
Lead Security Architect
£69,574 - £78,538 per annum
External applicants will be offered the base point of the salary range; Civil Service pay rules apply to current Civil Servants on promotion or level transfer.
Location
Leeds (our Canary Wharf or South Mimms sites are only available to internal applicants)
Hours
37 hours per week (excluding lunch break)
Reports to
Deputy Director Strategy and Architecture
If you have had a COVID-19 vaccine, have ever taken a medicine, or have used a medical device, then you have already come into contact with the Medicines and Healthcare products Regulatory Agency.
Our vision, One Agency - Delivering for Patients, underpins all that we do as we set out on an ambitious roadmap for change to become a truly world-leading, enabling regulator that protects public health through excellence in regulation and science.
The Medicines and Healthcare products Regulatory Agency enhances and improves the health of millions of people every day through the effective regulation of medicines and medical devices, underpinned by science and research.
About the Group and Function
The Digital and Technology Group (DTG) lies at the heart of the Agency and is responsible for delivering an optimised IT infrastructure and maximising the secure use of data to enable our scientists, inspectors, and the rest of the organisation to deliver world class services which can improve outcomes for patients and the general public. The Group was essential in the race to approve COVID-19 vaccines in 2020 and in supporting the UK to set up its own medicines and devices approvals systems following our exit from the EU. The work we do matters!
Its centre of excellence is also responsible for delivering a broad portfolio of change initiatives, both to transform the Agency's legacy technologies and to deliver innovative new solutions designed around our customers' needs. DTG works in a holistic way to combine digital and technology change, data and information management, project delivery, business process, product management and cultural change to maximise our impact and ensure sustainability.
We plan to be at the heart of one of the most digitally advanced medical regulators in the world and we need people who can help us deliver that ambition. DTG is a great place to build your career and we are committed to enabling our people to do the best work of their lives.
The Strategy & Architecture team is responsible for ensuring that DTG service provision supports the delivery of the Agency's strategy and Corporate Delivery Plan including meeting MHRA’s financial and performance targets and delivery objectives. The team is responsible for providing digital, data and technology design assurance to ensure proposed solutions are compliant with legislation, standards and Government policy, and for ensuring the effective running of the Division, including budget and performance management.
Role Purpose
As an IT Security Architect, you will play a critical role in safeguarding the department’s IT infrastructure and sensitive data.
You will be responsible for designing, building, and maintaining robust security architectures that protect the department's systems from threats and vulnerabilities.
Your primary goal is to ensure that all IT services and solutions are secure by design and compliant with government security policies and standards.
This role requires a strategic thinker with deep technical knowledge, an understanding of emerging threats, and the ability to work collaboratively with various stakeholders to embed security principles throughout the IT landscape.
You will maintain relationships with relevant suppliers, making sure services and products are delivered and aligned to industry best practice and regulatory and contractual requirements.
Key Responsibilities
Security Architecture Design
- Develop and maintain a comprehensive security architecture framework that aligns with the department's IT strategy, government policies, and best practices.
- Design security controls and solutions for new and existing systems, applications, and services, ensuring they are secure by design and compliant with relevant standards and guidance (e.g., NCSC guidance, GDPR, ISO/IEC 27001).
- Conduct threat modelling and risk assessments to identify and mitigate potential security vulnerabilities in proposed and existing systems.
Security Policy Development and Compliance
- Develop, implement, and maintain security policies, standards, and procedures in line with government regulations, industry standards, and departmental needs.
- Ensure that all IT systems and solutions comply with relevant legal, regulatory, and governmental standards, such as GDPR, Cyber Essentials, and Secure by Design.
- Conduct regular security reviews, audits, and assessments to ensure ongoing compliance and continuous improvement of security measures.
Security Awareness and Training
- Stay current with the latest security trends, vulnerabilities, and threats, and disseminate relevant information to the wider IT team and stakeholders.
Stakeholder Engagement and Collaboration
- Act as the primary security architecture point of contact for project teams, providing expert guidance on security requirements, design considerations, and risk management.
- Collaborate with cross-functional teams to ensure security is integrated into all aspects of the department's digital transformation initiatives.
- Communicate difficult risk and security concepts in accessible ways that business leaders can clearly understand.
- Influence and educate stakeholders on the importance of security principles, standards, and best practices.
Innovation and Continuous Improvement
- Proactively identify opportunities to improve security architecture and reduce risk through innovation, new technologies, and process improvements.
- Stay abreast of industry trends, emerging technologies, and best practices in security architecture, bringing forward recommendations for improvement.
Key Result Areas
Secure IT Systems
- All IT systems, applications, and services are designed and implemented securely, with security controls that are compliant with government standards and policies.
Reduced Risk Exposure
- Reduced risk exposure through effective threat modelling, vulnerability management, and mitigation strategies, resulting in a secure and resilient IT infrastructure.
Compliance
- All IT systems and solutions achieve and maintain compliance with relevant legal, regulatory, and government standards, such as GDPR, Cyber Essentials, and PSN accreditation.
Stakeholder Engagement
- High levels of engagement and collaboration with stakeholders, resulting in security being embedded into all aspects of IT and digital transformation initiatives.
Continuous Improvement
- Ongoing enhancement of security policies, procedures, and controls, driven by proactive threat intelligence, incident reviews, and lessons learned.
The job description is not intended to be exhaustive, and it is likely that responsibilities and outcomes may be altered from time to time in the light of changing circumstances and after consultation with the postholder.
Person Specification
Important Candidate information:
The Civil Service uses a recruitment framework called Success Profiles. Success Profiles are made up of 5 elements: Ability, Behaviours, Experience, Technical and Strengths, but it is unlikely that you will be assessed against all 5.
Behaviours, Experience and Technical elements will be assessed through your application form, in the first instance.
Method of assessment key: (A) - Application, (T) - Test, (I) - Interview, (P) - Presentation
Behaviours (A, I)
Communicating & Influencing
- Communicate with others in a clear, honest and enthusiastic way in order to build trust.
- Explain complex issues in a way that is easy to understand. Introduce different methods for communication, including making the most of digital resources whilst getting value for money.
- Excellent communication skills with the proven ability to elicit and portray the organisational security picture, and to map out the current, interim and future target states to a wide variety of technical and non-technical stakeholders.
Working Together
- Proactively create, maintain and promote a strong network of contacts across the organisation and externally.
- Embed an inclusive culture of creating positive and supportive teams who consider the diverse needs and feelings of other colleagues.
Leadership
- Remain visible and approachable to all colleagues and stakeholders. Actively promote the reputation of the organisation with pride, both internally and externally.
Experience (A, I, P)
Proven Experience in Security Architecture
- Extensive experience designing, implementing, and managing security architecture for large and complex organisations, preferably within the public sector.
- Deep knowledge of security architecture principles, including defence in depth, zero trust, least privilege, and secure by design.
- Familiarity with UK public sector regulations, standards, and frameworks, such as Government Digital Service (GDS) standards, Cyber Essentials, NCSC guidelines, GDPR, and ISO/IEC 27001.
- Knowledge of industry security frameworks such as the NCSC Cyber Assessment Framework (CAF) and the NIST frameworks.
- Proven experience designing and implementing secure cloud architectures, and an understanding of cloud security principles across the major cloud platforms.
Risk Management and Mitigation Experience
- Experience conducting risk assessments and threat modelling, and developing risk management strategies to mitigate identified security risks.
- Experience in developing, implementing, and maintaining security policies, standards, and procedures aligned with industry best practices.
- Proven experience of internal and external security audits, assessments, and penetration testing.
Experience with Emerging Security Threats and Trends
- Up-to-date knowledge of current and emerging security threats, vulnerabilities, and industry trends, and experience applying this knowledge to enhance organisational security posture.
Technical (A, I)
Expertise in Network Security Design
- Experience in designing and implementing secure network architectures, including knowledge of network protocols, segmentation, firewalls, VPNs, and intrusion detection/prevention systems (IDS/IPS) in on-premises and cloud environments.
Knowledge of Security Technologies and Tools
- Demonstrable experience with a range of security technologies and tools, including but not limited to: Identity and Access Management (IAM); SIEM tools; endpoint protection; cryptography and encryption solutions; data protection and privacy controls; vulnerability management; Security Orchestration, Automation, and Response (SOAR) tools; and secure mobile and endpoint computing.
Application Security Knowledge
- Technical expertise in securing web applications, APIs, and microservices, including experience with secure coding practices.
Desirable
- Security qualification, e.g. CISSP or SABSA.
- Experience of the cross-government Secure by Design approach.
Strengths (I)
- Preventer – you think ahead to anticipate, identify, and address any risks or problems before they occur.
- Explainer – you communicate ideas, verbally or in writing. You simplify complexities and adapt communication so others can understand.
- Catalyst – you are self-motivated to act to achieve a goal. You are confident using your own initiative to take forward actions.
- Problem Solver – you take a positive approach to tackling problems and find ways to identify potential solutions.
The Civil Service Code
These core values support good government and ensure the achievement of the highest possible standards in all that the Civil Service does. You can find out more about our values, standards of behaviour and rights and responsibilities in The Civil Service Code.
Civil Service Values
Integrity
- Putting the obligations of public service above your own personal interests
Honesty
- Being truthful and open
Objectivity
- Basing your advice and decisions on rigorous analysis of the evidence
Impartiality
- Acting solely according to the merits of the case and serving equally well governments of different political persuasions
Agency Values
The code is reflected in the Agency's values, which state that:
- We focus on patients and public health
- We work together with respect
- We take responsibility and are accountable
- We create an environment where learning and innovation thrive
