eCAF/NIS Application Consultant

Location: Glasgow HQ/hybrid style working (3 days pw in office)

Duration: 12 month initial contract

Rate: Negotiable, inside IR35, PAYE or UMB

Job Purpose Statement

Cyber security is one of the defining topics of our age, and cyber risk represents one of the most significant strategic risks to the UK's critical national infrastructure. At Scottish Power Energy Networks (SPEN) you will have the opportunity to approach this risk head on. SPEN have invested significantly in an ambitious security transformation programme to transparently reduce risk, achieve compliance with NIS regulations and deliver a cyber resilient business.

The Cyber Assessment Framework (CAF) / NIS Programme will enhance cyber resilience, compliance and assurance across the organisation's IT applications estate in line with NIS Regulations and the UK Cyber Assessment Framework (CAF).

Reporting into the COE Leadership, the Application Consultant role is a critical role in ensuring delivery against the strategic security vision and development and maintenance of associated security standards and documentation across COE owned applications. The role will ensure that applications are protected, resilient and prepared against cyber incidents. This role will be dedicated to implementation of cyber security solutions, configurations and tools. You will be responsible for proposing, planning and managing changes to align with SPENs security strategy and comply with industry regulations such as NIS. This role may require occasional working out of normal hours as implementation schedules require.

Accountability Statements

The Applications Consultant works closely with project managers, business analysts, end users and external vendors to ensure that applications meet the functional and non-functional requirements of the business while also ensuring that we continue to support and develop our applications with minimal impact on business as usual.

Key accountabilities include:

• Inputs to the COE Cyber Programme Plan, identifying new security capabilities for applications to support overall NIS compliance.
• Takes responsibility for the development of these capabilities into fully defined cost-effective security services at application level.
• Feed into the SPEN security strategy. Ensuring alignment between security architecture frameworks and standards with overall business strategy.
• Customer focused with a demonstrable track record of building strong and collaborative relationships with all key stakeholders inside and outside of the organisation.
• Ensure that security architecture supports each stage of the delivery of new projects as indicated by the 'Secure by Design' process.
• Supports the creation of security design documents and architecture artefacts.
• Interfaces with the relevant Design Authorities, providing security guidance to teams.
• Ensure consideration of asset management and data security best practice in relation to NIS regulations.
• Drive the adoption of secure designs, patterns and best practices.
• Keeps abreast of the latest intelligence from sources of cyber threat information and briefs stakeholders with actionable information.

Skills, Knowledge & Experience Required:

• Experience of Secure by Design Solutions Application Design and architecture.
• Experience of cyber security, monitoring and reporting tools and solutions.
• Experience of understanding and managing aspects of cyber risk, including the assessment, analysis, and reporting of cyber risk in a business context.
• Experience in defining and/or implementing security controls across multiple layers of the IT architecture stack.
• Highly developed problem solving and delivery skills with the ability to analyse complex issues, recommend appropriate solutions and manage calls with many vendors and teams to deliver these.
• Excellent communication skills, with an ability to distil technical issues into a form that can be digested by non-technical managers.
• Technical Delivery expert, with demonstratable experience in Agile and DevOps.
• Good knowledge and understanding of the IT lifecycle and experience of the business and its suite of applications.
• Knowledge and experience of Service Management/ITIL to ensure the operational service is maintained and managed effectively and efficiently.
• Understanding of release management tools, version control systems, and CI/CD pipelines.
• Familiarity with cloud environments (e.g., AWS, Azure).

Minimum Criteria (Mandatory)

• Experience of Secure by Design Solutions Application Design and architecture.
• Experience of cyber security, monitoring and reporting tools and solutions.
• Experience of understanding and managing aspects of cyber risk, including the assessment, analysis, and reporting of cyber risk in a business context.