Principal Cyber Security
Specialist - GDPR

Department: Cybersecurity Regulation
Reports to: Director of Cybersecurity Regulation
Salary: £63,223 - £81,448 per annum (Level G)
Hours: 37 per week

Purpose of post

Reporting to the Director of Cyber Security Regulation, this role will be a subject matter expert, leading the ICO strategy in the relevant cybersecurity specialism across the ICO.

The role will coordinate information and cybersecurity activity performed across the various functions within the Regulatory Supervision Service and have matrix or dotted line responsibility for these resources, ensuring that objectives are met, and regulatory obligations are delivered.

The role will support the development of a strategic plan for information and cybersecurity regulation. The strategy will define appropriate expected standards of cybersecurity within regulated organisations and be used to enhance the ICO’s regulatory activity such as guidance, advice, and investigations.

Key responsibilities

  • Shaping and directing the ICO’s approach to the cybersecurity specialism for which the post holder is responsible.

  • Supporting the definition, delivery, and implementation of an appropriate cybersecurity strategy and operating model.

  • Responsible for the development and delivery of cybersecurity guidance and advice within the relevant specialism.

  • Anticipate and analyse future political, social, legal, and technological developments that impact on the ICO’s regulatory activity in relation to cybersecurity.

  • Champion the development of staff in relation to cybersecurity regulation, creating an inclusive environment which values diversity, encourages learning and development, and identifies and acts where capabilities need to be improved.

  • Working collaboratively with colleagues across the ICO and other relevant stakeholders to build Cybersecurity career pathways and a Cybersecurity profession within the ICO.

  • Monitoring developments in the security and resilience of companies in scope of the UK’s 2018 Data Protection Act (DPA), assessing the information that the companies provide about their security and operational resilience arrangements and monitoring the progress of any remediation work.

  • Providing technical advice to the operational teams on any reported incidents.

  • Identifying companies that could fall within the scope of the Regulations and gathering evidence to support recommendations.

  • Developing and drafting security best practices and compliance guidance, carrying out and/or managing security assessments.

  • Understanding how the evolution of technologies used in the delivery of digital service provision may affect security and resilience risks.

  • Working closely with stakeholders to improve the levels of security and operational resilience in the companies we regulate. This will include other regulators, both within the UK and beyond, NCSC in their role as the UK’s technical authority, and DCMS as the lead government department for the sector.

  • Promoting efficiency and continuity by ensuring knowledge and best practice is embedded and shared in the team.

Person specification

Education & Qualifications

  • Preferred but not mandatory: A relevant degree, postgraduate degree, or associated information and cybersecurity qualification (e.g. MSc, CISSP, ISEB, CISM)

Working experience

  • Substantial experience working within cybersecurity across all domains; practical experience with technical controls implementations

  • Substantial experience working with GDPR/data protection regulation; interpreting requirements and defining best practices

  • Experience in managing and balancing regulatory requirements with operational challenges faced by companies falling within the scope of the regulation

  • Implementing data security controls to meet the intent of regulatory requirements

  • Comprehensive understanding of conducting security assurance assessments, audits, and managing remediation plans

  • Understanding of the types of threats faced by companies regulated by the ICO and defining appropriate mitigating strategies

  • Experience with evaluating technical vulnerabilities and the probable impact if those were to materialise, and defining reasonable and appropriate compensating controls to mitigate the risk(s)

  • An understanding of modern digital technologies, the distinct threats and opportunities they present to companies, and how security controls can be designed and implemented to meet this changing threat landscape

  • Knowledge of and experience in the practical application of cyber standards such as Cyber Essentials Plus, ISO, and the NIST framework

  • Experience of working with or within regulatory environments

  • Experience of engaging and negotiating with both internal and external stakeholders at all levels

  • Experience working with the NCSC and the UK or other international governments is beneficial

  • Experience working on data protection incidents is beneficial

Knowledge, skills and abilities

  • Up-to-date subject matter expertise in current trends and practices relating to cybersecurity and GDPR/data protection regulation

  • Awareness of current global cybersecurity legislation and security best practices

  • In-depth knowledge of GDPR/data protection regulation and the ability to translate regulatory requirements into practical implementation guidance

  • The ability to analyse and interpret complex information

  • Excellent written and verbal communication and presentation skills, including the ability to explain technical matters to a non-technical audience

  • Personally effective – excellent organisational skills, ability to prioritise and delegate

  • Ability to use good judgement to make decisions on high profile and complex issues

Please note that post holders for this role will be required to receive security clearance to SC level. This requires the disclosure of spent and unspent convictions. Although convictions will be taken into account, any such information will not necessarily prevent you from obtaining a security clearance.