Key Responsibilities
Secure by Design Leadership
* Lead Secure by Design discovery and assessment activities across digital services and portfolios.
* Provide Secure by Design risk and security assurance functions within MOD/Public Sector accounts.
* Define pragmatic security control expectations aligned to service context and business risk appetite.
* Coach delivery teams to adopt secure working practices in Agile and iterative environments without impeding delivery speed.
Risk Assessment & Threat Modelling
* Conduct cyber risk assessments using NIST SP 800-30/37, ISO 27005, and the NIST Cybersecurity Framework (CSF).
* Perform threat modelling using STRIDE, attack trees, and other contemporary analytical methods.
* Identify vulnerabilities, threats, impacts, and control gaps to inform risk treatment decisions.
* Carry out technical and control-based risk assessments, incorporating outcomes of architecture reviews and testing activities.
Risk Treatment & Remediation Planning
* Develop actionable, prioritised risk remediation plans, including responsibilities, timelines, and mitigation steps.
* Provide pragmatic and business‑aligned risk remediation guidance, balancing operational needs with security obligations.
* Work closely with risk owners and technical leads to negotiate and agree treatment strategies.
Governance, Assurance & Reporting
* Support governance and assurance forums by articulating risk, mitigation options, and residual exposure.
* Produce concise, informative documentation including:
o Risk assessment reports
o Threat modelling outputs
o Vulnerability and control analysis
o Residual risk statements
o Secure by Design compliance evidence
* Validate that required control patterns, assurance activities, and security testing have been completed.
Stakeholder Collaboration & Workshops
* Facilitate security, risk, and threat modelling workshops with multi‑disciplinary teams and Authority stakeholders.
* Engage with business and technical stakeholders to ensure alignment with broader transformation goals and regulatory requirements.
* Work with MOD/Public Sector teams to ensure security expectations and compliance obligations are met.
Compliance & Evidence Production
* Identify, collect, and review evidence demonstrating compliance with Secure by Design principles.
* Produce documentation including:
o Risk assessments
o Security testing results
o Evidence packs for Secure by Design compliance
o Residual risk reports
Leadership, Coaching & Knowledge Sharing
* Mentor junior consultants, technical specialists, stakeholders and programme teams across multiple business units.
* Produce and deliver awareness sessions on Secure by Design, secure development, governance, and best practice.
* Promote a culture of continuous security improvement.
Skills & Experience Required
Essential
* Eligibility for UK security clearance
* Proven experience leading Secure by Design across portfolios or multiple digital services.
* Strong experience supporting MOD, Defence, or UK Public Sector clients.
* Deep expertise in cybersecurity risk frameworks including:
o NIST SP 800-30/37
o ISO 27005
o NIST CSF
* Demonstrated ability to facilitate structured threat modelling (STRIDE, attack trees).
* Highly skilled in producing clear, concise, decision‑focused reporting for senior stakeholders.
* Strong capability in running governance, risk, and assurance activities.
* Experience working with Agile, DevOps, and multi‑disciplinary delivery teams.
* Excellent stakeholder management and communication skills.
* Experience in Secure by Design frameworks used within Defence and Government.
* Knowledge of MOD security governance, assurance, and accreditation processes.
* Background in risk consultancy or security assurance.
* Certifications such as CISM, CRISC, CISSP, SABSA, CCP, or equivalent.
What You Will Deliver
* Secure by Design discovery assessments and control expectations.
* Threat models, risk assessments, vulnerability analyses.
* Risk remediation action plans with clear owners and timelines.
* Concise assurance documentation and residual risk reports.
* Secure by Design compliance evidence aligned to programme and Authority requirements.
* Clear risk recommendations supporting decision‑making and governance.