Lead Cyber Security Risk Manager

Home Office Digital - Manchester

Full-time (Permanent)
£54,000 - £64,900
Manchester
Published on
31 March 2023
Deadline
16 April 2023

Your main day to day responsibilities will be:

  • Support, plan, develop, implement and manage organisation-wide processes and procedures for managing risks to the success, confidentiality, integrity and availability of the business, especially those arising from the use of information technology, hardware or data, thereby protecting the confidentiality, integrity and availability of the organisation's assets and business services.
  • Provide tailored expert cyber security support and advice to a range of stakeholders, projects, business teams and/or service owners that highlights cyber security related risks and explains how to remedy them. Help them make well-informed decisions by applying security capabilities proportionately, using published guidance and standards, and drawing on a range of experts as well as personal expertise.
  • Independently and impartially undertake risk management activities within a given area of practice or expertise, usually within established security and risk management governance structures. Lead the independent analysis and derivation of business-supporting security needs, undertake cyber security related risk assessments, and conduct tailored threat assessments and other risk management activities. Ensure activities are consistent with applicable regulations and legislation.
  • Develop risk management-related policy and assure its ongoing appropriateness in accordance with regulation and wider organisational and government policies. Communicate effectively with senior stakeholders so that they recognise the importance of security considerations and respond accordingly to changes in policy and procedure.
  • Manage risk management processes across the organisation, review their efficiency and effectiveness, and lead recommendations for continuous improvement. Review internal controls following any security breach and advise on how to remediate any vulnerabilities discovered. Agree and oversee the remedial solutions, controls and safeguards that are most appropriate and beneficial for the organisation.
  • Assess reviews and risk assessments and ensure all identified risks are managed in accordance with Home Office risk management policies. Communicate outcomes effectively to relevant senior stakeholders across a variety of teams in ways that support effective security, risk management and decision-making, and advise senior stakeholders on their approach to risk assessment in the context of their organisational outcomes.

Note: An employee may be required to carry out other duties within the scope of the grade and within the limits of their skill, competence and training.

Essential Skills

You’ll have a demonstrable passion for Cyber Security with the following skills or strong experience in:

Strategy and architecture:

  • Security and Privacy
    • Information Assurance (INAS) – Level 5
  • Governance, Risk and Compliance
    • Risk Management (BURM) – Level 5
    • Audit (AUDT) - Level 5
    • Quality Assurance (QUAS) - Level 6
  • Advice and Guidance
    • Specialist Advice (TECH) - Level 5

Relationships and Engagement

  • Stakeholder management
    • Stakeholder Relationship management (RLMT) - Level 5

The skills listed above reflect the Home Office DDaT Profession Skills and Competency Model, which is based on the industry-standard SFIA framework (sfia-online.org).

Essential Criteria

Can lead and manage a team of cyber professionals to provide an effective risk analysis function:

  • Is able to coach and mentor, developing more junior team members
  • Communicates effectively with both technical and non-technical stakeholders, and articulates threat intelligence and risk assessments in terms of their impact on the business
  • Builds effective relationships with senior stakeholders in order to raise awareness of the importance of security issues, and communicates the outcomes of audits and investigations
  • Has a good understanding of the use of different communication channels and formats for different audiences, delivering excellent verbal and written communication
  • Identifies and works in line with best-practice principles and uses them to contribute to the ongoing continuous improvement of existing processes and ways of working for information security and risk management
  • Is familiar with key threat intelligence feeds and sources (e.g. NCSC, CiSP) and possesses a good level of knowledge of common cyber security threats and vulnerabilities
  • Possesses highly developed research and analytical skills, with a keen eye for detail
  • Analyses, interprets and articulates the specific risks associated with threat intelligence and identified vulnerabilities
  • Can assimilate and collate potentially large amounts of complex information from a variety of data sources and use it to provide accurate insights and produce recommendations and solutions that support senior decision-making and enhance business performance
  • Understands how current work fits into broader DDaT contexts and strategies so that deeper underlying problems and opportunities can be addressed and managed appropriately

Desirable Criteria

Ideally you will also have the following skills or some experience in:

  • Experience in information or cyber security, including threat and risk analysis for complex, high-risk and/or mission-critical systems
  • Leading and directing teams to enable the day-to-day delivery of services
  • Demonstrated ability to analyse and coherently present complex threat intelligence and risk information, tailored to the audience, that clearly articulates business impact(s)
  • Experience of a range of cyber risk and controls frameworks, such as NIST, ISO27001, COBIT, ISO31000, Cloud Principles and wider NCSC guidance
  • CRISC, CISSP, CISM, CISA or equivalent