
Lead Cyber Security Auditor (Lead Cyber Security Risk Manager)

Home Office Digital

Full-time (Permanent)
£54,000 - £64,900
Published on
31 March 2023
Deadline
16 April 2023

Your main day to day responsibilities will be:

  • The support, planning, development, implementation and management of organisation-wide auditing processes and procedures for the management of risks to the success, confidentiality, integrity and availability of the business, especially those arising from the use of information technology, reduction or non-availability of energy supply or inappropriate disposal of materials, hardware or data. Thereby, protecting the confidentiality, integrity and availability of the organisation’s assets and business services
  • Provide tailored expert audit support and advice that highlights cyber security related risks to a range of stakeholders, projects, business teams and/or service owners on how to remedy identified risks. Helping them to make well-informed and auditable decisions, by proportionately applying security capabilities, using published guidance, standards, and drawing on a range of experts as well as personal expertise
  • Independently and impartially undertake auditing activities within a given area of practice or expertise, usually within established security and risk management governance structures. Lead the independent cyber security audits and derivation of business-supporting security needs, undertake cyber security related risk assessments, conduct tailored threat assessment audits and other risk management activities. Ensure activities are consistent with applicable regulations and legislation. This includes planning and delivering internal cyber security audits and reviews
  • Communicating effectively with senior stakeholders to ensure they recognise the importance of security considerations and respond accordingly to changes in policy and procedure
  • Manage auditing processes across the organisation, reviewing their efficiency and effectiveness, leading recommendations for continuous improvement. Reviewing internal controls following any security breach, providing advice on how to remediate any vulnerabilities discovered. Agreeing and overseeing remedial solutions, controls and safeguards that are the most appropriate and beneficial for the organisation
  • Assess reviews and audit risk assessments and ensure all identified risks are managed in accordance with Home Office risk management policies. Communicate outcomes effectively to relevant senior stakeholders across a variety of teams in ways that support effective security, risk management and decision-making, and advise senior stakeholders on their approach to risk assessment in the context of their organisational outcomes.

Essential Skills 

You’ll have a demonstrable passion for Cyber Security, with the following skills or experience in:

Strategy and architecture:

• Security and Privacy
  o Information Assurance (INAS) – Level 5

• Governance, Risk and Compliance
  o Risk Management (BURM) – Level 5
  o Audit (AUDT) – Level 5
  o Quality Assurance (QUAS) – Level 6

• Advice and Guidance
  o Specialist Advice (TECH) – Level 5

Relationships and Engagement:

• Stakeholder management
  o Stakeholder Relationship Management (RLMT) – Level 5

The skills listed above are reflective of the Home Office DDaT Profession Skills and Competency Model (based on the industry standard SFIA framework) sfia-online.org

Essential Criteria

Please see below for the relevant skills required for your role:

  • Can lead and manage a team of cyber professionals to provide an effective, joined-up central threat intelligence and risk analysis function
  • Is able to coach and mentor, developing more junior team members
  • Communicates effectively with both technical and non-technical stakeholders, and articulates threat intelligence and risk assessments in terms of their impact to the business
  • Builds effective relationships with senior stakeholders in order to raise awareness of the importance of security issues, as well as communicating the outcome of audits and investigations sensitively
  • Has a good understanding of the use of different communication channels and formats for different audiences, delivering excellent verbal and written communication
  • Communicates the role of information assurance within risk management, assurance, audit and testing processes
  • Identifies and works in line with best practice principles and uses them to contribute to the ongoing continuous improvement of existing processes and ways of working for information security and risk management
  • Is forward thinking and can think from the perspective of potential attackers
  • Is familiar with key threat intelligence feeds and sources (e.g. NCSC) and possesses a good level of knowledge of common cyber security threats, vulnerabilities and exploitation tactics
  • Possesses highly developed analytical skills, with a keen eye for detail
  • Analyses, interprets and articulates the specific risks associated with threat intelligence and identified vulnerabilities
  • Can assimilate and collate potentially large amounts of complex information from a variety of data sources and use it to provide accurate insights, produce recommendations and solutions that support senior decision-making and enhance business performance
  • Understands how current work fits into broader DDaT contexts and strategies so that deeper underlying problems and opportunities can be addressed and managed appropriately
  • Stays critically informed of current methodology across cyber security, threat intelligence and cyber risk management and can challenge existing ways of working
