Expired

Information Security Specialist


Company 

NATIONAL AUDIT OFFICE

Location 

City Of Westminster

Employment Hours 

Full Time

Employment Type 

Permanent

Salary 

Job Requirements/Description

Why are we recruiting?

In a world where cyber challenges and opportunities are constantly evolving, we are committed to staying ahead of the curve. With new investment aimed at enhancing the NAO's security maturity, our Information Security team is expanding. This is your chance to join a dynamic organisation with clear strategic objectives and help advance our data use and embrace new technologies securely.

We're not just growing; we're evolving. As part of a forward-thinking organisation with a strong mandate to harness data and embrace cutting-edge technologies, our InfoSec team is central to enabling and securing the NAO's digital future.

We're on the lookout for passionate, curious, and collaborative security professionals across a wide range of specialisms. Whether your expertise lies in governance, engineering, threat detection, or cloud security, you'll find real scope to make an impact, both within InfoSec and across the wider organisation.

  • Be part of a diverse and expanding team that thrives on challenge and innovation.
  • Work in a complex, data-rich environment where your insights will shape national-level outcomes.
  • Help embed security into every layer of our digital transformation, from strategy to code.

This is more than a job. It's a chance to help define the future of security at the NAO and be part of a high-performing and fun team.

What are the main responsibilities of this role?

This role will sit in a hybrid function, bridging the running and continual improvement of technical controls, procedural documentation, and compliance certification.

The Information Security Specialist is a new role, critical to supporting the rapid security maturity improvements, and will develop over time, gaining responsibilities as new or improved capabilities are delivered into the function.

This is a new role which will develop over time, with plenty of opportunities to be shaped by the individual in post. They will be involved in many new and diverse change and development programmes which will require an open and agile approach to delivering great, innovative security

Compliance and Process:

  • Management of the Cyber Essentials and CE+ certification process.
  • Maintaining ISO27001:2022 compliance.
  • Establish and run the review and improvement of the NAO's Disaster Recovery plans.
  • Ensuring our technical policies stay relevant and fit for purpose, and maintaining them in line with ISO27001 requirements, NCSC best practice, and in alignment with HMG standards.
  • Support the development and implementation of a Product Assurance framework with the GRC team. Own the process to deliver meaningful assurance as we integrate new products into the environment.
  • Reviewing and managing the Information Asset Inventory assessments, assessing the technical control performance across our technology estate.
  • Supporting training requirements across the organisation.
  • Ownership of regular reporting for senior stakeholders.
  • Supporting GRC in driving NIST maturity, taking ownership of assigned areas.

Technical:

  • Own the Data Loss Prevention controls, developing new controls and refining existing ones.
  • Facilitate eDiscovery activities.
  • Own InfoSec's DR Incident Response plans and testing
  • Supporting the management of Data Loss Incidents
  • Maintain and develop Privilege Management controls
  • Support all technical workstreams, with an initial focus on IAM and Email and Communications projects, working closely with the project leads.
  • Ownership, delivery and development of phishing simulations and training

Risk Management:

  • Proactively identify, evaluate, and assess threats and risks that may impact the NAO's ability to deliver on its vision and strategy.
  • Contribute to the maintenance of the Information Security Risk Register.
  • Support the delivery of appropriate and proportionate risk treatments, in line with the NAO's risk appetite.

Key skills/competencies required:

Essential:

  • Stakeholder interfacing skills, and an ability to talk to technical colleagues, translating complex messages for the wider organisation.
  • Experience working within a governance-focussed organisation and making processes simpler.
  • Proactive and positive attitude towards ongoing role-focussed personal development.
  • Understanding of key security principles, threats, controls, and risks
  • Detailed knowledge of key threat actors affecting the NAO.

Desirable:

  • Significant experience working within or implementing ISO 27001:2022 ISMS
  • Experience maintaining Cyber Essentials Plus
  • Hold one or more of the following industry accreditations, or able to achieve within six months:
    • CISSP, CISM, CISA, CRISC
    • CompTIA Sec+, Azure Cloud or Microsoft Security certifications.

Who are the team?

Our team is inclusive, diverse, and agile, dedicated to helping the business understand, identify, and manage threats and risks that could affect the NAO's vision and strategy.
