Principal Security and Information Professional

Bristol, Bristol, United Kingdom HM Revenue & Customs Full time

Available Locations: Bristol, Cardiff, East Kilbride, Edinburgh, Manchester, Telford, Worthing

HMRC Security is part of HMRC's Chief Digital Information Office (CDIO) and plays a vital role in assessing business and reputational risks across one of the largest IT estates in Europe. Within HMRC Security, Cyber Security Technical Services (CSTS) and the Government Security Centre for Cyber (Cyber GSeC) are integral teams responsible for ensuring that all colleagues have the capability to fulfil their security responsibilities and develop the skills needed to detect, prevent, and respond to evolving security risks and threats.

Our vision is to be recognised as a centre of expertise and excellence, working collaboratively across government to deliver holistic, customer-centric cyber security services. This includes consultancy support that adapts to emerging technologies and the ever-changing threat and risk landscape.

In this role, you will be part of a multidisciplined team and a supportive security community both within HMRC and across government. You will play a leading role in enabling HMRC to manage security, data protection, and information risks effectively across business areas. Working in partnership with senior stakeholders, you may provide strategic insight and advisory support on a wide range of topics including cyber, physical and personnel security, data protection, and information management.

At HMRC, we are committed to creating a great place to work for all our colleagues – an inclusive and respectful environment that reflects the diversity of the society we serve. We aim to maximise the potential of everyone who chooses to work with us, offering a range of flexible working patterns and support to help you build a fulfilling career.

Key Responsibilities


• Providing strategic advisory support to senior stakeholders on cyber, physical, personnel, data protection and information management risks, enabling informed decision-making and embedding proportionate controls.


• Leading as a security and information professional: championing and sharing best practice, embedding government security culture, and directing a team, with responsibility for setting direction, coaching, quality assurance and performance management.


• Promoting a culture of continuous improvement by driving high performance, encouraging shared ownership of outcomes and influencing others to work corporately in support of broader HMRC objectives.


• Acting as a key representative within senior leadership teams across lines of business, contributing to strategic planning, business alignment, risk governance and regulatory compliance.


• Translating security and information policy into practice, supporting implementation of policies and controls tailored to business priorities and risk appetite.


• Promoting a strong organisational culture around security, data protection and information management through stakeholder engagement and leadership.


• Bringing business insight back into central teams, shaping service improvement, policy development and transformation.


• Acting as an escalation point for complex or high-risk issues, including incidents, assurance matters, or strategic challenges.


• Contributing to CSTS leadership, including potential involvement in the CSTS Senior Leadership Team (SLT), and supporting identification of capability needs across the wider function.


• Representing HMRC in cross-government or cross-departmental forums, helping influence broader policy and delivery approaches.

Essential Criteria:


• Demonstrated ability to influence and advise senior stakeholders at board level.


• Proven experience in shaping or translating security and/or information management policy and risk into business-aligned action.


• Strong leadership experience with strategic direction setting capabilities.


• Exceptional integrity and judgement in handling sensitive information.


• Clear and confident communicator with experience producing high-quality written and verbal outputs tailored to senior audiences.


• Significant experience advising on security and/or data protection and information risks within large, complex, and high-risk environments. This may include providing strategic and operational guidance, influencing senior stakeholders and shaping organisational approaches to managing cyber, physical, personnel, and information security risks.


• You must also hold, or be willing to work towards, one of the Qualifications listed below.

Desirable Criteria:


• Familiarity with relevant frameworks such as NIST, CAF, ISO 27001 or the ICO Accountability Framework.


• Knowledge of legislative requirements such as UK GDPR, DPA 2018, Public Records Act, CRCA.


• Knowledge of risk and assurance methodologies, including threat identification, risk assessment, and control design.


• Experience working across organisational or departmental boundaries to support shared risk, policy, or governance goals.


• Applied understanding of Secure by Design principles, incident response processes, or regulatory compliance requirements.


• Background in leading or contributing to policy development, governance models or service improvement initiatives in the security or data/information domain.


• Working knowledge of HMRC's operating environment, business areas or technical estate (or a similar large public sector organisation).


