Cyber Security Supply Chain Risk Manager - Government Digital Service - G7 in Manchester

The Government Digital Service (GDS) is the digital centre of the government. We are responsible for setting, leading and delivering the vision of a digital modern government. Our priorities are to drive a modern digital government, by:

• joining up public sector services
• harnessing the power of AI for the public good
• strengthening and extending our digital and data public infrastructure
• elevating leadership and investing in talent
• funding for outcomes and procuring for growth and innovation
• committing to transparency and driving accountability

We are home to the Incubator for Artificial Intelligence (I.AI), the world-leading GOV.UK and at the forefront of coordinating the UK’s geospatial strategy and activity. We lead the Government Digital and Data function and champion the work of digital teams across government.

The Cyber Security Supply Chain Risk Manager is responsible for ensuring the security, integrity, and resilience of the organisation's supply chain in relation to cybersecurity risks. This role involves identifying and assessing cybersecurity risks within the supply chain, identifying suitable tender/contract security requirements/obligations to mitigate these risks, managing third-party vendor compliance with GDS’ specified security terms, and ensuring compliance/alignment with regulatory requirements and industry standards respectively. The Cyber Security Supply Chain Risk Manager will work cross-functionally with procurement, commercial, IT, risk management, engineering operations and legal departments to ensure that cybersecurity risks in the supply chain are understood and effectively managed throughout the supply chain lifecycle.

What you’ll do:

• Cybersecurity Risk Assessment: conduct and manage comprehensive risk assessments of suppliers, vendors, and partners to identify and mitigate cybersecurity threats in the supply chain
• Service Team Collaboration: support and assist Service Teams with the security aspects of their procurement needs, ensuring that appropriate information and cyber security requirements are included in tender documents, specifications and contracts; liaise with Commercial and Legal functions to ensure the requirements are included in tender and contract documentation
• Vendor Due Diligence: collaborate with procurement and legal teams to assess vendor security practices during onboarding and throughout the vendor lifecycle to ensure third-party vendors comply with the organisation’s cybersecurity policies and standards
• Supply Chain Risk Management (SCRM): develop and maintain a robust cybersecurity supply chain risk management (SCRM) program, including standardised supply chain risk logging, continuous monitoring, auditing, and evaluating third-party risk exposure individually, by category and in aggregate
• Compliance and Standards: ensure supply chain activities comply with relevant cybersecurity frameworks and regulations (e.g., NCSC Cyber Assessment Framework, GovS007, ISO 27001, GDPR/DPA), implement best practices from industry standards to secure supply chain operations
• Third-Party Contract Management: work with the legal and commercial teams to ensure cybersecurity clauses are included in supplier contracts; define key performance indicators (KPIs) and service level agreements (SLAs) around vendor cybersecurity responsibilities; periodically audit contracts for security terms, in order to understand any gaps in live contracts
• Incident Response: support the development of processes and protocols for managing third-party cybersecurity incidents, including coordinating with vendors during a breach, ensuring timely communication, and mitigating the impact on the organisation
• Vendor Cybersecurity Audits: lead or co-ordinate periodic cybersecurity audits of vendors and third parties to ensure they maintain high security standards, identify gaps and work with vendors to implement remediation plans
• Training and Awareness: provide training and support to internal stakeholders on supply chain cybersecurity risks and vendor management best practices; increase awareness of supply chain threats and trends within the organisation
• Collaboration and Communication: work closely with IT, risk, and procurement teams to communicate findings and recommended mitigations; ensure transparency and alignment between teams on cybersecurity risks and strategies
• ‘Intelligent customer’ supply chain management: contribute to the working relationship and management of inter-government supply chain, for example, internal services provided by another government department
• Supply Chain Resilience: develop strategies to ensure supply chain resilience in the face of cybersecurity threats, including supply chain mapping and diversification to mitigate risk
• Monitoring and Reporting: continuously monitor the security posture of the supply chain and provide regular reports to leadership on third-party risk exposure, incidents, and mitigation efforts

Person specification:

We’re interested in people who have:

• significant demonstrable experience in cybersecurity, supply chain management, and vendor/third-party risk management, including supply chain risk assessments and audits
• experience working with cybersecurity frameworks, risk management methodologies, and compliance requirements (e.g., NCSC CAF, ISO 27001, SOC 2), with strong information and cyber security risk knowledge and experience
• experience in managing cybersecurity for complex supply chains in sectors such as technology, healthcare, finance, or critical infrastructure, with the ability to identify and assess potential cybersecurity risks across the supply chain
• in-depth knowledge of cybersecurity principles and how they apply to supply chain and third-party risk management, including familiarity with emerging threats such as cyber-physical risks, counterfeit hardware/software, and compromised components
• strong understanding of supply chain operations, global supply chain regulations, and their intersection with cybersecurity policies, including integration of cybersecurity practices into procurement processes and supplier lifecycle/third-party vendor risk management
• knowledge of cloud service providers, managed service providers (MSPs), and other third-party IT service ecosystems, and experience working with vendor management systems, supply chain management tools, and cybersecurity risk platforms
• excellent communication and negotiation skills, with the ability to manage complex relationships with suppliers and vendors, and strong analytical skills to translate complex cybersecurity issues into actionable business terms
• indicative professional qualifications / accreditations: a degree in Information Security, Information Technology, Business, or a related discipline (or equivalent professional experience), complemented by preferred professional certifications such as CISSP, CISM, CTPRP, or CSCP, with ISO 27001 Lead Auditor or Implementer qualifications considered advantageous