This job has expired

Chief Information Security Officer (CISO)

Employer
Sanderson Government & Defence
Location
Glasgow
Salary
£650 - £800 per day
Closing date
18 Jan 2019

Clearance Level
DV
Sector
Central Government
Job Type
Contract

Job Title: Chief Information Security Officer

Duration: 6 months initial

Clearance: DV

This role is within an IT Shared Service Centre, supporting a range of Government partners in the UK and overseas, enabling them to work effectively and securely. This is a rare opportunity to manage a unique service that will be delivered through leading edge digital technologies, transforming the way government operates. We're looking for someone who's experienced in the digital transformation of organisations, not someone who's content to maintain the status quo.

We use service design and agile development approaches to make rapid but meaningful improvement to user services. Therefore, you'll be guided by the fundamental principles of putting user needs first, focusing on delivery and outcomes over process, and being open and transparent.

The project is expanding to approximately 100 staff and we are looking for a Chief Information Security Officer to lead and develop our cybersecurity function to assure the integrity of our leading edge technologies and our partners' data.

The CISO position requires a leader with sound knowledge of business management and a working knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem. The CISO will proactively work with business units and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. The successful candidate should understand IT and must oversee a variety of cybersecurity and risk management activities related to IT to ensure the achievement of business outcomes where the business process is dependent on technology. The CISO will be responsible for implementing and running the enterprise information security program.

Key responsibilities and accountabilities:

Establish Governance and Build Knowledge

  • Facilitate an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
  • Provide regular reporting on the current status of the information security program to Service/Programme teams, senior leaders and the programme board as part of a strategic enterprise risk management program, thus supporting business outcomes.
  • Work with the commercial office to ensure that information security requirements are included in contracts by liaising with vendor management and procurement organisations.
  • Create and manage a targeted information security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.
  • Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
  • Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.

Lead the Security Organisation

  • Lead the information security function across the organisation to ensure consistent and high-quality information security management in support of the business goals.
  • Determine the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas.

Set the Strategy

  • Develop an information security vision and strategy that is aligned to organisational priorities and enables and facilitates the organisation's business objectives, and ensure senior stakeholder buy-in and mandate.
  • Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the organisation.
  • Work effectively with business units to facilitate information security risk assessment and risk management processes, and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite.

Develop the Frameworks

  • Develop and enhance an up-to-date information security management framework based on the following: International Organisation for Standardisation (ISO) 2700X
  • Create and manage a unified and flexible control framework to integrate and normalise the wide variety and ever-changing requirements resulting from global laws, standards and regulations.
  • Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.
  • Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
  • Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of information security, and review it with stakeholders at the executive and board levels.

Build the Network and Communicate the Vision

  • Create the necessary internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required.
  • Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
  • Liaise with government agencies, such as NCSC, GSG, GCHQ and other advisory bodies, as necessary, to ensure that the organisation maintains a strong security posture and is kept well abreast of the relevant threats identified by these agencies.
  • Liaise with the service CTO team to build alignment between the security and service architectures / product owners, thus ensuring that information security requirements are implicit in these architectures and security is built in by design.

Operate the Function

  • Create a risk-based process for the assessment and mitigation of any information security risk in your ecosystem consisting of supply chain partners, vendors, consumers and any other third parties.
  • Work with the service centre staff to ensure that all information owned, collected or controlled by or on behalf of the organisation is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy.
  • Collaborate and liaise with the data privacy officer to ensure that data privacy requirements are included where applicable.
  • Define and facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.
  • Ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines.
  • Oversee technology dependencies outside of direct organisational control. This includes reviewing contracts and the creation of alternatives for managing risk.
  • Manage and contain information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation.
  • Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
  • Develop and oversee effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realisation that components supporting primary business processes may be outside the corporate perimeter.
  • Coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support and in-house consulting in these areas.

Essential Experience:

  • Demonstrable and practical experience at a senior level, in public or private sector, of working in a combination of risk management, information security and IT or OT jobs
  • Demonstrable experience of setting standards and the development of procedures that deliver end-to-end, tightly monitored environments
  • Experience of leading transformation programs inside/outside government
  • Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists
  • Awareness and understanding of industry standard security issues and processes, including understanding of HMG's security policy framework.
  • Managing tight resource constraints, conflicting priorities and a dynamic programme would be highly beneficial
  • Ability to work under pressure and to respond quickly to changing circumstances and to tight timetables
  • Poise and ability to act calmly and competently in high-pressure, high-stress situations
  • Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic business environment
  • Professional security management certification is desirable, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials.
  • Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework
