Principal Security Architect

Marcusdonald

Job Location:

London - UK

Monthly Salary: Not Disclosed

Posted on: 30+ days ago

Vacancies: 1 Vacancy

Job Summary

Job Description

Role Profile

Role details

Role Title	Principal Security Architect
Level	Level 3
Directorate	DDSS
Location	London / Glasgow / Cardiff
Number of positions & contract types	1 Contractor (T&M) Inside IR 35
Approach	External
Security Clearance	SC

Ofgem works on behalf of energy consumers to ensure that every household and business in the UK can rely on a safe affordable and environmentally sustainable energy supply. We are playing a vital part in accelerating the transition to Net Zero and a carbon neutral energy system - a goal that everyone wants to achieve. Whatever your role you will be playing your part in creating new energy solutions that are great for customers and great for the environment.

Ofgem has a culture of inclusion that encourages supports and celebrates the diverse voices and experiences of our colleagues. It fuels our innovation and helps ensure we can best represent the consumers and the communities we serve. Everyone is welcome - as an inclusive workplace our employees are comfortable bringing their authentic selves to work.

This role aligns with the Cyber Security role in the Government Security Profession Capability Framework.

Purpose

A Security Architect advises and enables technical teams to make security decisions. They provide advice and guidance to ensure common tools and patterns are used effectively to deliver secure systems and implement proportionate controls to enable business outcomes.

The role of the Corporate Systems Refresh (CSR) Security Architect is to ensure that the information systems that the CSR Programme develops and deploys are designed and developed in compliance with the required security standards and best practice.

Key Responsibilities

Lead the Security Assurance and Compliance of the CSR Programme with setting a strategy that can be used in the long term and across the services that are impacted by the delivery of this programme
Develop vision principles and strategy for the CSR Programme and the technologies that it impacts
Recommend security design for the CSR Programme or technologies it impacts up to an organisational or inter-organisational level solving unprecedented issues and problems
Influence key CSR Programme architectural decisions and interact with senior stakeholders across organisations to reach and influence a wide range of people across larger teams and communities
Lead and assure processes and provide SME thought leadership on tooling and dynamic and static analysis during the CSR Programme life cycle
Lead the Security Architecture assurance that is aligned with Cyber Assurance Framework (CAF) and NCSC Guidance.

Skills

Skill	Level	Description
Security Architecture	Expert	Designs and reviews system architectures for a broad range of complex or uncommon requirements to identify security weaknesses and recommend mitigations Designs (or significantly influences) the technical design of a system to enforce security properties that have been derived from first principles to meet a complex or uncommon set of requirements Follows a methodical and repeatable approach to reviewing the security of a system architecture and can describe that approach Advises on security architecture implications of technological trends when applied to existing systems such as migration to the cloud. Can explain how those technologies change the security approach required Contributes to new and innovative security architecture guidance for others to re-use May have one or more technology specialisms where they are regarded as an expert in how their specialism supports security architecture design (e.g. telecoms Cloud microservice architectures identity)
Applied Security Capability	Expert	Considers complicated non-obvious security needs e.g. where the connections between business need the technology that supports that need and how it might be impacted are important to work out Works closely with those who own business needs deduces their tolerances with regard to things they care about and turns those into meaningful security statements that can be applied. This might be either complicated and specific or simple scenarios with broad applicability Delivers security advice that is contextualised and appropriate for the strategic customer need Avoids providing point solutions or advice that does not address the overall key need. Looks at the wider system including sociotechnical considerations (e.g. the role the user plays in meeting the desired security outcomes) Provides security advice that extends beyond particular technologies of which the candidate is familiar and draws upon and directs appropriate expertise to solve the bigger security problem. Ensures the overall technical coherence and quality of advice Together with assurance experts develops and applies novel approaches to assurance of CSR Programme products/systems/services Understands and applies different approaches to product implementation and operational assurance. Uses each appropriately to derive a genuine understanding of confidence that the overall business objective is protected Provides technical leadership for specific experts (be they pen-testers product or behavioural assurance for example) in the context of a specific technical assurance or confidence challenge Effectively communicates difficult risk and security concepts in accessible ways that can be clearly understood by business leaders. Contributes to and develops risk communication strategies
Information risk assessment and risk management	Working	Leads programme stakeholders in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios Understands and can apply the fundamental principles of risk assessment risk management processes and decision-making
Threat Understanding	Working	Interprets sources of threat information for the local environment and applies knowledge of the external environment Maintains understanding of local and strategic threat environments and trends affecting the landscape and can apply to inform and provide context Uses local and strategic threat information in decision-making and planning Communicates tailored threat information to relevant local stakeholders within the organisation

Key Outputs and Deliverables

Acts as the owner of the CSR Programme Security Architecture.
Advise and support the Data Enterprise and Integration Architects on the security aspects of designs and end solutions.
Assure security aspects of plans designs and delivery solutions provided by 3rd Party Suppliers.
Chair the CSR Programme Work Group and represent the CSR Programme on the Digital Data and Security Services (DDSS) Security Working Group (SWG).
Support and advise the CSR Programme on all security aspects throughout the life cycle of the programme.
Develop and maintain the security aspects of the Programme Delivery Schedule
Maintain the CSR Programme risk register assessing the security privacy and resilience risks likely to affect delivery of business operations; forward work plan; and corporate functions. Manage all mitigating actions to reduce residual risk to acceptable levels consistent with Ofgems risk appetite for security privacy and resilience.
Manage changes in the CSR Programme in conjunction with colleagues develop a control improvement strategy programme and activities which are then managed through to conclusion with security assurance oversight.
Regular reporting on key performance indicators and governance meetings.

Key Stakeholder Relationships

Internal

Directors Associate Directors and all colleagues within the CSR Programme and the wider Ofgem business teams and 3rd parties working for Ofgems business teams and corporate functions to manage the delivery of the CSR Programme to the required quality cost and timescales including the provision of HR IT and physical security operations

External

Security privacy and resilience professionals across Central Government
SIAs and LEAs as appropriate particularly those involved in helping to deliver the CSR Programme through NCSC and Cabinet Office programmes.

Role Criteria

Essential

Chartered via the UK CSC or CISSP or equivalent (lead criteria).
Deep technical understanding of IT infrastructure / Software development and management of these components.
Experience of engaging advising and influencing at all levels of an organisation whilst projecting credibility and self-assurance specifically relating to intelligence analysis and risk management.
Experience of developing and implementing a pragmatic approach to assessing the security privacy and resilience risks affecting sensitive assets including engaging stakeholders to create shared understanding of the risks.
Experience of managing the implementation of strategic plans tracking progress on risk reduction and benefits delivery; and managing changes to plans line with identified delivery risks and issues.

Experience of negotiating and managing 3rd party contracts and acting as an intelligent customer ensuring that security privacy and resilience are negotiated into the agreed contract terms and conditions.

Desirable

Experience of defining and gaining approval for a viable agile and pragmatic security privacy and resilience strategy capable of responding to and anticipating changes to the assessed threats risks and business environment.
Experience in analysing incidents across a complex environment

Experience of developing a business case for change that identifies the business benefits of a defined security privacy and resilience strategy

Behaviours

Communicating and Influencing

Leadership

Making Effective Decisions

Required Experience:

Staff IC

Job Description Role ProfileRole details Role Title Principal Security Architect Level Level 3 Directorate DDSS Location London / Glasgow / Cardiff Number of positions & contract types 1 Contractor (T&M) Inside IR 35 Approach External Security Clearance SC Ofgem works on behalf of energy consumers...