Cyber Security Business Analyst

We are seeking a Cyber Security Business Analyst with a strong utilities background to support the delivery of cyber security programmes across our water sector operations. This role acts as the critical bridge between technical cyber security teams, operational stakeholders, and business leadership – translating complex cyber security requirements into actionable project artefacts, process improvements, and business cases. The Cyber BA will support initiatives spanning IT and OT security, regulatory compliance, cyber maturity improvement, and digital transformation, ensuring that cyber security requirements are clearly defined, understood, and delivered.

Key Responsibilities

• Elicit, document, and manage cyber security business and technical requirements across IT and OT domains.
• Facilitate workshops with stakeholders including control engineers, IT architects, operations managers, and regulators to gather and validate requirements.
• Produce high-quality business analysis artefacts: Business Requirements Documents (BRDs), Functional Specifications, process flow diagrams, user stories, and gap analysis reports.
• Support the development and delivery of cyber security programmes, including NIS compliance, NCSC CAF assessments, and OT security improvement programmes.
• Conduct gap analysis between current-state cyber posture and regulatory/framework requirements (NIST CSF, IEC 62443, NIS Regulations).
• Develop business cases and options appraisals for cyber security investments, quantifying risk reduction and business benefit.
• Manage requirements traceability throughout the project lifecycle, ensuring cyber controls are delivered as specified.
• Support change management activities, ensuring operational teams understand cyber security process and system changes.
• Liaise with technology vendors and system integrators to validate that delivered solutions meet documented requirements.
• Contribute to cyber risk reporting, KPI dashboards, and programme status reporting for senior stakeholders and the Board.

Essential Experience & Skills

• Proven experience as a Business Analyst on cyber security programmes within utilities or regulated industries.
• Strong understanding of cyber security concepts: risk management, network security, identity and access management, incident response, and compliance.
• Experience working with cyber security frameworks: NIST CSF, ISO 27001, or NCSC CAF.
• Excellent requirements gathering and documentation skills across both IT and OT environments.
• Ability to translate technical cyber security concepts into business language for non-technical stakeholders.
• Experience producing gap analyses, business cases, and options appraisals for cyber security investments.
• Familiarity with GDPR, NIS Regulations, and sector-specific regulatory requirements in the water or energy sector.
• Proficiency in standard BA tooling: Visio/Lucidchart for process mapping, Jira/Azure DevOps for requirements management, Microsoft Office suite.
• Strong facilitation, communication, and stakeholder management skills.

Desirable Experience

• Direct experience within the water sector (treatment, distribution, wastewater) or equivalent CNI utility.
• Understanding of OT/SCADA environments and the unique challenges of cyber security in operational technology.
• Exposure to OFWAT regulatory processes and capital investment programmes (AMP cycles).
• Experience supporting NIS Regulations compliance assessments or NCSC CAF submissions.
• BCS International Diploma in Business Analysis or equivalent.
• CISMP, CompTIA Security+, or equivalent cyber security qualification.

Qualifications

• Degree in Business, Computer Science, Information Systems, or related field (or equivalent experience).
• BCS, IIBA (CBAP), or equivalent Business Analysis certification desirable.
• Cyber security awareness qualification (CISMP, Security+, or similar) advantageous.