Status: Closed - Another successful assignment for Oakleigh Resourcing
Role: Head, IT Security, Risk and Compliance
Client: The British Council
Department: Global Business Services
Reporting to: Director, Global Business Services
Location: British Council Offices, Spring Gardens, London SW1A
Remuneration: Attractive salary and 'family friendly' benefits package
Purpose of job:
To help ensure the delivery of a technology landscape that supports business goals and objectives whilst minimising exposure to risk in areas of technology security and related legal and regulatory compliance. Leading a team of IT security specialists, and working closely with teams responsible for information management, this role needs to objectively assess the Council's information systems, develop appropriate policies, processes, procedures and standards, recommend improvements in security and controls, monitor compliance with standards, both internal and external, and track any remedial actions through to completion, providing assurance to the British Council's Board. In addition, this role will lead the technical response to security or other critical incidents, provide advisory and consulting services as needed to the business, and accept ad hoc assignments as the needs dictate.
The post holder will win the confidence of senior business leaders whilst providing thought leadership in this area.
Context and environment:
The security team has a key role in supporting the British Council in the management of security, risk and compliance whilst facilitating the achievement of business objectives. The composition and responsibilities of the security team are currently under review but are expected to grow as technology offerings become increasingly important to business delivery. In this role, the post holder will have responsibility for the management of a team responsible for addressing the IT security, risk and compliance needs of the organisation. In addition to independent and team assignments and responsibilities, the post holder will be engaged with relevant members of the global team in support of their activities, particularly in areas of technology policies, processes, procedures, standards, risk management and controls.
Areas of particular challenge on the BC horizon include BYOD, technical protection for the valuable IP, the new HMG information protection (protective marking) regime, Cloud based infrastructure and services, and sharing common IT platforms with business partners.
Accountabilities, responsibilities and main duties:
The post holder will be responsible for the security of information held in electronic form across the British Council; they will work in close partnership with the Head of Information Governance and Privacy, Head of IT Strategy, Head of Service Management, Head of Operations as well as Internal Audit in the areas of system security and information risk. Their work, and that of their team, will be to ensure the delivery of a coherent and well managed technology infrastructure with adequate controls for information assets and systems. The post holder will also perform a key role in relation to programmes and projects so that their development and introduction is aligned with the appropriate guidelines. Delivering on this mandate should be accomplished through the following (not exhaustive):
- Provide technical security and information risk expertise to a range of business units, sites and projects.
- Plan and manage delivery of an information security work programme.
- Act as Information Technology Security Officer (ITSO) for the purposes of the Security Policy Framework.
- Deliver and implement an accreditation process which meets HMG IA Standards numbers 1 and 2.
- Lead the development of Security Operating Procedures (SyOPs) for IT systems.
- Review and report on the effectiveness of IT security controls.
- Develop an information technology assurance strategy and related policies, guidance and awareness.
- Produce information security and risk management documentation to demonstrate compliance with, and provide assurance against, applicable policies and standards.
- Report on risks and appropriate mitigations to relevant stakeholders.
- Build constructive relationships with users and managers to build technology compliance assessment activities into business and project plans.
- Manage a team of information security personnel.
- Develop new business cases and commission investment projects related to IT security and risk management technologies.
- Lead technical investigations into IT security incidents and other critical incident response.
- Lead operational reviews in areas of IT security, risk and compliance.
Internal: Global Business Services, Business Solutions, UK and Regional Network, Information and Knowledge Management, Enterprise Risk Management, Finance, Internal Audit.
External: Foreign and Commonwealth Office, National Technical Authority for Information Assurance (CESG) Cabinet Office, external auditors and regulators, business partners, technology partners and suppliers.
Other important features or requirements of the job:
- This is a global role with the possibility of significant travel, weekend and evening working and the potential to occasionally work in hostile environments.
- UK passport required.
- Developed Vetting required.
Essential Behaviours: (the Behaviours Dictionary can be viewed on the British Council website)
- Working together (Most Demanding)
- Creating shared purpose (Most Demanding)
- Being accountable (Most Demanding)
- Making it happen (Most Demanding)
- Shaping the future (Most Demanding)
- Connecting with others (Most Demanding)
Skills and Knowledge:
- Expert knowledge of ISO 27001 and HMG's InfoSec policy and Information Assurance Assessment Framework.
- Business Management and Development (3).
- Project Management - Proven understanding of, and extensive experience in, designing, delivering and evaluating projects, with an emphasis on the needs of information security and asset management.
- Leadership - Experience of leading a multi-disciplinary team to deliver an enterprise-critical function.
- Experience of operating effectively across different cultures/with multi-cultural teams.
- Significant experience of managing information security in large, complex organisations encompassing areas such as: Security, Legal/compliance, Operations, Projects, Consultancy, Diverse technologies, Multiple countries/cultures, a variety of business settings.
- Previously held responsibility for ISO 27001 assurance in a mature, globally dispersed organisation with ISO 27001 certification.
- Essential - Industry standard certification in areas of IT Security, Risk and Compliance, such as Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP).
- Desirable - Other industry standard qualifications such as project management (PMI, PRINCE2), ITIL, etc.
The Assessment Process:
The assessment process provides both parties with the opportunity to assess cultural and team fit, individual and organisational aspirations, and the details of key objectives and priorities for the role. Elaine Rippon is the retained consultant for this assignment.