Our client Scottish Power Cyber is currently recruiting a Cyber Governance and Assurance Manager to join its team in Glasgow, initially on a contract basis. Ideally they are looking for an experienced manager in Cyber Governance and Assurance with a particular emphasis on the assurance side, and someone with UK energy supplier experience, as that is directly relevant to this role. For more information see below:
Job Purpose Statement
This role is responsible for defining, implementing, and managing the Cyber Security Governance and Assurance functions across ScottishPower Energy Networks (SPEN). The effective delivery of these functions on an on-going basis will ensure that key cyber security controls are effective and remain fit for purpose, directly contributing to operational risk reduction and to the relevant risk and performance indicators reported to the SPEN and ScottishPower Governance Committees.
This role is responsible for defining and maintaining the management of the Cyber Security Rules, Policies, Standards and Procedures for SPEN and implementing a proportionate, risk-based annual assurance programme to ensure the on-going adoption and embedding of recognised best practice cyber security controls and capabilities. In addition, the assurance activities will contribute to demonstrating regulatory compliance, including the NIS Regulations.
The role will require effective leadership of an efficient assurance team delivering a comprehensive rolling assurance programme which will help to deliver the objectives set out in SPEN's Cyber Security Strategy.
The role operates within the 1st Line of Defence, providing governance and assurance across SPEN Cyber at the business and Operational Technology (OT) level, and maintaining a close working relationship with corporate IT functions.
Accountability Statements
Governance:
* Ensure the Cyber Security Governance and Assurance functions are clearly defined, effectively implemented and easily measurable on an on-going basis aligned to the SPEN Security Strategy and wider objectives.
* Ensure the Cyber Security Policies, Frameworks, Rules, and Methodologies are adequately designed and communicated with key stakeholders across the SPEN cyber team and wider Business.
* Lead and coordinate the production of SPEN Cyber Governance Committee and Forum Papers and tracking of actions.
* Own and manage the Cyber Rule Exception Procedure.
* Develop and maintain a suite of Key Risk and Key Performance Indicators for upward communication to the SPEN Executive Team and address any queries.
* Build and maintain strong relationships with SPEN, ScottishPower and Global colleagues as is appropriate to the role.
* Build and maintain strong communication mechanisms to ensure on-going alignment of project, BAU and regulatory activities in a governance and assurance context.
Assurance:
* Define and lead the annual rolling SPEN cyber assurance plan and drive assurance activities across SPEN cyber and the business to ensure key milestones are met.
* Manage the CAF Evidence Repository and reporting dashboards.
* Manage and track remedial activities.
* Support audit activities across SPEN and ScottishPower, working with the 2nd and 3rd LoD.
* Support regulatory compliance assessments and annual reporting to the Regulator (as required).
Dimensions
Responsible for a team of governance and assurance staff covering the following areas:
* Cyber Security Governance and Assurance.
* Work and collaborate across SPEN, ScottishPower and Global companies within the Iberdrola Group to deliver strategic security solutions.
* Effectively engaging with a variety of internal and external stakeholders.
* Support the Head of Cyber Security Governance, Risk and Assurance to achieve relevant Global Cyber, ScottishPower and SPEN objectives.
* Work collaboratively as part of the wider Cyber Security Team.
* Embed good practice security assurance principles and support relevant risk management activities across the Business.
* Provide expert advice on cyber security assurance and governance related matters across SPEN Cyber.
* Provide expert SPEN Cyber input to the global definition of strategy, standards and procedures relating to Cyber Security Governance and Risk.
Skills, Knowledge & Experience
Technical Skills:
* Highly specialised knowledge and experience of Cyber Security as evidenced by relevant industry qualifications (e.g. GICSP, CISSP, CISM).
* Significant experience of developing and leading Cyber Security Assurance and Governance in an organisation of similar scope and scale to ScottishPower, with previous Security Management experience in a global organisation preferred.
* Expert knowledge in cyber security frameworks and standards as well as a deep understanding of cyber security regulations as they apply to a UK energy supplier.
* Significant experience in defining cyber security assurance strategies, methodologies and planning and developing and delivering associated services.
* Previous experience of working in a regulatory environment, preferably energy and utilities, ideally Critical National Infrastructure (CNI).
* Awareness of key legislation and regulation impacting the delivery of IT and OT Cyber Security in an energy utility.
Personal Skills/Abilities:
* Excellent communication skills, with an ability to distil technical issues into a form that can be digested by non-technical managers at the most senior levels of the company.
* Strategic orientation with ability to act tactically, as required.
* Strong leadership and communication skills.
* Highly developed ability to resolve complex problems and negotiate successful outcomes.
* Ability to build effective relationships for key stakeholders locally and globally.
* Global perspective, multi-cultural understanding and approach.
* Strong negotiator/facilitator and consensus builder.
* Ability to interact at all levels of the organisation.
* Ability to adapt quickly to change.
* High integrity and emotional maturity.
Planning & Organising
* Planning and supporting the delivery of the ongoing Cyber assurance and governance plans.
* Create, manage, and track a 12-month delivery plan covering all team and service provider activities to ensure delivery of all required services and objectives.
* Organise own and team (including external contractors) workload over a 12-month planning horizon, including objective setting and performance management.
* Create and execute an annual internal and external audit schedule for UK OT and Business OT functions.
* Define, deliver, and report remediation plans for internal/external audit and regulatory non-compliance issues.
Internal and External Relationships
* Reports to the Head of Cyber Governance, Risk & Assurance.
* Internal/external auditors.
* Cyber Security industry providers.
* UK Cyber Security Organisations.
* Industry bodies including NCSC, Ofgem, BEIS, the Energy Cyber Security Group (E3CC) and industry cybersecurity task forces.
Special Requirements (not mandatory)
* Post holder must have the credibility associated with operating at a senior level and have demonstrable experience of influencing at Director Level.
Useful qualifications:
* CCP Practitioner SIRA
* CISSP-ISSMP
* CISSP
* CISM
* CRISC
* CSX-P
* IEC 62443
* ISO 27001
* SANS GIAC
Minimum Criteria (mandatory)
* Highly specialised knowledge and experience of Cyber Security as evidenced by relevant industry qualifications (e.g. GICSP, CISSP, CISM).
* Significant experience of developing and leading Cyber Security Assurance and Governance in an organisation of similar scope and scale to ScottishPower, with previous Security Management experience in a global organisation preferred.
* Expert knowledge in cyber security frameworks and standards as well as a deep understanding of cyber security regulations as they apply to a UK energy supplier.