Principal security specialist

Cardiff
Permanent
Security specialist
Posted: 3 June
Offer description

Job Summary:

Are you someone that thrives on tackling complex security challenges and driving impactful change? Ofgem is Great Britain's independent energy regulator - a critical role that puts us at the forefront of cyber security, ensuring public data is safe and secure and that we set the standard for the energy industry. We're looking for a Principal Security Specialist (IT/OT) to join and lead the design, assessment, and implementation of innovative security solutions and associated guidance aimed at protecting critical systems. This work aligns with our core mission: to deliver a fair, sustainable, and secure energy future.

This is a permanent role within our Cyber Guidance & Monitoring (G&M) team, which sits within Ofgem's Cyber and AI Directorate. The G&M team focus on ensuring resilience is built into systems run by energy operators who control the UK's energy infrastructure. We do this as part of our role as Joint Competent Authority ("CA") for the Network and Information Systems Regulations 2018 ("NIS Regulations"). We provide 1-2-1 and sector-wide advice and guidance to operators throughout their security journeys, seeking to build greater collective industry resilience. We are very fortunate to be able to help influence and shape the security and resilience of a whole sector (specifically, the Downstream Gas and Electricity sector).

As an expert in the field, you'll lead high-profile security improvement projects, engaging with a wide range of internal and external stakeholders to shape security posture, implementing best practice in line with National Cyber Security Centre (NCSC) guidance. This is a chance to be at the forefront of innovation and meaningful change, championing secure by design principles and influencing digital strategies that benefit millions. This role provides a rare opportunity to combine technical expertise with strategic leadership - and it's an exciting time to join us!

At Ofgem, we offer more than just a job - we provide a supportive and flexible working environment designed to help you thrive. With hybrid working arrangements, newly refurbished offices in central London, Glasgow, or Cardiff, and a generous rewards package that includes excellent professional learning and development opportunities (including access to potential higher education funding - subject to review), you'll find everything you need to excel both professionally and personally. For further details on the role and on our hybrid working arrangement, please read the candidate pack and other documents below.

Job Description:

Key Responsibilities:

We are looking for someone who can:

  • Apply existing knowledge of cyber security engineering and IT/OT security best practice to support operators of essential services (OES) in adhering to cyber-focused regulatory requirements.
  • Use existing experience and knowledge of security risk management to identify areas for improvement - both for individual operators we regulate, and sector-wide - in order to advance overall security maturity and resilience.
  • Recommend pragmatic risk-based security solutions to be adopted by the operators we regulate to manage security risk across essential services, in line with UK Government's cyber security strategy.
  • Use excellent communication and stakeholder management skills to effectively work with a broad range of external organisations (across industry and our partners). Look to understand their needs and any security challenges.
  • Monitor progress for sector-wide and individual security improvement projects (where necessary).
  • Using your prior understanding and/or knowledge of relevant security frameworks, such as the NCSC Cyber Assessment Framework, assess the overall maturity of the sector.
  • Use your ability to influence to engage on delivering security outcomes, driving good behaviours, and where necessary, make recommendations for program or process improvements in line with the NIS Regulations.
  • Provide security subject matter expertise to operators of essential services (OES) on the delivery and development of new or changed infrastructure projects that are of high strategic importance to GB critical national infrastructure.
  • Provide security subject matter expertise in support of wider projects across the Cyber and AI Directorate, and where appropriate, to wider Ofgem functions.
  • Raise awareness and influence related workstreams and project teams to support wider energy systems resilience aims.
  • Using your expertise, facilitate wider knowledge-sharing and development both within the Guidance and Monitoring team and the broader Cyber and AI Directorate.
  • Continually demonstrate adherence to Ofgem's values in all that you do.

Key Outputs and Deliverables

As a lead member within the directorate, we want you to use your knowledge, understanding, and experience of cyber security practice to:

  • Plan, oversee and deliver a set of clear and transparent work deliverables on time and to a high standard through effective stakeholder management, project management, and resource management.
  • Support the development and maintenance of a repository of recognised cyber security practice for use internally by the cyber regulatory team or externally with organisations whom Ofgem regulate for management of security risk to network and information systems.
  • Continually review and assess threats affecting the sector, based on an understanding of the wider threat landscape as well as the security posture held by organisations across the DGE sector.
  • Review the cyber security measures taken by regulatees.
  • Identifying key challenges faced by the sector.
  • Collaborating with stakeholders and regulatees to develop effective mitigation strategies to counter these challenges.
  • Building resilience in line with guidance provided by the UK's Technical Authority, the National Centre for Cyber Security ("NCSC").
  • Use applied security and engineering expertise to identify key security risks to energy infrastructure solutions comprising IT, OT and IIoT technologies used to provide or sustain essential services across the DGE sector.
  • Develop and maintain guidance for external organisations (primarily OES), to support the improvement of cyber resilience for the sector.
  • Facilitate effective information sharing within Ofgem and across the DGE sector focused on accelerating sector-wide implementation of cyber security best practice.
  • Adjust your communication style to ensure stakeholders gain a firm understanding of relevant security expectations and their respective responsibilities in line with Government (cyber security) strategy.
  • Develop an understanding of Government's strategic direction for cyber resilience within the energy sector by collaborating closely with the Department for Energy Security and Net Zero ("DESNZ") as the joint CA and engaging with key stakeholders interested in energy (cyber) security for the sector.
  • Provide expert guidance to help team members deliver, by building a supportive, inclusive team environment based on trust-based relationships, transparency and inclusivity.

Ofgem can offer you a comprehensive and competitive benefits package which includes: 30 days annual leave after 2 years; excellent training and development opportunities; the opportunity to join the generous Civil Service pension which also includes a valuable range of benefits; hybrid working (currently 1 day a week in the office but this is kept under review), flexible working hours and family friendly policies. Plus lots of other benefits including clean and bright offices based centrally, engaged networks and teams and an opportunity to contribute to our ambitious and important targets of establishing a Net Zero energy system by 2050.

This exciting blend of professional challenge and personal reward identifies career opportunities at Ofgem as something to get excited about.

Essential Criteria

  • Experience in a leading role delivering technical security risk management and security improvement plans is essential. (Lead criteria)
  • Demonstrable experience of effective stakeholder management and ability to communicate technical concepts to a non-technical audience.
  • Task management and project and programme delivery to apply security frameworks and/or technical standards e.g. NCSC CAF, NIST CSF, ISO 27K, CIS Controls, IEC/ISA 62443 to support development of organisational capability and practice.
  • Able to achieve and maintain SC clearance.
  • Willing to help and mentor junior cyber security practitioners and help develop our team.

When you press the 'Apply now' button, you will be asked to complete personal details (not seen by the sift panel), your career history and qualifications. You will then be asked to provide a 1250 word 'personal statement' evidencing how you meet the essential and desirable skills and capabilities listed in the role profile. Please ensure you demonstrate clearly, within your supporting statement, how you meet each of the essential and desirable skills and capabilities. Please note there may be a second interview stage for this role.

The Civil Service values honesty and integrity and expects all candidates to abide by these principles. You must ensure that any evidence submitted as part of your application or used during interview, including your CV and any statements or examples, is truthful and factually accurate. Ofgem takes any incidences of cheating very seriously. Please ensure all examples provided are of your own experience. Any instances of plagiarism or other forms of cheating will be investigated and, if proven, the relevant applications will be withdrawn from the process.
Please note that plagiarism can include presenting the ideas and experiences of others, or generated by artificial intelligence, as your own.

The personal information we have collected from you will be shared with Cifas who will use it to prevent fraud, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct. If any of these are detected, you could be refused certain services or employment. Your personal information will also be used to verify your identity. Further details of how your information will be used by us and Cifas, and your data protection rights, can be found at https://www.cifas.org.uk/fpn.
