Senior Information and Cyber Security Officer (4144)

Are you ready to make a real impact in cyber security? Were looking for an experienced Senior Information and Cyber Security Officer to join our Digital Risk and Security branch at Social Security Scotland. In this key role, youll help drive our Security Risk and Assurance programme and strengthen our governance, risk management, and compliance frameworks. Youll work at the heart of our security functionpartnering with the Cyber Security Risk and Assurance Manager and contributing to the ongoing development of our governance, risk, and compliance capabilities across the organisation.

The ideal candidate can:

• Apply deep expertise in governance, risk management, and assurance, using ISO 27001, NIST 800‑53, GDPR and DPA 2018 to strengthen organisational security.
• Identify, analyse, and mitigate cyber risks, giving stakeholders clear, actionable advice that enables well‑informed, auditable decisions.
• Engage and influence stakeholders, lead policy, compliance, and third‑party assurance activities, and drive the maturity of security frameworks and the ISMS.
• Contribute to security projects, build security awareness across the organisation, and support incident response to contain and resolve threats.

The Senior Information and Cyber Security Officer identifies, understands and mitigates cyber-related risks. They provide risk or service owners with advice to help them make well informed risk based decisions.

• Independently undertake risk management activities within a given area of practice or expertise, usually within established security and risk management governance structures.
• Lead the analysis and derivation of business-supporting security needs, undertake Cyber Security related risk assessments, conduct tailored threat assessment and other risk management activities, and ensure activities are consistent with applicable regulations and legislation.
• Provide tailored advice to a range of stakeholders on how to remedy identified risks by proportionately applying security capabilities, using published guidance, standards, and drawing on a range of experts as well as personal expertise.
• Provide expert security advice that highlights Cyber Security related risks, so risk or service owners can make well-informed and auditable decisions.

GDD Pay Supplement

This post is part of the Government Digital and Data (GDD) profession and currently attracts a 4,000 annual GDD pay supplement, which is paid monthly - pay supplements are reviewed regularly.

Responsibilities

Security Leadership & Governance

• Serve as a key point of contact for security advice and guidance.
• Lead security governance groups to promote and maintain strong security practices.
• Help maintain the organisations desired cyber security posture in line with its risk appetite.
• Provide leadership and guidance to a small team of security professionals to ensure high‑quality service delivery.

Risk Management & Compliance

• Identify, assess, and manage cyber threats and risks to protect organisational assets.
• Conduct compliance audits to ensure adherence to internal and external security requirements.
• Perform internal and external security assessments to evaluate controls and drive continuous improvement.
• Support teams in identifying vulnerabilities, conducting risk and impact assessments, and implementing protective actions.

Policies, Standards & ISMS

• Develop and maintain information security policies, procedures, standards, and guidelines.
• Provide guidance to support the effective adoption of security policies and standards.
• Support and enhance the organisations Information Security Management System (ISMS).

Third‑Party & Supplier Assurance

• Work with third parties to obtain independent assurance on the effectiveness of security controls.
• Oversee third‑party security by assessing supplier controls and ensuring compliance with organisational requirements.

Security Projects & Consultancy

• Lead the design, procurement, and implementation of security projects to strengthen the organisations security posture.
• Deliver specialist security consultancy to support successful project outcomes.

Awareness & Incident Response

• Contribute to the development and delivery of a security awareness programme that strengthens the organisations security culture.
• Support incident response activities to contain, investigate, and resolve security incidents.

Success Profiles 

We use an assessment framework called Success Profiles which lists the elements we test and provides detailed descriptions of each. Find out more about the framework here.

For this post, the following Success Profile elements will be assessed:

Experience:

1. In-depth knowledge of information security standards like ISO/IEC 27001 and NIST SP 800-53, combined with understanding of current legislation such as DPA 2018 and GDPR. Proven ability to interpret and apply these standards and legal requirements to ensure compliance and integrate best practices into organisational operations.
2. Comprehensive understanding of internal and external information security risks, and proficiency in identifying, assessing, and implementing administrative, physical, and technical controls to mitigate these risks effectively.

Behaviours:

• Leadership Level 3
• Delivering at Pace Level 3

You can find out more about Success Profiles Behaviours here.

Technical / Professional Skills: 

This role is aligned to Lead Cyber Security Risk Manager within the Digital, Data and Technology Profession.

These skills will be tested during the Technical Assessment if you are successful at sift stage. They will be not be assessed at application stage. Please review the following to understand the skill expectations