Job description | Job title & Main details
• Role: Head of Information Security
• Salary Range: c£105,000 plus civil service pension employer contribution of 28%
• Type of contract: Full Time, permanent.
• Location: Hybrid working. On-site, London or Newcastle minimum 2 days pw
Context and main purpose of the job:
Why are we recruiting for this role?
To drive delivery of the National Audit Office’s Information Security plan, a focussed senior security professional is needed to oversee the operational and governance elements of the Information Security function within a complex and agile organisation.
This security leadership role will work under the Information Security Director, supporting the running and maturing of the operational information security function; overseeing the detect and respond security operations function and developing the broader governance, risk and compliance capability; helping transform the NAO’s security posture and risk profile and supporting our ambition of becoming an exemplar organisation.
Who are the team?
The Head of Information Security role sits within a small group of inclusive, respectful, and agile information security professionals, responsible for enabling the business to better understand, identify and manage the threats and risks that impact the NAO’s ability to deliver on its vision and strategy.
What are the main responsibilities of this role?
The Head of Information Security will play a crucial role in protecting the NAO’s information assets. This position involves overseeing both Governance, Risk, and Compliance (GRC) and Security Operations (SecOps).
The Head of Information Security will lead the operational Information Security functions, outside of Cyber Security (technical prevent control) responsibilities. It is a role critical to the success of the team, ensuring that security policies and procedures are effectively implemented and adhered to, identifying and mitigating risks, and ensuring compliance with policies and regulations; and the SecOps capability, coordinating incident response, threat detection, and vulnerability management, optimising the SecOps capability and improving the NAO’s security posture.
This role requires strong leadership and excellent stakeholder management skills, an ability to think strategically and act tactically, and a deep understanding of both the definition and application of strong information security best practice; building on synergies between these functions to create exciting opportunities, identifying efficiencies and innovative solutions, and working closely with the Director to elevate the NAO's security maturity and embed an information security culture across the organisation.
The Head of Information Security will deputise for the Director and will have a key role in guiding the development of the NAO’s information security services, will lead investigations, develop stakeholder relationships, and identify and deliver new initiatives.
Working in close collaboration with the Director, the Head of Information Security will be responsible for the running and continual improvement of the NAO’s Information Security Management System, ensuring that the annual certifications are maintained, the underlying systems are improved, and the associated controls deliver value to the organisation.
The successful candidate will be an organised, decisive, and persuasive professional, able to deliver new and develop existing information controls within a challenging environment.
They will have an excellent knowledge of security concepts and an understanding of how to implement them effectively. They will be responsible for collating and reporting key performance metrics and will understand how to articulate the “so what?” message to stakeholders, communicating effectively with all levels of users, delivering a high level of customer service.
They will need to use their experience, initiative, creativity, research and problem-solving skills to resolve issues, implement new and develop existing controls and create thorough written briefings.
The successful candidate will be a motivated self-starter, able to keep multiple plates spinning, delegate effectively, and manage their time effectively.
They will have majored in either GRC or SecOps, and will have a thorough understanding of the complexities, opportunities and challenges inherent within both disciplines.
About the National Audit Office
The National Audit Office (NAO) is the UK’s main public sector audit body. Independent of government, we have responsibility for auditing the accounts of various public sector bodies, examining the propriety of government spending, assessing risks to financial control and accountability, and reviewing the economy, efficiency and effectiveness of programmes, projects, and activities.
We report directly to Parliament, through the Committee of Public Accounts of the House of Commons which uses our reports as the basis of its own investigations. We employ some 900 staff, most of whom are qualified accountants, trainees, or technicians. They work in one of two main areas, financial audit, or value for money (VFM) audit.
The NAO welcomes applications from everyone. We value diversity in all its forms and the difference it makes to our organisation. By removing barriers and creating an inclusive culture all our people can develop and maximise their full potential. As members of the Business Disability Forum and the Disability Confident Scheme we guarantee to interview all disabled applicants who meet the minimum criteria.
The NAO supports flexible working and is happy to discuss this with you at application stage.
Relationships:
Reporting to: Director Information Security
Internal: Close working relationships with Info Sec peers, Digital Services, development teams and the broader organisation.
External: Microsoft, OneTrust, Tenable, and other key suppliers, vendors, and peers across similar organisations.
Resources Managed: GRC and Sec Ops functions
Responsibilities:
The Head of Information Security will be responsible for the following.
Leadership
• Deputising for the Director to ensure continuity in stakeholder management, periodic reporting, work prioritisation and maintenance of both service levels and customer satisfaction.
• Regularly briefing the Director and senior security stakeholders, ensuring that they are informed of emerging issues, new threats, changes, and opportunities to develop both security and the team.
• Support the development of colleagues’ security awareness, promoting a strong security culture within the organisation.
Security Operations
• Oversee the key technical security detect and respond controls across the organisation, ensuring that security posture is effectively managed in line with enterprise risk appetite.
• Responsible for developing vigilant security monitoring of the technology estate and the execution of agreed protocols and processes, in a consistent and timely manner when security issues arise.
• Support investigations into material information security incidents.
• Support the transition into BAU of new SecOps functions, tools, services and capabilities.
• Oversee the vulnerability management processes and co-ordinated response to vulnerability remediation.
• Responsible for ensuring that internal and external testing and compliance certifications are carried out in line with the organisation’s security plan, meeting regulatory and external certification priorities.
Security Governance
• Working closely with the Director Information Security to drive the maintenance and development of the NAO’s Information Security management systems.
• Developing existing and delivering new InfoSec policies, standards, and controls.
• Defining and co-ordinating an ongoing security awareness and training strategy.
• Maintaining, retaining, and delivering substantive improvements to our ISO27001 and Cyber Essentials Plus certifications, with the full support of the Info Sec team, Digital Services, and the broader organisation.
• Contributing to defining and refining what great Info Sec looks like, embedding the use of best practice controls across the organisation.
• Evangelise information security as an SME, across the NAO.
• Delivering great governance across the organisation’s Information Security functions, ensuring that senior stakeholders understand how effective the NAO’s Information Security is.
• Leading on the identification and management of the NAO’s InfoSec risk and driving appropriate and pragmatic risk treatment solutions to conclusion.
• Ensure that information processing activities meet or exceed relevant security principles and practices.
• Supporting the DPO in ensuring that the NAO adheres to the Data Protection Act.
Stakeholder Engagement
• Collaborate with and build relationships with key stakeholder groups, such as Information Security, HR, and Digital Services.
• Build strong relationships with stakeholder groups outside of the team to establish a strong understanding of the organisation and its needs.
Change Delivery
• Support the broader team in delivering its change and maturity objectives, ensuring that appropriate GRC and Sec Ops resources are aligned and supporting the annual Information Security Area Plan.
Key skills/competencies required:
Essential
• Strong analytical and problem-solving skills, with an attention to detail.
• Good team player who can delegate with confidence, facilitate knowledge sharing and collaborative working in multi-disciplinary teams with professional audit and technology colleagues.
• Self-starter, with energy and enthusiasm for driving good security practices, continuous improvement, and organisational change.
• 5+ years’ experience as an Information Security professional with leadership experience.
• Working towards (and able to achieve within the first year), or holding, a relevant professional certification, such as:
  o CISSP, CISM, CRISC, CIA
• SC Security Clearance, or able to achieve SC clearance.
• In-depth technical knowledge:
  o ISO27001
  o Risk Management
  o Security Operations detect and respond functions
  o Data Protection Act 2018 / GDPR
  o Current IT security issues, particularly those affecting government
• Demonstrable experience in a senior Information Security role, within a complex data-focussed organisation.
Desirable
Whilst not essential for being successful in this role, the following key skills/competencies would be desirable:
• Hold one or more of the following industry accreditations:
  o ISO27001 LI/LA, GDPR Practitioner