Business Information Risk Analyst in London

The Business Information Risk Analyst’s (BIRA) role is responsible for supporting the Chief Information Security Office (CISO) service to BDO’s business streams to effectively manage information security risk. The role will play a key part in ensuring the effectiveness of BDO’s information security risk management framework, procedures, and information security controls. The BIRA role is a focal point for effective engagement between business streams and the CISO team. It is a trusted adviser to business stakeholders and provides broad knowledge of the firm’s security strategies, policies, standards, processes, and road maps to enable streams to understand and meet information security requirements. The BIRA will assess information security risk with the business and ensure that those risks are being managed by the risk owners. Decisions to accept, reduce, share, or avoid risks are communicated to appropriate visibility and governance committees. This role reports to a Business Information Risk Officer (BIRO).

Principal accountabilities:

• Utilise BDO’s information security risk management tools, procedures and control framework to understand and manage risk posture for each business stream.
• Maintain and monitor the Risk Register to ensure actions are appropriate, completed by agreed target dates and engage regularly with stakeholders.
• Support the business streams to identify and maintain registers of information assets including infrastructure, systems, software, devices and data.
• Build and maintain effective relationships with risk owners, risk managers and other stream stakeholders.
• Develop collateral and appropriate materials to support engagement with business stakeholders, explain key information security concepts and build awareness of information security risk and BDO’s control framework.
• Proactively identify and support risk owners and managers to manage and review IS risks and issues for streams.
• Support the business to assess the criticality of assets and services.
• Ensure that BDO policy and contractual obligations, and in turn compliance, is understood for each business stream.
• Identify and communicate metrics and reporting requirements to stakeholders that demonstrate security controls are effective.
• Support creation of corrective actions and plans to manage improvement or change where necessary.
• Creation and maintenance of a “security toolkit” with templates of key processes and controls, communicated in language that is relevant and understandable to all audiences.
• Provide targeted security awareness, education, and risk briefings.
• Support the delivery of supplier security and client security due diligence activities.
• Assist with maintenance of the knowledge base of common information security questions and responses to ensure timely and accurate responses to the business.
• Manage workload via Azure DevOps ensuring tasks allocated to the analyst are completed within agreed timeframes and progress is reported to owners of the outcomes.
• Proactively identify and escalate any factors that may impact the time, cost, or quality of allocated outcome before the impact is experienced by ensuring communication is clear and effective at all stages of the deliverable to the outcome owners.

Knowledge & experience:

• Knowledge and experience of information security risk management frameworks and procedures.
• Experience of applying formal risk identification, assessment, and quantification methods.
• Experience of stakeholder engagement and management to achieve defined outcomes.
• Highly self‑motivated with keen attention to detail.
• The ability to build good relationships at all levels and influence stakeholders.
• Excellent verbal, written and interpersonal communication skills. Ability to communicate technical subjects to both technical and non‑technical audiences, flexing style to suit the needs of the audience.
• Ability to work with others effectively, with third parties, internal teams, promoting knowledge sharing within and across teams.
• Good understanding of security frameworks including ISO27001/2, Cyber Essentials Plus, CIS Top 20, Data Protection Act 2018, OWASP Top 10.
• Have or be working towards relevant industry certification such as CISSP, CISM, CRISC or similar.
• Good understanding of governance and decision making in complex organisations.
• Knowledge and experience of continuous improvement processes and approaches.
• Experience of documenting, developing and improving information security processes and procedures.

Personal characteristics:

• Strong team player able to collaborate effectively with colleagues and management while exhibiting initiative and independence.
• Good analytical skills with a proactive approach to problem solving.
• Good presentational & information sharing skills.
• Demonstrated ability to prioritise and manage competing work assignments in a time‑sensitive environment on own initiative and in consultation with people management.
• Keen to learn and develop existing information security skills and take ownership of own learning and development with support from the wider team and the firm.