Chief Information Security Officer
  • United Kingdom - West Midlands - Birmingham
1 year ago
£ 50000 Per year
Security Officer
Part Time
Job Description

The culture of IT Services is one of innovation, collaboration, excellence and inclusivity, and we apply the principles of customer focus and continuous improvement to everything we do. We want to attract outstanding, inspirational, and talented people, support them to succeed, and celebrate their success.

Our Information Security team is a key part of IT Services, responsible for maintaining our security tools and services, investigating and dealing with issues as they arise and supporting information security across the wider university.

Main Duties

  • Develop, implement and monitor a strategic, comprehensive enterprise information security and IT risk management programme.
  • Work directly with academic and professional services functions to facilitate risk assessment and risk management processes.
  • Develop, maintain and enhance an information security management framework and all related policies and processes.
  • Understand and interact with related disciplines to ensure the consistent application of policies and standards across all technology projects, systems and services.
  • Define and maintain the structure of the Information Security team, including any changes in staffing.
  • Provide leadership to the Information Security team and virtual teams within and external to IT Services.
  • Create and maintain a strong team ethos and morale, both with direct teams and as part of the wider IT services function.
  • Ensure strong and positive day to day working relationships between the security team and all key stakeholders, in particular other parts of the IT function.
  • Represent the University externally as the authoritative voice in the area of information and cyber security and governance.
  • Partner with business stakeholders across the University to raise awareness of risk management concerns.
  • Assist with overall technology planning, providing a current knowledge and future vision of technology and systems.
  • Any other activities that may be reasonably required by the university in the delivery of its overall business objectives.

Dimensions

  • Customer - the post-holder will interact on a regular basis with senior officers and key staff in colleges and professional services across the University.
  • Operational - the post-holder is a member of the IT Services senior management team and has authority in day to day matters relating to information and cyber security.
  • External - the post-holder is expected to be professionally active outside the University through participation in conferences, seminars and working groups representing the University. The CISO should be well-known in the industry and maintain a network of professional contacts at senior levels across the Higher Education sector as well as government and industry.

Required Knowledge, Skills, and Abilities

  • Experience as an information security professional, especially in the areas of information security strategy, governance, information security policy creation and maintenance, and information security monitoring and compliance.
  • Formal certification (CISSP, CISM or CRISC) and/or formal training in information security standards and best practice (e.g. ISO 27001/2, COBIT).
  • Experience implementing and/or maintaining formal best practice information security compliance or certification (e.g. ISO 27001/2, COBIT).
  • A proven track record of creating and maintaining an information security service and developing, maintaining, implementing and enforcing information security policy in a large institution or organization.
  • Experience in having dealt successfully with information security incidents.
  • Experience of evaluating, creating, managing and providing information security training.
  • Demonstrated ability to operate within a secure environment on sensitive data, data requests and information security incidents against strict information security policies.
  • Up-to-date knowledge of key information security technologies including encryption, vulnerability and penetration testing, compliance checking, anti-virus, firewall, other perimeter security and intrusion detection technologies, as well as risk management systems, asset management, and security event and incident management and monitoring.
  • Demonstrated ability and experience in establishing, tracking, measuring and weighing information security risk.
  • Demonstrated ability to build relationships at different levels of the organization.
  • Capable of working with and earning the respect of senior customer stakeholders.
  • Graduate caliber with degree or equivalent.
  • Able to articulate and agree a clear vision for information security strategy.
  • Excellent presentation skills and the ability to create persuasive and accessible presentations to non-specialist staff at many levels of the organization.

  • Experience of building and managing teams, including senior level responsibility for HR and financial management at divisional level.
  • Experience of working with information security suppliers, both in procurement and delivery of services.
  • Ability to work in a highly diverse organization with considerable variations in
  • In-depth knowledge and experience with key national and international information security and digital data standards, legislation and guidance relevant to the academic and research sectors including: The Freedom of Information Act, The Data Protection Acts, The General Data Protection Regulation, The Regulation of Investigatory Powers Act, The Human Rights Act, The Privacy and Electronic Communications (EU Directive) Regulations, and including recent UK and EU legislation such as the Data Retention and Investigatory Powers Act 2014 and the Counter-Terrorism and Security Act 2015.
  • Experience building and maintaining a strong information security and risk governance structure within a large organization.
  • Postgraduate degree, Masters or PhD, in Business, Information Security or Computer Science.
  • Experience with NHS information security policies, standards and regulations including NHS IG toolkit.
  • Experience of acting as chair of governance committees or boards.
  • Demonstrable high level strategic thinking and planning skills.
  • Has a network of senior-level contacts within the Higher Education sector, government and industry both in the UK and internationally.
  • Experience of working with and established relationships with security agencies such as the National Crime Agency (NCA), National Cyber Security Centre (NCSC), MI5 and GCHQ.
  • Professionally active and known within the information or cyber security sector, a confident and authoritative public speaker and writer.
  • A demonstrable commitment to leadership development of self and others as it relates to this area of professional specialist work.

Reference no: 34759
