Back to Job SearchThe team you'll be working with:
The GRC Consultant (Cyber Assurance / Security Operations Manager) is primarily responsible for ensuring the security controls (people, process, technology) are in place and operating as designed. The primary aim is the design, development, test and evaluation of information security throughout its lifecycle. This is to ensure the business purpose of the system is enabled in a safe and secure manner based on the alignment of identified risks to the acceptable risk posture of the business.
What you'll be doing:
- Providing security expertise across security standards and accreditations, measure and control the effectiveness of the security controls framework and maintain the Information Security Management System.
- Deriving and delivering documented Information Security Management Plans which incorporate Regulatory, Legal and Compliance in relation to applicable security policies. Standards and guidelines
- Assisting with the identification of identified risks and emerging cyber security vulnerabilities and threats. The subsequent analysis to quantify and lead risk mitigation plans
- Work with Service Management to ensure that partners and suppliers adhere to agreed standards, policies and verify/evidence appropriate compliance and security KPIs
- Work closely with 1st, 2nd and 3rd lines of defence on all matters relating to cyber security, information assurance, cyber risk, data privacy including regulatory and compliance considerations
- Lead the development and enhancement of governance, risk and compliance aligned to policy, standards an industry good practice
- Ensure that continuous assessment, identification, analysis and reporting of useful metrics to enable informed risk based decisions to be taken
- Constructively challenge established processes and controls to identify, recommend and facilitate continuous improvement, ensuring that all personnel (including senior stakeholders) understand their responsibilities in relation to security risk mitigation and remediation
- Review and verify that documentation relating to process and technical security controls are maintained
- Develops and maintains Information Security Management practice and process to ensure certification to required industry standards (e.g., ISO 27001) within relevant geographic boundaries.
- Develops, proposes and seeks sponsorship for changes to policies, procedures and controls to ensure the integrity of the in-scope IT services and effective management and control of information assets. Facilitates the implementation of these controls.
- Performs focused information risk assessments of existing or new services and technologies, alongside the Operational/Service Management team and technology subject matter experts.
- As required, will extend the assessment of existing and proposed services to third party suppliers, including the facilitation of IT Security checks during the supplier onboarding and contract lifecycle to ensure coherent approach to risk management
- Coordinate audit, ITHC and risk assurance activities to evidence compliance with established regulatory and governance requirements including governance of any Remediation Action Plan (RAP) to ensure timely mitigation of identified risks / vulnerabilities
- Maintains strong working relationships with individuals and groups involved in managing information risk across the in-scope services and aligned suppliers / 3rd parties
- Chairs and co-ordinates the Security Working Group (SWG) and actively participates in supporting/governing forums
- Contribute to the analysis and mitigation of data protection risks
- Monitors information security incidents, contributing to incident response and root cause analysis. Will own resulting actions as required where they relate to required changes in IT Security and Information Risk Management policy and controls
- Security operations and incident response, liaison with internal teams and 3rd party suppliers
What experience you'll bring:
- Minimum of 10 years’ experience of working in a multi-tiered IT enterprise environments
- Minimum of 5 years’ experience in a Governance, Risk and Compliance role
- A track record of delivering security solutions for large-scale infrastructure, transformation or integration programmes
- Practical knowledge and understanding of industry security frameworks and guidance such as NIST CSF, NIST 800-53, NCSC CAF and other NCSC guidelines
- Good knowledge of networking (switching, routing, firewalls)
- In-depth knowledge of modern security concepts, common attack vectors, malware, security analytics and threat intelligence.
- A good understanding of security testing and vulnerability management is important (including pen testing/ITHC, CVSS/CVE)
- Experience working with security standards such as ISO 27001, 27002, 27017, 27108 etc
DESIRABLE SKILLS AND EXPERIENCE
- Experience with the design concepts associated with adoption of Cloud platforms (AWS and/or Microsoft Azure)
- An understanding of the native security capabilities and good practice within Cloud platforms (AWS and/or Microsoft Azure)
- CISSP, CISM, CCSP, CRISC or equivalent experience
- Good knowledge covering several of the following examples (this list is not exhaustive): AD, Cryptography, End User Computing, IAM, PKI, Server hardening, SIEM, SOAR, virtualisation (VMware)
- Familiarity with MITRE ATT&CK
- Familiarity with ITIL
Who we are:
We’re a business with a global reach that empowers local teams, and we undertake hugely exciting work that is genuinely changing the world. Our advanced portfolio of consulting, applications, business process, cloud, and infrastructure services will allow you to achieve great things by working with brilliant colleagues, and clients, on exciting projects.
Our inclusive work environment prioritises mutual respect, accountability, and continuous learning for all our people. This approach fosters collaboration, well-being, growth, and agility, leading to a more diverse, innovative, and competitive organisation. We are also proud to share that we have a range of Inclusion Networks such as: the Women’s Business Network, Cultural and Ethnicity Network, LGBTQ+ & Allies Network, Neurodiversity Network and the Parent Network.
For more information on Diversity, Equity and Inclusion please click here: Creating Inclusion Together at NTT DATA UK | NTT DATA
Service Line Manager
Warren is a seasoned security consulting advisory leader & practitioner, who has worked in the Professional & Consulting Services sector for more than 25 years. Employed by NTT he holds a trusted client advisory & consulting role as well as working in client executive or director level roles, Warren is focused on building, leading & directing corporate security functions, educating client boards & executive management on Information & Cyber Security risks, defining strategies in Enterprise & Service Provider environments, as well as helping clients solve individual Cyber & Info. Sec. challenges. Warren understands business language, identifies key drivers and links this to his extensive experience in enterprise security, strategy & road mapping, audit, and a depth of knowledge in a portfolio of security, risk and privacy / industry methodologies & frameworks; NIST, ITIL, SABSA, TOGAF, COBIT, COSO & ISO to name just a few.
Location
“Upon joining the NTT DATA UK family, you will experience a culturally diverse organisation living our values of Clients First, Teamwork and Foresight as we partner with our customers every day.
At NTT DATA UK, we are proud to support and invest in our people. We offer a variety of rewarding career paths and opportunities to develop professionally - with access to cutting edge innovation.”
Fernando Apezteguia, CEO, NTT DATA UK
