Information Security Consultant
  • United Kingdom - England - Leamington Spa
1 year ago
Security Consultant
Temporary - Remote
Job Description

We are looking for an established QSA to join our information security consulting team. Your primary role will be to deliver PCI DSS consultancy and assessment activities to our clients, as part of an established and experienced team of QSAs based in the UK and US. This is a home-based role, with an expectation of travel to client sites as and when travel restrictions are lifted.

What you’ll be doing

In your role you will deliver a mixture of on-site and remote consultancy services to our clients, covering the following areas:

  • PCI DSS gap analyses and workshops;
  • Assistance implementing PCI DSS requirements such as policy writing;
  • Complete on-site assessments and author reports on compliance;
  • Security reviews of client environments;
  • Gap analyses against NCSC Ten Steps, NIST CSF, CIS 20;
  • Complete risk assessments;
  • Conduct third-party risk reviews;
  • Support ISO 27001 implementation projects – management workshops, ISMS reviews, risk management workshops, controls reviews, internal audits, third-party risk reviews;
  • Support pre-sales where required by assisting in the pre-sales process, understanding client requirements and contributing to proposals and scoping of engagements.

Our team is currently delivering the vast majority of client engagements remotely, and there is an expectation that you will be delivering client engagements 60-70% of the time, split between on-site days (or remote during COVID restrictions) and remote days for reporting. Our clients are primarily based in the UK; however, some European and international travel is required, therefore all candidates must be willing to travel.

What we offer:

We are a people-focused, high-performing, high-trust professional services team. You’ll be part of a diverse and growing international group of consultants, and we go out of our way to make sure our consultants feel part of our team. We use technology to ensure we’re always communicating with each other, and schedule in time every week to talk as a team. We also have regular face-to-face “clinic days”, where the whole team gets together for two days in a workshop style for learning, sharing, and collaborating.

The successful candidate will have opportunities to:

  • Make a difference – as clichéd as it sounds, this really is true. We encourage all consultants to challenge norms, and empower them to get involved. This might be getting involved with other teams, or developing a new service offering – but if you want to do something, we always try to make it happen
  • Get involved – enjoy blogging or public speaking? Our team is committed to getting involved in industry discussions. We make time to attend conferences, and get involved in the infosec community
  • Develop their skills – we love learning, and make sure that we find time for professional development. This isn’t just about collecting certifications and attending training courses – gaining and sharing knowledge in new areas is vital. These don’t always have to be directly related to your “day job”, in fact we actively encourage developing knowledge in new and exciting domains

Required Knowledge, Skills, and Abilities
Experience of PCI DSS: a qualified QSA who has completed full assessments for merchants and service providers with large and/or complex environments. An ability to provide strategic advice to guide clients from the inception of their PCI DSS project through to a compliant Report on Compliance. A solid technical background, with hands-on experience of technologies such as Windows/Linux, networking, databases, development, firewalls, and security technologies such as antivirus, IDS/IPS and DLP. Experience in a consultancy role, and an ability to communicate clearly, with impact, to both technical and exec/board level staff. As a consultant you will have experience of using your time effectively, and be motivated to drive client engagements and be proactive in your approach. Strong written skills. Strong communication skills and an ability to build rapport with key stakeholders. Willingness to “roll up your sleeves” and get involved, and to take responsibility for ensuring we always exceed client expectations.

As an active QSA you must hold a certification from both List A and List B as per the PCI SSC requirements. Whilst a collection of certifications is less important than experience, many of the areas in which our team works have prerequisite certifications that our consultants either hold, or are working towards achieving:

  • ISO 27001 Lead Auditor or Lead Implementer;
  • CISSP – (ISC)2 Certified Information Systems Security Professional;
  • CISM – ISACA Certified Information Security Manager;
  • CISA – ISACA Certified Information Systems Auditor;
  • CRISC – ISACA Certified in Risk and Information Systems Control;
  • Eligibility for Security Clearance.

An understanding of the GDPR and the Data Protection Act. Knowledge of cloud technologies such as AWS and Azure. Experience delivering security awareness training or public speaking. Hands-on experience of implementing ISO 27001.

Reference no: 34871
