Security Risk and Assurance Lead – Moj Jobs Near Me
Website: Ministry of Justice

Position Summary:

The MoJ Information Security Team sits at the heart of the Ministry of Justice, enabling good security practices through the provision of security policies, guidance and education, by understanding cyber security risks from all parts of the Ministry of Justice and providing assurance to the departmental SIRO, the Permanent Secretary and other senior stakeholders that these risks are being effectively managed in the delivery of MoJ objectives.
The role of the Cyber Security Risk and Assurance Associate is to lead the programme of cyber security assurance for their assigned area of the organisation, highlighting non-compliance with required standards and providing appropriate challenge to the owners of cyber security risks arising from control gaps.
The Cyber Security Risk and Assurance Lead may also mentor and support others in good risk management practices to enable them to manage residual risk well, identify trends resulting from risk and assurance activities and use these to initiate and lead improvements to processes, policies and guidance, and own the resolution of tactical requests to the team.
All members of the team are expected to help develop the MoJ Security Function as a centre of excellence for the department and to contribute to building a brilliant and diverse team that is a welcoming place for all.

Key Responsibilities:

  • May include line management responsibilities for more junior team members.
  • Align risk decisions and advice with relevant regulation, policy and standards to provide proportionate, practical advice that is tailored to the local environment, and advise on any residual risk. Escalate risks to more senior stakeholders when needed and take responsibility for closure of follow-up actions.
  • Play a leading role working with Justice Digital and Information Assurance colleagues (or supervise third party suppliers) to gather evidence of the performance of technical services and organisational processes against security baselines, controls and requirements, using key performance indicators.
  • Analyse relevant data to provide an informed opinion on the quality of evidence provided and effectiveness of controls in place, with a focus on business-critical services and associated operational areas.
  • Monitor the efficiency and effectiveness of security processes across the organisation, and lead continuous improvement efforts, including improving methods of escalation or reporting where necessary.
  • Lead the implementation and delivery of security assurance processes, including GovAssure and supplier assurance activities for their assigned area, to support the overarching assurance programme. Lead on the communication of assessment and assurance outcomes to stakeholders in ways that support effective security, risk management and decision-making, and advise stakeholders on their approach to risk assessment in the context of their business outcomes.
  • Contribute to submissions and reports for senior MoJ officials and play a leading role in efforts needed to respond to requests and advisories received from government partners.
  • Play a leading role in building the network of security partners across government and national technical authorities, and within industry.
  • Provide input into the development and enablement of security policy and security culture by collaborating with the Security Policy, Culture, Awareness and Education team through insights on trends identified from security assurance activities. Assure the ongoing appropriateness of policy in accordance with regulation and wider departmental and government policies. Lead risk-related work and enable compliance and governance.
  • Lead on ensuring that Cyber Security risks for the business area are appropriately documented and reflect outcomes of the assurance work to enable senior stakeholders to make appropriate evidence-based decisions.
  • Identify and report on trends arising from assurance assessments in their assigned area of the organisation and make sure appropriate remediation plans are in place and being actively managed.

Required Education & Experience:

  • You will demonstrate an understanding of cyber security and technology, showing willingness to continue to grow your awareness of current and emerging technologies and their impact on existing security practices.
  • You will be able to communicate well and confidently with a variety of stakeholders, up to board level, and relay technical information to a non-technical audience.
  • You will display attention to detail and discretion in dealing with confidential topics and senior stakeholders.
  • You will need to be analytical and inquisitive, probing for information where appropriate to understand business context and reasoning. You will be a trusted partner for your areas of the organisation and demonstrate an understanding of how to appropriately challenge security decisions, including those made by senior stakeholders.
  • You will possess excellent analytical and problem-solving skills, adopting a positive approach and displaying flexibility of mind when encountering new situations.
  • You will need experience of working well within a security, technology or risk team, and preferably be able to demonstrate successful prior experience of leading, mentoring and motivating a small team. You will be able to demonstrate examples of your own motivation to grow your leadership and management skills and abilities.