Cyber Security Consultant

4 days ago


London, Greater London, United Kingdom | HM Revenue & Customs | Full time

Senior Cyber Security Consultant – Asset Identification and Management

Hybrid Working from one of our Regional Centres

Active SC Clearance required

The Team

The Government Security Centre for Cyber (Cyber GSeC) develops and provides consultancy and advice services to government departments to build their cyber security resilience and the cyber security posture across HMG. We work directly in support of the Government Cyber Security Strategy (GCSS).

The Cyber GSeC is hosted by, and sits with, HMRC Security, which is part of the Chief Digital and Information Officer (CDIO) area of HMRC. Though the GSeC sits within these functions, it is a distinct entity that is separate from the day-to-day HMRC security function.

The Project

Asset Identification & Management has been identified as a priority service for delivery by Cyber GSeC, given its position as the cornerstone of many other pillars of departmental operational and security resilience.

Phase 1 of the project will deliver practical 'how to', real world guidance and a maturity framework for asset identification and management within HMG departments, including principles, activities and supporting templates, case studies, and signposts to examples of good practice and other knowledge hubs, such as NCSC, NIST, etc. The project team will create or curate materials to provide quick wins. A self-service delivery model for departments will be formed.

You will need to:

Undertake Current State Assessment with Candidate Departments

  • Undertake collaborative reviews with candidate departments to confirm maturity states and form detailed baseline of Asset Identification and Management practices
  • Select priority target asset management approaches for practical guidance development. Proposed focus areas (detailed under Deliverables) are: Real World Modelling, Where to Start, Real World Integration, and Gaining Senior Business Sponsorship

Develop Practical Guidance (Iterative)

  • Develop practical, targeted Asset Identification and Management guidance
  • Publish guidance frequently and iteratively with pilot departments for refinement and objectives alignment

Complete Initial Guidance Publication and Iterative Review

  • Work with departments to embed practical guidance, measure improvements or planned improvements against original baseline
  • Further refine the service offering in preparation for Phase 2

Deliverables will be artefacts pertaining to the following

Real World Modelling: Creating model systems to show how assets are recorded, how criticality is defined and assessed, and how relationships to the information asset register and other asset registers can be maintained.

Where to Start: Providing guidance to departments on undertaking a top-down assessment of critical business functions and on how to re-use and dependency-map available low-level asset information.

Real World Integration: Provide practical guidance on integrating asset management into incident management, supplier management, procurement, risk management, business continuity, disaster recovery and change management.

Gaining Senior Business Sponsorship: Materials to show departmental boards and business owners the benefits of unified asset management implementation.

The Role

As a Senior Cyber Security Professional leading service delivery within Cyber GSeC, you will play a key role in improving the cyber security posture of His Majesty's Government. Championing the outcomes of the Government Cyber Security Strategy, you will oversee the design, implementation, uptake, and continued improvement of Cyber Security best practice and Cyber GSeC services that provide tangible improvement to the cyber security of Lead Government Departments and their underlying ALBs. You may also be required to contribute to other outcomes of HMRC's Cyber Security Technical Services function.

You will be assigned to one of our technical services or projects, delivering against project plans and milestones. You will be confident in your ability to engage at senior levels across the UK security community and will be expected to be involved in our engagement with a wide range of key stakeholders that may include the Government Security Group (GSG), National Cyber Security Centre (NCSC) and the Central Digital and Data Office (CDDO).

The core element of the Senior Cyber Security Professional role will be to provide targeted, expert and risk-based technical security advice and guidance across the breadth of HM Government. The successful candidate will be able to evidence their technical skills and experience in cyber security fields relevant to the services we deliver.

Responsibilities can include:

  • Delivering outcomes against one of our service lines or projects in support of the Government Cyber Security Strategy (GCSS).
  • The development, implementation, delivery, and continuous improvement of Cyber GSeC advice and guidance services across circa 400 government organisations, ensuring alignment to relevant cyber security standards and architectural requirements.
  • Selecting suitable security techniques, tools, and test strategies to confirm compliance with relevant HMG security standards, providing suggested remediation actions.
  • Leading the development of Security Principles, Policies and Technical Standards aligned to business context and risk appetites and curating communication campaigns for a wide range of stakeholders to encourage an improved cyber security stance and the uptake of Cyber GSeC services.
  • Supporting the delivery of balanced and efficient cyber security risk management decisions, identifying vulnerabilities and resolutions in sophisticated technical environments.
  • Recognising when security measures impact on users or business needs, providing targeted and expert advice to inform business decision making, and handling partner concerns.
  • Identifying, raising, and advancing cyber risks in keeping with HMG risk appetite and delivering effective cyber services from our catalogue, while supporting Secure by Design and the security lifecycle.
  • Researching, identifying, validating, and leading the adoption of new technologies and methodologies, and engaging with and contributing to a wider security technology and tooling strategy providing direction to the organisation and HMG.

Essential Criteria

At application and interview, you must demonstrate extensive experience of:

  • Minimum 5 years' experience working as a Cyber Security Consultant or IT Security Consultant, with proven supply chain security experience and current knowledge of procurement frameworks and processes.
  • Extensive senior stakeholder management across partner organisations, clients, and suppliers, using strong communication skills to communicate effectively at all levels to technical and non-technical audiences.
  • Having a deep subject matter knowledge across key incident response specialist areas and demonstrating understanding of the technical and procedural concepts, and their application.
  • Communicating with all different stakeholders to convey the relevant points about incident response and cyber security, whilst being sensitive to stakeholders' knowledge levels, role within organisation and experience in a way that builds trust and confidence.
  • Developing and managing cyber security response plans and building exercises that are credible and robust; this could also include experience of being a key member of a Cyber Incident Response Team.
  • Providing sources of reference to resolve problems and help mentor team members and having suitable knowledge to answer questions directly regarding a broad range of technical matters.
  • Security and privacy risks and associated threats with a solid understanding of key considerations such as confidentiality, integrity, availability, non-repudiation, and privacy.
  • Successful delivery of security aspects of major projects, demonstrating professional credibility and authority.
  • Crafting and conveying information security and risk management guidance aligned to corporate risk appetite across several enterprises.
  • Working with leading standards such as NIST, ISO, CIS, and Cyber Essentials
  • Extensive experience consulting on security assurance and conducting audits
  • Ability to align activities and deliverables with CAF objectives and strategic pillars of the Government Cyber Security Strategy
  • Good knowledge of project management governance
  • The ability to translate outline objectives into definitive deliverables
  • Deep understanding of asset classification, dependency mapping and taxonomy design.
  • Expertise with asset management frameworks (CAF, ITIL, GovAssure, ISO55000).
  • Knowledge of how asset management supports wider cyber security outcomes.
  • Proven capability in developing self-service documentation, maturity models and templates.
  • Strong stakeholder engagement and workshop facilitation skills.
  • Awareness of government cyber security standards, IAOs and information governance
  • Experience implementing asset management within government departments.
  • Knowledge of traditional CMDB or inventory systems.
  • Understanding of how manual registers support incident response and risk management.

Please ensure your CV clearly demonstrates how you meet these essential criteria.

Desirable Qualifications

It is desirable that candidates hold some relevant qualifications.

Relevant IT Security qualifications include (but are not limited to):

  • NCSC Certified Cyber Professional (CCP)
  • Certified Information System Security Professional (CISSP)
  • Certified Cloud Security Professional (CCSP)
  • Certified Information Security Manager (CISM)

Please note that active SC Clearance is required for this position.


