Lead Information Assurance Manager (Lead Cyber Security Risk Manager)

Home Office Digital, Data and Technology -

Full-time (Permanent)

£54,000 min - £59,400 plus an allowance of up to £11,300

Published on

21 March 2023

Deadline

2 April 2023

The Lead Information Assurance Manager identifies, understands and mitigates cyber-related risks. They identify and evaluate security risks to information, systems and processes owned by the organisation, and proactively provide appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels. They provide risk or owners with advice to help them make well informed risk-based decisions.

The successful candidate will be working with a variety of exciting projects on Home Office critical and vital infrastructure from Homeland Security to Migration and boarders, covering cloud, networking and on premise, software and hardware technologies.

The first duty of the government is to keep citizens safe and the country secure. The Home Office has been at the front line of this effort since 1782. As such, we play a fundamental role in maintaining the security and economic prosperity of the UK.

The Home Office leads on immigration and passports, refugee protection, counter-terrorism, policing, fire services, and crime and drugs policy.
Digital Data and Technology (DDaT) enables the Home Office to keep the UK safe and secure. We design and build the services that help people apply for visas or passports; support policing and counter-terrorism operations; and protect the UK’s borders.

This is an exciting time to be at the Home Office. You’ll have a chance to shape the future and support our mission to deliver exceptional public services that work for everyone.

Our work is guided by these principles:

• we put user needs first
• we value delivery and outcomes over process
• we work in the open

Our flexible working policy ensures a healthy work-life balance. We also nurture talent and offer a broad range of learning and development opportunities that will help you flourish in your role.

We work hard to maintain a positive working culture and are committed to helping you fulfil your potential. We value diversity and provide an open, inclusive and supportive environment to help you do your best work.

You can keep up-to-date with our work on the Home Office DDaT blog.

Job description

Your main day to day responsibilities will be:

the support, planning, development, implementation and management of organisation-wide assurance processes and procedures for the management of risks to the success, confidentiality, integrity and availability of the business, especially those arising from the use of information technology, reduction or non-availability of energy supply or inappropriate disposal of materials, hardware or data. Thereby, protecting the confidentiality, integrity and availability of the organisation’s assets and business services
provide tailored expert cyber security assurance support and advice that highlights cyber security related risks to a range of stakeholders, projects, business teams and/or service owners on how to remedy identified risks. Helping them to make well-informed and auditable decisions, by proportionately applying security capabilities, using published guidance, standards, and drawing on a range of experts as well as personal expertise
independently and impartially undertake cyber security assurance risk management activities within a given area of practice or expertise, usually within established security and risk management governance structures. Lead the independent assurance analysis and derivation of business-supporting security needs, undertake cyber security related risk assessments, conduct tailored threat assessment and other risk management activities during the assurance process. Ensure cyber security assurance activities are consistent with applicable regulations and legislation. This includes planning and delivering internal cyber security reviews
develop risk management-related policy and assure the ongoing appropriateness of policy in accordance with regulation and wider organisational and government policies. Communicating effectively with senior stakeholders to ensure they recognise the importance of security considerations and respond accordingly to changes in policy and procedure
manage assurance processes across the organisation, reviewing their efficiency and effectiveness, leading recommendations for continuous improvement. Reviewing internal controls following any security breach, providing advice on how to remediate any vulnerabilities discovered. Agreeing and overseeing remedial solutions, controls and safeguards that are the most appropriate and beneficial for the organisation
assess reviews and risk assessments and ensure all identified risks are managed in accordance with Home Office risk management policies. Communicate outcomes effectively to relevant senior stakeholders across a variety of teams in ways that support effective security, risk management and decision-making, and advise senior stakeholders on their approach to risk assessment in the context of their organisational outcomes.

Note: An employee may be required to carry out other duties within the scope of the grade and within the limits of their skill, competence and training.

Other day to day activities

You will also be to carry out the following day to day activities:

participating in, contributing to and supporting collaboration initiatives and career development across multiple communities, building in-house capability via a professional community of practice
lead on continual service improvement work to analyse current processes, identify and implement opportunities to optimise them. Work collaboratively and deliver service improvements, ensuring that threats, vulnerabilities and risks to Home Office products, systems and services are identified, assessed and guarded against
support the routine risk reporting process by informing on changes in the Home Office's threat landscape and the associated impact on the Home Office's risk exposure, helping to better understand the impact and likelihood of exploitation of a threat.
lead cyber security assurance reviews, analysis and research to identify, assess and mitigate against cyber threats, vulnerabilities and risks
assist with the prioritisation of remediation work based on threat and risk likelihood and impact
own, maintain, develop and execute threat and vulnerability management process and ensure that it works holistically and coherently, whilst supporting other HO departments
lead, mentor and support others to perform to their full potential and driving succession planning
advise, guide and support multiple Home Office functions and projects, programmes and operational teams on matters relating to cyber threats, vulnerabilities and risks ensuring that specialist knowledge is kept current
undertake analysis for particularly complex or vital products, systems and services, supporting associated assurance and audit activity from a threat and risk perspective as required
support the development of the Home Office-wide cyber threat modelling process and lead the development of risk registers; ensuring that these information sets are aligned with data feeds and repositories
provide information within assurance assessments to inform threat hunting activity and aid the development of threat intelligence products
work collaboratively to provide specialist technical and organisational guidance pertaining to risks and control measures associated with emerging threats, closely liaising with stakeholders to assess where control changes are required to deal with the ever-changing threat landscape.

Person specification

Skills and Experience

You’ll have a demonstrable passion for Cyber Security, with the following skills or experience in:

Strategy and architecture:
• Security and Privacy
o Information Assurance (INAS) – Level 5

Governance, Risk and Compliance:
o Risk Management (BURM) – Level 5
o Audit (AUDT) - Level 5
o Quality Assurance (QUAS) - Level 6

• Advice and Guidance:
o Specialist Advice (TECH) - Level 5

Relationships and Engagement:
• Stakeholder management
o Stakeholder Relationship management (RLMT) - Level 5

You can find more information on sfia-online.org

Essential Criteria

Please see below for the relevant skills required for your role:

can lead and manage a team of cyber professionals to provide an effective, joined-up central threat intelligence and risk analysis function
is able to coach and mentor, developing more junior team members
communicates effectively with both technical and non-technical stakeholders, and articulates threat intelligence and risk assessments in terms of their impact to the business
building effective relationships with senior stakeholders in order to raise awareness of the importance of security issues, as well as communicating the outcome of audits and investigations sensitively
has a good understanding of the use of different communication channels and formats for different audiences, delivering excellent verbal and written communication
communicates the role of information assurance within risk management, assurance, audit and testing processes
identifies and works in line with best practice principles and uses them to contribute to the ongoing continuous improvement of existing processes and ways of working for information security and risk management
is forward thinking and can think from the perspective of potential attackers
is familiar with key threat intelligence feeds and sources (e.g. NCSC) and possesses a good level of knowledge of common cyber security threats, vulnerabilities and exploitation tactics
possesses highly developed analytical skills, with a keen eye for detail
analyses, interprets and articulates the specific risks associated with threat intelligence and identified vulnerabilities
can assimilate and collate potentially large amounts complex information from a variety of data sources and use it to provide accurate insights, produce recommendations and solutions that support senior decision-making and enhance business performance
understands how current work fits into broader DDaT contexts and strategies so that deeper underlying problems and opportunities can be addressed and managed appropriately
stays critically informed of current methodology across cyber security, threat intelligence and cyber risk management and can challenge existing ways of working.

Desirable Criteria

Ideally you will also have the following skills or some experience in:

experience in information or cyber security including threat and risk analysis for complex, high-risk and/or mission critical systems, preferably involving the Home Office, Cabinet Office, NCSC or related departments
assurance experience within a large government department or complex industry sector
leading and directing teams to enable the day-to-day delivery of services
driving continual service improvements through the measurement and challenge of services and processes, tools and capability
experience operating across tactical, operational and strategic levels with regards to threat and risk analysis, preferably while leading, running and coaching a diverse, distributed team of cyber professionals
demonstrated ability to analyse and coherently present complex threat intelligence and risk information relevant to the audience that clearly articulates business impact(s)
experience of a range of cyber risk and controls frameworks, such as NIST, ISO27001, COBIT, Cyber Essentials, Cloud Principles and general wider NCSC guidelines
ISEB Practitioner Certificate in Information Risk Management or equivalent
certification in (or willing to work towards) one or more of the following is desirable: CRISC, CISSP, and equivalent.