Principal Security Architect


Role Profile

Role details
Role Title: Principal Security Architect
Level: Level 3
Directorate: DDSS
Location: London / Glasgow / Cardiff
Number of positions & contract types: 1 Contractor (T&M) Inside IR35
Approach: External
Security Clearance: SC
Ofgem works on behalf of energy consumers to ensure that every household and business in the UK can rely on a safe, affordable and environmentally sustainable energy supply. We are playing a vital part in accelerating the transition to Net Zero and a carbon‑neutral energy system – a goal that everyone wants to achieve. Whatever your role, you will be playing your part in creating new energy solutions that are great for customers and great for the environment. Ofgem has a culture of inclusion that encourages, supports and celebrates the diverse voices and experiences of our colleagues. It fuels our innovation and helps ensure we can best represent the consumers and the communities we serve. Everyone is welcome – as an inclusive workplace, our employees are comfortable bringing their authentic selves to work.

This role aligns with the Cyber Security role in the Government Security Profession Capability Framework.

Purpose
A Security Architect advises and enables technical teams to make security decisions. They provide advice and guidance to ensure common tools and patterns are used effectively to deliver secure systems and implement proportionate controls to enable business outcomes. The role of the Corporate Systems Refresh (CSR) Security Architect is to ensure that the information systems that the CSR Programme develops and deploys are designed and developed in compliance with the required security standards and best practice.

Key Responsibilities
Lead the Security Assurance and Compliance of the CSR Programme, setting a strategy that can be used in the long term and across the services that are impacted by the delivery of this programme.
Develop vision, principles and strategy for the CSR Programme and the technologies that it impacts.
Recommend security design for the CSR Programme or technologies it impacts, up to an organisational or inter‑organisational level, solving unprecedented issues and problems.
Influence key CSR Programme architectural decisions, and interact with senior stakeholders across organisations to reach and influence a wide range of people across larger teams and communities.
Lead and assure processes, and provide SME thought leadership on tooling and on dynamic and static analysis during the CSR Programme life cycle.
Lead the Security Architecture assurance that is aligned with the Cyber Assessment Framework (CAF) and NCSC guidance.
Skills

Security Architecture Level: Expert
Designs and reviews system architectures for a broad range of complex or uncommon requirements to identify security weaknesses and recommend mitigations. Designs (or significantly influences) the technical design of a system to enforce security properties that have been derived from first principles to meet a complex or uncommon set of requirements. Follows a methodical and repeatable approach to reviewing the security of a system architecture, and can describe that approach. Advises on security architecture implications of technological trends when applied to existing systems, such as migration to the cloud. Can explain how those technologies change the security approach required. Contributes to new and innovative security architecture guidance for others to re‑use. May have one or more technology specialisms where they are regarded as an expert in how their specialism supports security architecture design (e.g. telecoms, Cloud, micro‑service architectures, identity).
Applied Security Capability Level: Expert
Considers complicated, non‑obvious security needs, e.g. where the connections between the business need, the technology that supports that need and how it might be impacted are important to work out. Works closely with those who own business needs, deduces their tolerances with regard to the things they care about and turns those into meaningful security statements that can be applied. These might be either complicated and specific, or simple scenarios with broad applicability. Delivers security advice that is contextualised and appropriate for the strategic customer need. Avoids providing ‘point’ solutions or advice that does not address the overall key need. Looks at the wider ‘system’ including sociotechnical considerations (e.g. the role the user plays in meeting the desired security outcomes). Provides security advice that extends beyond the particular technologies with which the candidate is familiar, and draws upon and directs appropriate expertise to solve the bigger security problem. Ensures the overall technical coherence and quality of advice. Together with assurance experts, develops and applies novel approaches to assurance of CSR Programme products/systems/services. Understands and applies different approaches to product, implementation and operational assurance. Uses each appropriately to derive a genuine understanding of confidence that the overall business objective is protected. Provides technical leadership for specific experts (be they pen‑testers, product or behavioural assurance, for example) in the context of a specific technical assurance or confidence challenge. Effectively communicates difficult risk and security concepts in accessible ways that can be clearly understood by business leaders. Contributes to and develops risk communication strategies.
Information Risk Assessment and Risk Management Level: Working
Leads programme stakeholders in carrying out risk assessments and developing mitigation strategies for relatively common and well‑understood scenarios. Understands, and can apply, the fundamental principles of risk assessment, risk management processes and decision‑making.
Threat Understanding Level: Working
Interprets sources of threat information for the local environment and applies knowledge of the external environment. Maintains understanding of local and strategic threat environments, and trends affecting the landscape, and can apply to inform and provide context. Uses local and strategic threat information in decision‑making and planning. Communicates tailored threat information to relevant local stakeholders within the organisation.
Key Outputs and Deliverables
Act as the owner of the CSR Programme Security Architecture.
Advise and support the Data, Enterprise and Integration Architects on the security aspects of designs and end solutions.
Assure the security aspects of plans, designs and delivery solutions provided by 3rd Party Suppliers.
Chair the CSR Programme Work Group and represent the CSR Programme on the Digital, Data and Security Services (DDSS) Security Working Group (SWG).
Support and advise the CSR Programme on all security aspects throughout the life cycle of the programme.
Develop and maintain the security aspects of the Programme Delivery Schedule.
Maintain the CSR Programme risk register, assessing the security, privacy and resilience risks likely to affect delivery of business operations, the forward work plan and corporate functions.
Manage all mitigating actions to reduce residual risk to acceptable levels, consistent with Ofgem’s risk appetite for security, privacy and resilience.
Manage changes in the CSR Programme in conjunction with colleagues; develop a control improvement strategy, programme and activities, which are then managed through to conclusion with security assurance oversight.
Report regularly on key performance indicators and at governance meetings.
Key Stakeholder Relationships

Internal
Directors, Associate Directors and all colleagues within the CSR Programme and the wider Ofgem business teams and 3rd parties working for Ofgem’s business teams and corporate functions to manage the delivery of the CSR Programme to the required quality, cost and timescales, including the provision of HR, IT and physical security operations.
External
Security, privacy and resilience professionals across Central Government. SIAs and LEAs as appropriate, particularly those involved in helping to deliver the CSR Programme through NCSC and Cabinet Office programmes.
Role Criteria

Essential
Chartered via the UK CSC, or CISSP, or equivalent (lead criteria).
Deep technical understanding of IT infrastructure / software development and the management of these components.
Experience of engaging, advising and influencing at all levels of an organisation whilst projecting credibility and self‑assurance – specifically relating to intelligence analysis and risk management.
Experience of developing and implementing a pragmatic approach to assessing the security, privacy and resilience risks affecting sensitive assets, including engaging stakeholders to create a shared understanding of the risks.
Experience of managing the implementation of strategic plans, tracking progress on risk reduction and benefits delivery, and managing changes to plans in line with identified delivery risks and issues.
Experience of negotiating and managing 3rd party contracts and acting as an intelligent customer, ensuring that security, privacy and resilience are negotiated into the agreed contract terms and conditions.
Desirable
Experience of defining and gaining approval for a viable, agile and pragmatic security, privacy and resilience strategy capable of responding to and anticipating changes to the assessed threats, risks and business environment.
Experience in analysing incidents across a complex environment.
Experience of developing a business case for change that identifies the business benefits of a defined security, privacy and resilience strategy.
Behaviours
Communicating and Influencing
Leadership
Making Effective Decisions
Location: Greater London
Job Type: Full Time