Cyber Security Risk Manager

Cyber Security Risk Manager

Application Deadline: 27 September 2024

Department: Cyber Security

Employment Type: Full Time

Location: Flexible

Reporting To: Head of Information & Cyber Security

Description

An opportunity has arisen to recruit a Cyber Security Risk Manager. The role will apply specialist skills and expertise at a managerial level to manage a complex range of cyber risks impacting the business, whilst acting as the subject matter expert for IT cyber security risk management activities and maintaining governance practices as defined within the cyber security risk management framework.

The role will also lead on risk assessments across our sites, manage the implementation of industry aligned risk management frameworks, work closely with IT architects to aid the design and implementation of change projects, and complete responsibilities associated with the collation and submission of NIS regulatory submissions across Great Britain, Northern Ireland and Republic of Ireland.

Key Responsibilities

Reporting to the Head of Information & Cyber Security, the key responsibilities and duties will include:

• Leading cyber security risk management activities for the EPUKI IT estate, including managing the tracking and monitoring of risks within the cyber risk register, whilst aligning risk management activities with industry frameworks such as NIST and the Cyber Assessment Framework (CAF) to aid internal posture and external regulatory compliance.
• Leading on defining and maintaining EPUKI Cyber Security policies and process instructions focused on IT assets, with consideration for the aligned EPUKI IT/OT Cyber security strategic operating model.
• Managing incident management responsibilities for IT assets and operational capabilities, including maintaining a defined framework for reporting methods and thresholds in accordance with regulatory requirements, whilst assessing and identifying trends within incident data to inform monthly risk reporting and continuous business improvement.
• Managing the development and implementation of 'secure by design' principles to aid the governance of IT architectural consultations and act as a cyber risk subject matter expert within design review forums.
• Managing the implementation of security requirements within a portfolio of IT change projects and act as a cyber risk subject matter expert within change delivery, managing risks associated with delivery and the integration of new processes or tools into business operations.
• Leading the development and implementation of cyber risk assessment tools aligned with the NCSC 'risk toolkit' methodology - including threat modelling, scenario-based analysis, quantitative and qualitative methodologies - to develop context aligned control improvements.
• Managing second line duties associated with IT vulnerability management and upholding the relationship between written and technical policy implementation, whilst lead workflows associated with urgent changes informed by threat intelligence.
• Acting as a cyber risk subject matter expert within an outsourced SOC service plan, managing the correlation between SIEM alerts, cyber risks, and continuous improvement within first line IT cyber operations.
• Acting as an approachable and trusted point of contact for Cyber Security to EPUKI staff, responding to queries and contributing to internal education, awareness, and engagement activities including physical and personnel security risk expertise where applicable.
• Providing input and risk consultancy advice to EPUKI group activities associated with regulatory requirements, including supporting the drafting of submissions to Board level forums where required.
• Acting as a Deputy Nominated Responsible Officer to Competent Authorities for GB sites.
• Assisting with the collation and submission of regulatory outputs across the GB, NI & ROI regulatory landscapes, as tasked within the Cyber Security team operating model.
• Representing the EPUKI group within energy sector industry engagements, sharing applicable industry information with EPUKI stakeholders and sharing EPUKI data with industry stakeholders where benefits can be obtained within the GB, NI & ROI energy sectors.

Skills, Knowledge and Expertise

Background

• Demonstrable experience within a related cyber security role (essential).
• Knowledge and direct experience of applying industry frameworks and guidance to business processes and 'real world' decisions (essential).
• Knowledge of current cyber threats to the UK and energy sector (essential).
• Experience operating within a team structure with examples of managing different types of stakeholder relationships across a corporate structure (essential).
• Experience within a cyber security operating model aligned with ISO27001 or NIST-CSF frameworks (desirable).
• Experience working in a cyber regulated or high assurance sector or operating model (desirable).
• Experience working in an operating model with a broad range of tasking and fast-moving workloads, including managing autonomous delivery (desirable).
• Familiarity with cloud security principles and NCSC Secure by Design principles (desirable).
• Knowledge of Network and Information Systems (NIS) regulations and the Cyber Assessment Framework [CAF] (desirable).

Behaviours

• Ability to interpret complex cyber information into actionable decisions and outcomes (essential).
• Excellent communication skills (essential).
• Tasking management (essential).

Qualifications

• Degree Educated in a relevant discipline (essential).
• Cyber Security badges or certifications (essential).
• Achieved or working towards Certified Information Security Manager (CISM) or SANS GICSP or equivalent information security practitioner level certifications (desirable).