The purpose of the Information Security function is to bring the organization’s operational, technical and information security risks under explicit management control through the Information and Security Management System and SOC services.
Within this position, the successful Head of Information Management and Security (IM&S) will take ownership of all operational, technical and information security management processes, including:
- Information and security risk management
- Information and security operational incident management
- Direct management and development of the 24×7 SOC team
- Incident investigation, including root cause analysis and the use of SIEM, SOAR and EDR tooling
- Act as security Incident Manager for major security incidents (internal and external)
- Information security assurance activities
- Quality & Compliance
- Maintain ISO 9001/27001 and Cyber Essentials accreditations
- Maintain any internal and external security standards
- Maintain customer confidence and participate in external questionnaires/audits
- Testing of operational systems and processes for security hygiene quality control purposes
- Support a variety of business and commercial activities including SoW and Proposals
- Oversee and manage outcomes of internal and client penetration testing reports
- Provide Information and Security Training to all staff (and clients as required)
- Provide vCISO Service to clients as a consultative role (billable and non-billable activity)
- Accountable and responsible for security tooling and training, covering:
  - security factors such as HMG policy and good practice
  - assurance requirements
  - technical requirements
  - selection of security technologies and controls
  - physical security requirements
- Leadership and strategic direction for the function, ranging from planning and budgeting to motivational, promotional and training activities expounding the value of information management and security
- Liaison with, and strategic direction for, related governance functions (such as Physical Security/Facilities, Risk Management, IT, HR, Legal and Compliance) and senior and middle managers throughout the organization as necessary, on information management and security matters such as routine security activities, emerging security risks and control technologies
- Leads the design, implementation, operation and maintenance of the Information Security Management System based on the ISO 9001 & 27000 series standards, including certification against ISO 9001 & ISO 27001
- Forms a “center of excellence” for information security management, for example offering internal management consultancy advice and practical assistance on information security risk and control matters throughout the organization and promoting the commercial advantages of managing information security risks more efficiently and effectively
- Leads or commissions the preparation and authorizes the implementation of necessary information security policies, standards, procedures and guidelines, in conjunction with the ISO Committee
- Leads the design and operation of related compliance monitoring and improvement activities to ensure compliance both with internal security policies etc. and applicable laws and regulations
- Advises and provides assistance to any staff looking for guidance on security-related matters, either in a customer-facing role or as a technical sales consultant
- Leads internal audits on all functions related to the Information Security Management System
- Leads or commissions information security risk assessments and controls selection activities
- At least 5 years of full-time work experience in information security management and/or related functions (such as IT audit and IT Risk Management)
- Information security management qualifications such as CISSP or CISM or equivalent
- Absolutely trustworthy with high standards of personal integrity (demonstrated by an unblemished career history, complete lack of criminal convictions etc.), and willing to undergo vetting and/or personality assessments to verify this if necessary
- Hands-on team leadership and management experience, ideally coupled with a suitable management qualification
- Typically a background in technical IT roles such as IT architecture, development or operations, with a clear and abiding interest in information security
- Excellent analytical and problem-solving abilities to identify and fix security risks
- Excellent communication and presentation skills, needed to build understanding and awareness of security issues throughout the organization
- Good team-working skills to develop security solutions in collaboration with other information technology professionals
- Significant experience in an IS environment, including extensive hands-on experience of IS project work and IS support
- In-depth knowledge of the requirements of the ISO 27001 standard and its practical application in an IS environment
- An understanding of the tools and technologies available to protect and monitor IS
- MSc in Information Security or related field
- Qualified ISO 27001 Lead Auditor/Implementer
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified Information Systems Security Professional (CISSP)