately 1,200 employees, including 700 engineers. In 2024, Mecsia was acquired by Synova, recognised as PE house of the year for four of the last seven years, which supports an ambitious growth strategy through service excellence and further acquisitions.

About the Role

The Head of IT Security is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. This role leads the organization’s cybersecurity initiatives, risk management, and compliance efforts, ensuring alignment with business objectives.

This role combines strategic security leadership with hands‑on oversight of tooling, suppliers, controls, and assurance activities. The position will act as the organization’s day‑to‑day security authority, working closely with IT, engineering, operations, and third‑party security partners.

One of the main ambitions of the Group is to get all Group companies to Cyber Essentials Plus level and to obtain ISO 27001 accreditation. The Head of Information Security will lead and drive this initiative.

The role is particularly focused on Microsoft‑centric security architectures, outsourced SOC management, and security governance and compliance (GDPR, Cyber Essentials Plus, ISO 27001).

Key Responsibilities

  • Security strategy & governance
    • Define, maintain, and execute Mecsia’s information security strategy, aligned with business growth and risk appetite
    • Own security policies, standards, and control frameworks across the group
    • Provide regular security risk reporting to the CIO and senior leadership team
    • Act as the organization’s primary security design authority
  • Microsoft security platform ownership
    • Own and optimise the Microsoft security stack, including:
      • Microsoft Defender (Endpoint, Identity, Office 365, Cloud Apps)
      • Entra ID (Conditional Access, Identity Protection)
      • Intune/MDM for mobile and endpoint security
    • Ensure security controls are proportionate for a mixed workforce (mobile‑only users and desktop/laptop users)
  • SOC & third‑party security management
    • Act as service owner for the outsourced 24/7 SOC (Microsoft Sentinel‑based)
    • Define use‑cases, alerting thresholds, escalation paths, and response playbooks
    • Oversee supplier performance, SLAs, and continuous improvement
    • Coordinate incident response across internal teams and external partners
  • Security architecture and policy oversight for Cato SASE
    • Ensure effective integration between network security, identity, endpoint, and SIEM tooling
    • Work closely with infrastructure and cloud teams to ensure secure‑by‑design solutions
  • Compliance, assurance & risk
    • Own and maintain compliance with:
      • GDPR (in collaboration with Legal / DPO where applicable)
      • Obtain and maintain Cyber Essentials Plus accreditation
      • Obtain and maintain ISO 27001 accreditation (ISMS operation, audits, continuous improvement)
    • Manage risk registers, DPIAs, supplier security assessments, and audit findings
    • Lead internal and external audits and remediation activities
    • Own and test incident response plans, playbooks, and escalation models
    • Coordinate response to security incidents, including regulatory and customer communications where required
    • Support business continuity and disaster recovery planning from a security perspective
  • Trusted advisor & stakeholder engagement
    • Act as a trusted advisor to IT, operations, and senior management
    • Provide pragmatic security guidance to non‑technical stakeholders
    • Lead security awareness and training initiatives across the organization

Skills and Experience

  • Proven experience in an Information Security Manager / Cyber Security Manager role
  • Strong hands‑on experience with Microsoft 365 security tooling, especially Defender and Sentinel
  • Experience working with outsourced SOC services and MSSPs
  • Solid understanding of GDPR, including DPIAs and incident reporting
  • Practical experience delivering and maintaining Cyber Essentials Plus
  • Experience operating or contributing to an ISO 27001 ISMS
  • Strong knowledge of identity, endpoint, network, and cloud security principles
  • Experience supporting environments with mobile‑first and frontline workers

Preferred

  • Experience in multi‑entity or acquisitive organizations
  • Familiarity with SASE platforms (especially Cato Networks)
  • Knowledge of NCSC / NIST / CIS security frameworks
  • Experience working in regulated or safety‑critical environments

Qualifications & certifications (desirable)

  • CISSP, CISM, or equivalent
  • Microsoft Security certifications (SC‑200, SC‑300, SC‑400, etc.)

Personal attributes

  • Pragmatic and risk‑based (not “checkbox security”)
  • Comfortable balancing strategic leadership with operational oversight
  • Able to influence without authority and work cross‑functionally
  • Calm and structured under pressure during incidents
  • Strong written and verbal communication skills

Salary & package

  • Bonus / performance incentives
  • Pension and benefits

We are an Equal Opportunity Employer and do not discriminate against any employee or applicant for employment because of race, colour, sex, age, national origin, religion, sexual orientation, gender identity, status as a veteran, or disability.

When you apply, we may conduct a background check using public databases and websites and utilising a web search engine. Your CV may be retained for a maximum period of one year.