Senior Cyber Security Consultant Supplier Assurance
Hybrid Working from one of our Regional Centres
Active SC Clearance required
The Team
The Government Security Centre for Cyber (Cyber GSeC) develops and provides consultancy and advice services to government departments to build their cyber security resilience, and the cyber security posture across HMG. We work directly in support of the Government Cyber Security Strategy (GCSS).
The Cyber GSeC is hosted by, and sits with, HMRC Security, which is part of the Chief Digital and Information Officer (CDIO) area of HMRC. Though the GSeC sits within these functions, it is a distinct entity that is separate from the day-to-day HMRC security function.
The Project
Cyber GSeC has developed a pilot proposition covering supplier security assurance. The aim of this pilot is to assess the feasibility of collating and storing supplier security assurance (cyber and protective) information in a central repository, which can then be accessed and shared across government to support efforts to manage and reduce several risks within HMG.
The pilot has the following objectives:
to establish a centralised repository of high-level information and evidence about a supplier’s security assurance status including their subcontractor position, against a baseline security assurance criteria. This information can be utilised by other government departments to save time and resource when they undertake their own due diligence.
to help government to understand and reduce its supply chain risk.
You will need to:
Establish Foundations
Identify a sponsoring department and potential major cross-government suppliers.
Design/format the assurance criteria and ‘test’ approach with the sponsor department
Identify further departments to participate, arrange initial workshops and finalise suppliers for progression
Test the Approach
Test the assurance approach with one supplier with participating departments
Assess outcomes and improve approach as needed
Create an interim solution to store the information gathered during the pilot
Supplier Assurance Review
Gather open-source information on all suppliers
Using the criteria, gather any assurance information from participating departments for all suppliers
Consolidate findings and identify gaps
Determine any improvements, and assess the quality and usefulness of the information
Scope requirements for future storage/access solution (repository).
Review
- Review pilot, lessons learned, conclusions and make recommendations
- Set out proposal for next stage, seek approval
Govern
- Contribute to project plans and reporting for the overall governance of the pilot
Deliverables
Baseline security assurance criteria.
Stakeholder management and relationship building at pace within a complex landscape
Security assurance information on several suppliers, working with several departments
Lessons learned, conclusions and recommendations
Scope for storage/access solution (repository)
Proposal/Next stage plan
The Role
As a Senior Cyber Security Professional leading service delivery within Cyber GSeC, you will play a key role in improving the cyber security posture of His Majesty’s Government. Championing the outcomes of the Government Cyber Security Strategy you will oversee the design, implementation, uptake, and continued improvement of Cyber Security best practice and Cyber GSeC services that provide tangible improvement to the cyber security of Lead Government Departments and their underlying ALBs. You may also be required to contribute to other outcomes of HMRC’s Cyber Security Technical Services function.
You will be assigned to one of our technical services or projects, delivering against project plans and milestones. You will be confident in your ability to engage at senior levels across the UK security community and will be expected to be involved in our engagement with a wide range of key stakeholders that may include the Government Security Group (GSG), National Cyber Security Centre (NCSC) and the Central Digital and Data Office (CDDO).
The core element of the Senior Cyber Security Professional role will be to provide targeted, expert and risk-based technical security advice and guidance across the breadth of HM Government. The successful candidate will be able to evidence their technical skills and experience in cyber security fields relevant to the services we deliver.
Responsibilities can include:
Delivering outcomes against one of our service lines or projects in support of the Government Cyber Security Strategy (GCSS).
The development, implementation, delivery, and continuous improvement of Cyber GSeC advice and guidance services across circa 400 government organisations, ensuring alignment to relevant cyber security standards and architectural requirements.
Selecting suitable security techniques, tools, and test strategies to confirm compliance with relevant HMG security standards, providing suggested remediation actions.
Leading the development of Security Principles, Policies and Technical Standards aligned to business context and risk appetites and curating communication campaigns for a wide range of stakeholders to encourage an improved cyber security stance and the uptake of Cyber GSeC services.
Supporting the delivery of balanced and efficient cyber security risk management decisions, identifying vulnerabilities and resolutions in sophisticated technical environments.
Recognising when security measures impact on users or business needs, providing targeted and expert advice to inform business decision making, and handle partner concerns.
Identifying, raising, and advancing cyber risks in keeping with HMG risk appetite and delivering effective cyber services from our catalogue, while supporting Secure by Design and the security lifecycle.
Research, identify, validate, and lead the adoption of new technologies and methodologies and engage with and contribute to a wider security technology and tooling strategy providing direction to the organisation and HMG.
Essential Criteria:
At application and interview, you must demonstrate extensive experience of:
Minimum 5 years’ experience working as a Cyber Security Consultant or IT Security Consultant, with proven supply chain security experience and current knowledge of procurement frameworks and processes.
Demonstrate extensive senior stakeholder management across partner organisations, clients, and suppliers, using strong communication skills to communicate effectively at all levels to technical and non-technical audiences.
Having a deep subject matter knowledge across key incident response specialist areas and demonstrating understanding of the technical and procedural concepts, and their application.
Communicating with all different stakeholders to convey the relevant points about incident response and cyber security, whilst being sensitive to stakeholders’ knowledge levels, role within organisation and experience in a way that builds trust and confidence.
Developing and managing cyber security response plans and building exercises that are credible and robust; this could also include experience of being a key member of a Cyber Incident Response Team.
Providing sources of reference to resolve problems and help mentor team members and having suitable knowledge to answer questions directly regarding a broad range of technical matters.
Security and privacy risks and associated threats with a solid understanding of key considerations such as confidentiality, integrity, availability, non-repudiation, and privacy.
Successful delivery of security aspects of major projects, demonstrating professional credibility and authority.
Crafting and conveying information security and risk management guidance aligned to corporate risk appetite across several enterprises.
Working with leading standards such as NIST, ISO, CIS, and Cyber Essentials
Extensive experience consulting on security assurance and conducting audits
Extensive knowledge of the HMG The Sourcing Playbook and the Government Functional Standards GovSec007: ‘Security’ and GovSec008: ‘Commercial’ for strategic direction
Good knowledge of project management governance
The ability to translate outline objectives into definitive deliverables.
Our Values
We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, colour, national origin, sex, gender, gender expression, sexual orientation, age, marital status or disability status. We will ensure that individuals with disabilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. Please contact your designated recruiter to request accommodation.