Lead Information Assurance Manager (Lead Cyber Security Risk Manager)
Home Office Digital, Data and Technology
The Lead Information Assurance Manager identifies, understands and mitigates cyber-related risks. They identify and evaluate security risks to information, systems and processes owned by the organisation, and proactively provide appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels. They provide risk owners with advice to help them make well-informed, risk-based decisions.
The successful candidate will be working on a variety of exciting projects on Home Office critical and vital infrastructure, from Homeland Security to Migration and Borders, covering cloud, networking and on-premise, software and hardware technologies.
The first duty of the government is to keep citizens safe and the country secure. The Home Office has been at the front line of this effort since 1782. As such, we play a fundamental role in maintaining the security and economic prosperity of the UK.
The Home Office leads on immigration and passports, refugee protection, counter-terrorism, policing, fire services, and crime and drugs policy.
Digital Data and Technology (DDaT) enables the Home Office to keep the UK safe and secure. We design and build the services that help people apply for visas or passports; support policing and counter-terrorism operations; and protect the UK’s borders.
This is an exciting time to be at the Home Office. You’ll have a chance to shape the future and support our mission to deliver exceptional public services that work for everyone.
Our work is guided by these principles:
• we put user needs first
• we value delivery and outcomes over process
• we work in the open
Our flexible working policy ensures a healthy work-life balance. We also nurture talent and offer a broad range of learning and development opportunities that will help you flourish in your role.
We work hard to maintain a positive working culture and are committed to helping you fulfil your potential. We value diversity and provide an open, inclusive and supportive environment to help you do your best work.
You can keep up-to-date with our work on the Home Office DDaT blog.
Your main day to day responsibilities will be:
- the support, planning, development, implementation and management of organisation-wide assurance processes and procedures for the management of risks to the success, confidentiality, integrity and availability of the business, especially those arising from the use of information technology, reduction or non-availability of energy supply or inappropriate disposal of materials, hardware or data, thereby protecting the confidentiality, integrity and availability of the organisation’s assets and business services
- provide tailored expert cyber security assurance support and advice that highlights cyber security related risks to a range of stakeholders, projects, business teams and/or service owners on how to remedy identified risks. Helping them to make well-informed and auditable decisions, by proportionately applying security capabilities, using published guidance, standards, and drawing on a range of experts as well as personal expertise
- independently and impartially undertake cyber security assurance risk management activities within a given area of practice or expertise, usually within established security and risk management governance structures. Lead the independent assurance analysis and derivation of business-supporting security needs, undertake cyber security related risk assessments, conduct tailored threat assessment and other risk management activities during the assurance process. Ensure cyber security assurance activities are consistent with applicable regulations and legislation. This includes planning and delivering internal cyber security reviews
- develop risk management-related policy and assure the ongoing appropriateness of policy in accordance with regulation and wider organisational and government policies. Communicating effectively with senior stakeholders to ensure they recognise the importance of security considerations and respond accordingly to changes in policy and procedure
- manage assurance processes across the organisation, reviewing their efficiency and effectiveness, leading recommendations for continuous improvement. Reviewing internal controls following any security breach, providing advice on how to remediate any vulnerabilities discovered. Agreeing and overseeing remedial solutions, controls and safeguards that are the most appropriate and beneficial for the organisation
- assess reviews and risk assessments and ensure all identified risks are managed in accordance with Home Office risk management policies. Communicate outcomes effectively to relevant senior stakeholders across a variety of teams in ways that support effective security, risk management and decision-making, and advise senior stakeholders on their approach to risk assessment in the context of their organisational outcomes.
Note: An employee may be required to carry out other duties within the scope of the grade and within the limits of their skill, competence and training.
Other day to day activities
You will also be expected to carry out the following day to day activities:
- participating in, contributing to and supporting collaboration initiatives and career development across multiple communities, building in-house capability via a professional community of practice
- lead on continual service improvement work to analyse current processes, identify and implement opportunities to optimise them. Work collaboratively and deliver service improvements, ensuring that threats, vulnerabilities and risks to Home Office products, systems and services are identified, assessed and guarded against
- support the routine risk reporting process by informing on changes in the Home Office's threat landscape and the associated impact on the Home Office's risk exposure, helping to better understand the impact and likelihood of exploitation of a threat
- lead cyber security assurance reviews, analysis and research to identify, assess and mitigate against cyber threats, vulnerabilities and risks
- assist with the prioritisation of remediation work based on threat and risk likelihood and impact
- own, maintain, develop and execute threat and vulnerability management process and ensure that it works holistically and coherently, whilst supporting other HO departments
- lead, mentor and support others to perform to their full potential and driving succession planning
- advise, guide and support multiple Home Office functions and projects, programmes and operational teams on matters relating to cyber threats, vulnerabilities and risks ensuring that specialist knowledge is kept current
- undertake analysis for particularly complex or vital products, systems and services, supporting associated assurance and audit activity from a threat and risk perspective as required
- support the development of the Home Office-wide cyber threat modelling process and lead the development of risk registers; ensuring that these information sets are aligned with data feeds and repositories
- provide information within assurance assessments to inform threat hunting activity and aid the development of threat intelligence products
- work collaboratively to provide specialist technical and organisational guidance pertaining to risks and control measures associated with emerging threats, closely liaising with stakeholders to assess where control changes are required to deal with the ever-changing threat landscape.
Skills and Experience
You’ll have a demonstrable passion for Cyber Security, with the following skills or experience in:
Strategy and architecture:
• Security and Privacy
o Information Assurance (INAS) - Level 5
Governance, Risk and Compliance:
• Governance, Risk and Compliance
o Risk Management (BURM) - Level 5
o Audit (AUDT) - Level 5
o Quality Assurance (QUAS) - Level 6
Advice and Guidance:
• Advice and Guidance
o Specialist Advice (TECH) - Level 5
Relationships and Engagement:
• Stakeholder management
o Stakeholder Relationship management (RLMT) - Level 5
You can find more information on sfia-online.org
Please see below for the relevant skills required for your role:
- can lead and manage a team of cyber professionals to provide an effective, joined-up central threat intelligence and risk analysis function
- is able to coach and mentor, developing more junior team members
- communicates effectively with both technical and non-technical stakeholders, and articulates threat intelligence and risk assessments in terms of their impact to the business
- building effective relationships with senior stakeholders in order to raise awareness of the importance of security issues, as well as communicating the outcome of audits and investigations sensitively
- has a good understanding of the use of different communication channels and formats for different audiences, delivering excellent verbal and written communication
- communicates the role of information assurance within risk management, assurance, audit and testing processes
- identifies and works in line with best practice principles and uses them to contribute to the ongoing continuous improvement of existing processes and ways of working for information security and risk management
- is forward thinking and can think from the perspective of potential attackers
- is familiar with key threat intelligence feeds and sources (e.g. NCSC) and possesses a good level of knowledge of common cyber security threats, vulnerabilities and exploitation tactics
- possesses highly developed analytical skills, with a keen eye for detail
- analyses, interprets and articulates the specific risks associated with threat intelligence and identified vulnerabilities
- can assimilate and collate potentially large amounts of complex information from a variety of data sources and use it to provide accurate insights, and produce recommendations and solutions that support senior decision-making and enhance business performance
- understands how current work fits into broader DDaT contexts and strategies so that deeper underlying problems and opportunities can be addressed and managed appropriately
- stays critically informed of current methodology across cyber security, threat intelligence and cyber risk management and can challenge existing ways of working.
Ideally you will also have the following skills or some experience in:
- experience in information or cyber security including threat and risk analysis for complex, high-risk and/or mission critical systems, preferably involving the Home Office, Cabinet Office, NCSC or related departments
- assurance experience within a large government department or complex industry sector
- leading and directing teams to enable the day-to-day delivery of services
- driving continual service improvements through the measurement and challenge of services and processes, tools and capability
- experience operating across tactical, operational and strategic levels with regards to threat and risk analysis, preferably while leading, running and coaching a diverse, distributed team of cyber professionals
- demonstrated ability to analyse and coherently present complex threat intelligence and risk information relevant to the audience that clearly articulates business impact(s)
- experience of a range of cyber risk and controls frameworks, such as NIST, ISO27001, COBIT, Cyber Essentials, Cloud Principles and general wider NCSC guidelines
- ISEB Practitioner Certificate in Information Risk Management or equivalent
- certification in (or willingness to work towards) one or more of the following is desirable: CRISC, CISSP or equivalent.
We'll assess you against these behaviours during the selection process:
- Making Effective Decisions
- Changing and Improving
- Communicating and Influencing
We'll assess you against these technical skills during the selection process:
- Strategy and architecture
- Governance, Risk and Compliance
- Advice and Guidance
- Relationships and Engagement