Cyber Security Manager - National Savings and Investments - G7 in Scotland

NS&I is one of the largest savings organisations in the UK with more than 24 million customers and over £240 billion invested. We are both a government department and an Executive Agency of the Chancellor of the Exchequer. Our origins can be traced back more than 150 years to 1861. A small company with a big reach, we offer a range of benefits including flexible working, a 9-day fortnight scheme, a performance-related variable pay bonus, a generous pension scheme and great opportunities for development. We care for colleagues, respect one another, invest in our people and manage talent effectively. We are currently working in a hybrid way with colleagues expected to work at their chosen office location for 40% of their working month.

The Cyber Security Manager position is a critical role within the NS&I Risk Directorate. The role supports the Senior Cyber Security Manager in providing assurance that our service providers are operating effective cyber security control environments. Cyber security is a scientific field, encompassing scientific principles and methodologies from multiple disciplines, including computer science, mathematics, engineering, and behavioural sciences. The complexity of cyber security arises from the diverse and evolving nature of threats, technologies, regulations, and human factors involved. Addressing these complexities requires a holistic approach that combines technical expertise, strategic planning, organisational commitment, and continuous adaptation to emerging threats.

The Cyber Security Manager is responsible for being the primary contact for NS&I’s service providers and providing NS&I with assurance that the service providers are managing the complexities and ensuring cyber security risks are mitigated to acceptable levels. The Cyber Security Manager will be proficient in forging and sustaining trust-based relationships with Senior Management across NS&I and service providers/B2B clients that help to build a security focused culture between NS&I and providers and B2B customers.

Person specification

• Extensive experience of overseeing the performance of service providers and holding them to account for the delivery of critical cyber security services through governance forums.
• Demonstrable success in delivering written and oral presentations on cyber security and management risk to senior internal and external stakeholders.
• Substantial experience of assuring evidence against the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and ISO27001.
• Proven experience of conducting cyber security risk assessments, developing cyber security risk mitigation plans linked to business objectives, and presenting to a senior management audience.
• Experience in developing cyber security performance metrics linked to business objectives to inform senior management of the performance of the cyber security control environment.
• Significant experience in responding to or managing security incidents/breaches, overseeing patching/vulnerabilities or hardening systems including detection, response, recovery, and post-incident analysis.
• Extensive experience of implementing security solutions surrounding cloud transformation, data management, data storage.
• Strong analytical skills, including the ability to review, challenge and utilise complex technical information to provide advice and guidance to senior management.

Essential Technical Skills

• Ability to analyse complex technical information in order to provide advice and guidance to senior management.
• Strong knowledge of IT architectures and methodologies, including cloud environments.
• Significant experience of understanding of security technologies, solutions, and systems such as:

• Firewalls
• Intruder Detection Systems (IDS) / Intruder Protection Systems (IPS)
• Content Delivery Networks (CDN)
• Advanced Endpoint Protection
• Anti-Virus/Malware Solutions
• Security Information and Event Management (SIEM)
• Security Orchestration Automation and Response (SOAR)
• Data Loss Prevention (DLP) tooling
• Vulnerability Management Scanners
• Public Key Infrastructure (PKI)
• Symmetric and Asymmetric Cryptography

• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a service (SaaS)
• Cloud Access Security Brokers (CASB)
• Zero Trust Architecture Principles
• Micro-segmentation

• Threat modelling (OWASP Top 10, PASTA, STRIDE, MITRE)
• Threat intelligence
• Threat Hunting

Essential Qualifications

• Certified Information Security Manager (CISM) or Certified Information Systems Practitioner (CISSP)

Desirable knowledge, experience, and skills

• Experience in designing and assuring secure network architectures, application security, and enterprise security solutions.
• Experience in designing, managing, and optimising Security Operations Centre’s, including threat monitoring, detection, and response from an assurance perspective.
• Experience reviewing and overseeing penetration testing and vulnerability assessments and managing remediation processes from an assurance perspective.
• Experience in threat intelligence analysis and integrating threat intelligence into security operations and strategic planning.

Security clearance

Security Clearance (SC)

Qualifications

In order to be considered for this role you must confirm that you hold one of the following qualifications: Certified Information Security Manager (CISM) or Certified Information Systems Practitioner (CISSP).