Head of Cyber Security Operations and Governance
- Civil Service
- Full Time
- Birmingham
- 59,870 - 66,592
Job Description
Job summary
The purpose of this role is to:
- Lead the organisations cyber security operations and governance function, ensuring that cyber security risks are identified, assessed, managed and reported in a clear, proportionate and effective way.
- Provide leadership for cyber governance, operational security oversight, assurance activity, incident readiness, supplier assurance and secure-by-design practices across digital services and business operations.
- Support the organisation in protecting its data, systems and services by aligning cyber security arrangements to government requirements, NCSC guidance, recognised standards, regulatory obligations and organisational risk appetite.
- Provide clear, risk-based advice to senior leaders and governance forums, enabling informed decision-making, improved resilience and continual improvement in cyber security capability and assurance maturity.
- Act as the functional lead for cyber security operations and governance, working through direct team leadership and wider matrix relationships across DDaT, assurance, delivery and supplier-facing teams.
This role requires strong cyber leadership, governance and assurance expertise. Deep technical specialism is not expected in every area, but the postholder must be able to provide credible leadership, oversight, and challenge across cyber security operations and governance.
Job description
The post holder will be responsible for the following:
- Leading and developing the cyber security operations and governance function, ensuring that security activities, governance arrangements and assurance outputs support business objectives and reduce risk.
- Defining, implementing and continually improving the cyber security operations and governance approach, aligned to government requirements, NCSC guidance, organisational priorities and secure-by-design principles.
- Leading the organisations cyber governance arrangements, including policies, standards, procedures, guidance, risk management, exception handling and assurance reporting.
- Overseeing cyber security operational processes, ensuring effective arrangements are in place for monitoring, incident coordination, vulnerability management, access governance, control oversight and service improvement.
- Leading cyber assurance activity across the organisation, including second line assurance, control reviews, thematic reviews, support to audit activity and follow-up of improvement actions.
- Ensuring that cyber security requirements are embedded across the lifecycle of products and services, from design and procurement through to deployment, operation, change and decommissioning.
- Leading supplier and third-party cyber assurance activity, including security due diligence, proportionate control requirements, ongoing oversight and management of identified risks.
- Maintaining alignment between cyber governance, risk management, assurance activity and wider organisational resilience arrangements, including business continuity and major incident processes.
- Ensuring effective cyber incident readiness and response arrangements are maintained, tested and aligned to wider operational and organisational response processes.
- Developing and maintaining meaningful cyber metrics, dashboards and reporting for senior leaders and governance forums, translating technical and assurance information into clear business risk and improvement priorities.
- Advising senior leaders on cyber risk, assurance findings, control effectiveness, resilience and governance priorities, ensuring decisions are informed, proportionate and evidence-based.
- Building effective relationships across digital, operational, commercial, legal, assurance and business teams to ensure cyber security is understood as a practical enabler of trusted service delivery.
- Leading, coaching and developing cyber professionals, setting direction, building capability and driving a culture of accountability, collaboration and continual improvement.
- Maintaining awareness of emerging threats, relevant technology developments, regulatory change and good practice across government and the wider cyber security profession, using this knowledge to strengthen the organisations approach.
Who we are
Acas exists to make working life better for everyone in Britain. We are the experts in workplace matters, were impartial, so were not on anyones side. That means were working for everyone to help prevent, manage and resolve workplace issues.
Acas helps employers and employees by providing information, advice, training, conciliation and other services that prevent, manage or resolve workplace problems.
Acas: Britains Workplace Experts
Acas has been recognised for its Diversity and Inclusion in the workplace from the Employers Network for Equality and Inclusion awards; it has been Disability Confident Highly Commended, a Pay Gap award winner, and an Overall winner for public sector organisations. Acas is committed to providing services and developing policies which embrace diversity, promote equality of opportunity and eliminate unlawful discrimination.
Person specification
Essential Experience criteria:
- Strong senior cyber security leadership experience, spanning cyber operations, governance, assurance, risk management, control oversight and operational resilience in a large or complex organisation (Lead criterion).
- Ability to design, implement and continually improve cyber security policies, standards, processes, operating models, governance arrangements and risk management processes aligned to organisational risk, government expectations, NCSC guidance, recognised frameworks, secure-by-design principles and assurance expectations (Lead criterion).
- Experience of leading, overseeing and improving cyber security operations and assurance activity, including incident readiness and response, vulnerability management, access governance, monitoring, control effectiveness, control reviews, audit support, thematic assurance, measurable improvement actions and service improvement.
- Experience of embedding secure-by-design principles into products, services, projects or technology change, leading supplier and third-party cyber assurance, and applying recognised cyber frameworks and good practice to strengthen governance, assurance, resilience and risk-based decision-making.
- Ability to provide clear, practical and risk-based advice to senior stakeholders and governance forums; translate technical, assurance and operational findings into recommendations, prioritised actions, risk papers, dashboards and senior-level reporting; develop meaningful metrics and risk insight; lead, mentor and develop cyber professionals; work across technical and non-technical teams; and understand governance and risk considerations for emerging technologies, including AI-enabled services.
Desirable Criteria:
- Knowledge of Cyber Assessment Framework (CAF), GovAssure and wider government assurance approaches.
- Knowledge of ISO 27001, NIST CSF, Cyber Essentials and Zero Trust principles Awareness of AI governance concepts and frameworks such as ISO 42001 and NIST AI RMF.
- Familiarity with security operations tooling and practices including SIEM, SOAR, EDR/XDR, vulnerability management, cloud security and identity security Experience.