Cyber Security Governance and Risk Management Principal
Government Digital Services
Job description
As a Cyber Security Governance and Risk Management Principal, you'll:
- lead cyber and information security risk management, assurance, and architectural advisory for major applications and digital services during alpha, beta, and early live phases
- deliver critical security assessments and IT Health Checks, providing expert assurance across portfolio projects, with a focus on SaaS tooling compliance against NCSC Cloud Security Principles
- facilitate and oversee Security Working Groups throughout all key development and deployment stages, ensuring risks are tracked, logged, and reported to the Head of Cyber Risk and Assurance, with actionable recommendations provided
- produce formal risk assessments and risk treatment plans (RTPs) for all digital services and associated tooling, ensuring robust protection in accordance with business risk appetite
- develop, review, and advise on Secure by Design policies/practices, including safe use of AI, secure coding, and regulatory compliance frameworks (e.g., OWASP, DPIA, GovAssure)
- coordinate cross-platform activities and enable secure delivery of new GDS services, including supporting incident management and continuous improvement of live service security practices
- routinely provide monthly (and ad-hoc) risk briefings to senior leaders, evidencing assurance, identifying risks outside tolerance, mapping exposure, and recommending mitigations and controls
- mentor and train digital service teams and wider Information Security staff, sharing best practices and building internal capability for risk assessment and management
- support implementation and ongoing usage of risk management tooling, ensuring all details are uploaded promptly and appropriately, such as the SureCloud risk register
- engage proactively with senior internal and external stakeholders, promoting security culture and enabling confident delivery aligned with organisational priorities
- take on future line management activities as the team grows
Person specification
We’re interested in people who have:
- demonstrable experience delivering high-quality, detailed cyber security risk assessments and assurance in large, fast moving, complex digital environments, ideally government or critical infrastructure
- in-depth understanding of cyber risk management, threat modelling, security architectural advice, and formal IT Health Checks, including experience with SaaS environments and cloud security principles
- experience interpreting and applying relevant cyber security standards, regulatory frameworks, and secure by design principles within a multi-disciplinary digital team
- a self-starting approach, using your considerable experience and skills to work independently and with confidence
- a track record of building cross-functional relationships and leading multi-platform security initiatives, with the ability to brief, influence, and advise senior stakeholders
- strong written, verbal, and interpersonal communication skills, able to distil complex findings into actionable recommendations for non-technical and executive audiences
- evidence of personal commitment to continuous learning and sharing of best practices, with experience mentoring, coaching, or enabling capability-building in others
- ability to assess the implications and risks of emerging technologies (such as AI, SaaS, cloud services) and proactively recommend security interventions
- knowledge of Civil Service values: respect, collaboration, inclusivity, and commitment to public service, with a strong focus on organisational culture
Indicative professional qualifications / accreditations
- relevant industry qualifications and accreditations, e.g. CISSP, or a Master’s Degree in a relevant discipline
Benefits
Alongside your salary of £69,675, Government Digital Service contributes £20,184 towards you being a member of the Civil Service Defined Benefit Pension scheme. Find out what benefits a Civil Service Pension provides.
There are many benefits of working at GDS, including:
- flexible hybrid working with flexi-time and the option to work part-time or condensed hours
- a Civil Service Pension with an average employer contribution of 28.97%
- 25 days of annual leave, increasing by a day each year up to a maximum of 30 days
- an extra day off for the King’s birthday
- an in-year bonus scheme to recognise high performance
- career progression and coaching, including a training budget for personal development
- a focus on wellbeing with access to an employee assistance programme
- job satisfaction from making government services easier to use and more inclusive for people across the UK
- advances on pay, including for travel season tickets
- death in service benefits
- cycle to work scheme and facilities
- access to an employee discounts scheme
- 10 learning days per year
- volunteering opportunities (5 special leave days per year)
- access to a suite of learning activities through Civil Service learning
Any move to Government Digital Service from another employer will mean you can no longer access childcare vouchers. This includes moves between government departments. You may however be eligible for other government schemes, including Tax Free Childcare. Determine your eligibility at https://www.childcarechoices.gov.uk
Office attendance
The Department operates a discretionary hybrid working policy, which provides for a combination of working hours from your place of work and from your home in the UK. The current expectation for staff is to attend the office or non-home based location for 40-60% of the time over the accounting period.
DSIT does not normally offer full home working (i.e. working at home); but we do offer a variety of flexible working options (including occasionally working from home).
Things you need to know
Artificial intelligence
Artificial intelligence can be a useful tool to support your application, however, all examples and statements provided must be truthful, factually accurate and taken directly from your own experience. Where plagiarism has been identified (presenting the ideas and experiences of others, or generated by artificial intelligence, as your own) applications may be withdrawn and internal candidates may be subject to disciplinary action. Please see our candidate guidance for more information on appropriate and inappropriate use.
Selection process details
The standard selection process for roles at GDS consists of:
- a simple application screening process - We only ask for a CV and cover letter of up to 750 words. Important tip - please ensure that your cover letter includes how you meet the skills and experience listed in the “person specification” section above
- a 75 minute video interview. As part of the interview process there will be a presentation task. Details around the presentation task will be shared with shortlisted candidates
Depending on how many applications we get, there might also be an extra stage before the video interview, for example a phone interview or a technical exercise.
In the event we receive a high volume of applications, we will conduct the initial sift against the lead criterion, which is:
- Demonstrable experience delivering high-quality, detailed cyber security risk assessments and assurance in large, fast moving, complex digital environments, ideally government or critical infrastructure.
In the Civil Service, we use Success Profiles to evaluate your skills and ability. This gives us the best possible chance of finding the right person for the job, increases performance and improves diversity and inclusivity. We’ll be assessing your technical abilities, skills, experience and behaviours that are relevant to this role.
For this role we’ll be assessing you against the following Civil Service Behaviours:
- changing and improving
- seeing the bigger picture
- communicating and influencing
- delivering at pace
We’ll also be assessing your experience and specialist technical skills against the following skills defined in the Government Security Profession’s Cyber Security Risk Manager Principal Professional Career framework (see pages 122-125 inclusive) for the Cyber Security Governance and Risk Management Principal role.
- Information risk assessment & risk management
- Applied security capability
- Protective security
- Threat understanding
Recruitment Timeline
Sift completion: 5th June
Panel interviews: W/c 15th June
Candidates that do not pass the interview but have demonstrated an acceptable standard may be considered for similar roles at a lower grade.
A reserve list will be held for a period of 12 months, from which further appointments can be made.
The Civil Service is committed to attracting, retaining and investing in talent wherever it is found. To learn more please see the Civil Service People Plan and the Civil Service D&I Strategy.
Please note that this role requires SC clearance, which would normally need 5 years’ UK residency in the past 5 years. This is not an absolute requirement, but supplementary checks may be needed where individuals have not lived in the UK for that period. This may mean your security clearance (and therefore your appointment) will take longer or, in some cases, not be possible.
For meaningful checks to be carried out, you will need to have lived in the UK for a sufficient period of time, to enable appropriate checks to be carried out and produce a result which provides the required level of assurance. Whilst a lack of UK residency in itself is not necessarily a bar to a security clearance, the expectation of UK residency may range from 3 to 5 years. Failure to meet the residency requirements needed for the role may result in the withdrawal of provisional job offers.
Sponsorship
DSIT cannot offer Visa sponsorship to candidates through this campaign. DSIT holds a Visa sponsorship licence but this can only be used for certain roles and this campaign does not qualify.
Feedback will only be provided if you attend an interview or assessment.