Principal Cyber Security Governance & Risk Leader

The Government Digital Service (GDS) is the digital centre of government. We are responsible for setting, leading and delivering the vision for a modern digital government. Our priorities are to drive a modern digital government by:

• joining up public sector services
• harnessing the power of AI for the public good
• strengthening and extending our digital and data public infrastructure
• elevating leadership and investing in talent
• funding for outcomes and procuring for growth and innovation
• committing to transparency and driving accountability

We are home to the Incubator for Artificial Intelligence (I.AI), the world-leading GOV.UK and at the forefront of coordinating the UK’s geospatial strategy and activity. We lead the Government Digital and Data function and champion the work of digital teams across government. We’re part of the Department for Science, Innovation and Technology (DSIT) and employ more than 1,000 people all over the UK, with hubs in Manchester, London and Bristol.

The Information Security team at GDS protects the people, services and information used to deliver critical government digital infrastructure such as GOV.UK and One Login. We do this by supporting a secure software development lifecycle, setting and checking proportional organisation policies and building a positive, no-blame security culture across the organisation.

The Government Digital Service is where talent translates into impact. From your first day, you’ll be working with some of the world’s most highly-skilled digital professionals, all contributing their knowledge to make change on a national scale. Join us for rewarding work that makes a difference across the UK. You'll solve some of the nation’s highest-priority digital challenges, helping millions of people access services they need.

As a Cyber Security Governance and Risk Management Principal, you’ll:

• lead cyber and information security risk management, assurance, and architectural advisory for major applications and digital services during alpha, beta, and early live phases
• deliver critical security assessments and IT Health Checks, providing expert assurance across portfolio projects, with a focus on SaaS tooling compliance against NCSC Cloud Security Principles
• facilitate and oversee Security Working Groups throughout all key development and deployment stages, ensuring risks are tracked, logged, and reported to the Head of Cyber Risk and Assurance, with actionable recommendations provided
• produce formal risk assessments and risk treatment plans (RTPs) for all digital services and associated tooling, ensuring robust protection in accordance with business risk appetite
• develop, review, and advise on Secure by Design policies/practices, including safe use of AI, secure coding, and regulatory compliance frameworks (e.g., OWASP, DPIA, GovAssure)
• coordinate cross-platform activities and enable secure delivery of new GDS services, including supporting incident management and continuous improvement of live service security practices
• routinely provide monthly (and ad-hoc) risk briefings to senior leaders, evidencing assurance, identifying risks outside tolerance, mapping exposure, and recommending mitigations and controls
• mentor and train digital service teams and wider Information Security staff, sharing best practices and building internal capability for risk assessment and management
• support implementation and ongoing usage of risk management tooling, ensuring all details are uploaded promptly and appropriately, such as the SureCloud risk register
• engage proactively with senior internal and external stakeholders, promoting security culture and enabling confident delivery aligned with organisational priorities
• future line management activities as the team grows

Person specification

We’re interested in people who have:

• demonstrable experience delivering high-quality, detailed cyber security risk assessments and assurance in large, fast moving, complex digital environments, ideally government or critical infrastructure
• in-depth understanding of cyber risk management, threat modelling, security architectural advice, and formal IT Health Checks, including experience with SaaS environments and cloud security principles
• experience interpreting and applying relevant cyber security standards, regulatory frameworks, and secure by design principles within a multi-disciplinary digital team
• a self-starter, using your considerable experience and skills to work independently and with confidence
• track record of building cross-functional relationships and leading multi-platform security initiatives, with the ability to brief, influence, and advise senior stakeholders
• strong written, verbal, and interpersonal communication skills, able to distil complex findings into actionable recommendations for non-technical and executive audiences
• evidence of personal commitment to continuous learning and sharing of best practices, with experience mentoring, coaching, or enabling capability-building in others
• ability to assess the implications and risks of emerging technologies (such as AI, SaaS, cloud services) and proactively recommend security interventions
• knowledge of Civil Service values: respect, collaboration, inclusivity, and commitment to public service, with a strong focus on organisational culture
• relevant industry qualifications and accreditations e.g., CISSP or hold a Master’s Degree in a relevant discipline