We are looking for
a QSA to join our GRC team in the UK. This role is home-based, with travel to client sites .
You’ll be part of a team delivering security consultancy in a client-facing role, with a particular focus on:
1. PCI DSS consultancy and assessments
2. Security reviews against standards or guidelines such as the NCSC Steps to Cyber Security and NIST CSF
3. ISO gap analyses
4. Helping our clients to implement Information Security Management Systems and achieve and maintain ISO certification
5. Conducting risk assessments
6. Creating or supporting third-party risk management and audit programmes
Essential skills and experience:
7. Be a current QSA who has completed multiple on-site PCI DSS assessments, and be able to demonstrate a mature understanding of complex PCI DSS environments, and an ability to consult as well as assess
8. Have experience with ISO, including implementing an ISMS and achieving certification
9. Have experience working with the NIST CSF
10. A good understanding of core concepts and technologies. For example, networking, Windows and Linux operating systems, and security technologies such as antimalware, IDS/IPS, etc. You do not need hands-on experience with these technologies or to have worked in an operational role
11. Be experienced working as a consultant in a client-facing role, leading delivery. You’ll be friendly and approachable and able to work well with our clients
12. Ability to work in a structured and methodical manner, with support to manage your own time with a focus on quality work
Your primary role will be to deliver PCI DSS consultancy and assessment activities to our clients as part of an established and experienced team of consultants. It’s not all PCI DSS, though, and you’ll be involved in other areas as listed above and have opportunities to scope and deliver more bespoke engagements.
Location
13. This role is home-based, with an expectation of travel to client sites, primarily in the UK, but with some opportunities for European and international travel; therefore, all candidates must be willing to travel
14. PCI DSS assessment activities require on-site work, but most other work is delivered at least partly from home
15. We can support working from across the UK
16. All applicants will require residence in the UK
What you’ll be doing in your role:
In your role, you will deliver consultancy services to our clients, covering the following areas:
17. Conduct security reviews against standards or guidelines such as the NCSC Steps to Cyber Security, NIST CSF, Cyber Essentials
18. Perform ISO gap analyses
19. Help our clients to implement Information Security Management Systems and achieve and maintain ISO certification
20. PCI DSS consultancy and gap analyses
21. Assistance in implementing PCI DSS requirements such as policy writing
22. Complete on-site assessments and reports on compliance
23. Complete risk assessments
24. Conduct third-party risk reviews
25. Support pre-sales where required by assisting in the pre-sales process, understanding client requirements and contributing to proposals and scoping of engagements
Key Skills:
Essential skills and experience:
26. Be a current QSA who has completed multiple on-site PCI DSS assessments, and be able to demonstrate a mature understanding of complex PCI DSS environments, and an ability to consult as well as assess
27. Have experience of ISO, including implementing an ISMS and achieving certification
28. A good understanding of core concepts and technologies. For example, networking, Windows and Linux operating systems, and security technologies such as antimalware, IDS/IPS, etc. You do not need hands-on experience with these technologies or to have worked in an operational role
29. Be experienced working as a consultant in a client-facing role, leading delivery. You’ll be friendly and approachable and able to work well with our clients
30. Ability to work in a structured and methodical manner, with support to manage your own time with a focus on quality work
Desirable skills and experience:
31. Experience working with the NIS directive, NCSC CAF or CAA ASSURE
32. Be experienced at C-Level, including presenting to top-level management, decision makers and risk owners. You will have the ability to articulate information security risks in a way that demonstrates an understanding of the broader business impact
33. Demonstrate leadership as a senior team member. You will be expected to have input into developing the wider team, take ownership of service areas, and be able to support and mentor other team members
34. Experience in delivering security awareness training to end-users
35. Hand-on technical experience, even if not recent
Certifications
As an active QSA you must hold a certification from list A and list B per the PCI SSC requirements. Whilst a collection of certifications is less important than experience, many areas in which our team works have pre-requisite certifications that our consultants either hold or are working towards achieving.
Any of the following certifications would be beneficial:
36. ISO lead auditor or lead implementer
37. CISSP - (ISC) Certified Information System Security Professional
38. CISM - ISACA Certified Information Security Manager
39. CISA - ISACA Certified Information Systems Auditor
40. CRISC - ISACA Certified in Risk and Information Systems Control
What we offer:
We are a people-focused, high-performing, high-trust professional services team. You’ll be part of a diverse and growing international group of consultants, and we go out of our way to make sure our consultants feel part of our team. We use technology to ensure we’re always communicating with each other and schedule time every week to talk as a team.
The successful candidate will have opportunities to:
41. Make a difference – as clichéd as it sounds, this really is true. We encourage all consultants to challenge norms and empower them to get involved. This might be getting involved with other teams or developing a new service offering – but if you want to do something, we always try to make it happen
42. Get involved – enjoy blogging or public speaking? Our team is committed to getting involved in industry discussions. We make time to attend conferences and get involved in the infosec community
43. Develop their skills – we love learning and ensure we find time for professional development. This isn’t just about collecting certifications and attending training courses – gaining and sharing knowledge in new areas is vital. These don’t always have to be directly related to your “day job”; in fact, we actively encourage developing knowledge in new and exciting domains