Publication - Advice and guidance

Cyber security: advisory

Find out about the DDaT job roles that comprise the cyber security advisory family practice.


Chief Information Security Officer

Role summary

The Chief Information Security Officer provides leadership and direction on information and cyber security. The Chief Information Security Officer is responsible for the Cyber Security specialism. They provide strategic direction, anticipate challenges, drive performance and build the capability required to ensure the security of new and existing services.

Typical role level expectations

  • Be the primary point of contact on Information Security issues with key stakeholders, including external parties, and actively develop strong working relationships in relation to Information Security
  • Ensure that government assets are resilient to cyber-attack
  • Develop consistent and straightforward approaches to managing security risk that support the adoption of new technology
  • Champion learning, development and accreditation, cultivate talent and foster an inclusive, diverse and motivated workforce
  • Develop a culture of cyber and information assurance awareness that helps to reduce the likelihood of a successful cyber-attack
  • Influence, change and impact decisions with both internal and external stakeholders
  • Promote the Digital, Data and Technology Profession and advise on Information Security risks
  • Work with industry, including security manufacturers and security consultants, to drive best practice

Entry route

Internal: Suitable for an individual from the Digital, Data and Technology Profession, Government Security Profession, or other relevant profession (e.g. Science and Engineering Profession)

External: Suitable for an individual who has worked in the private sector in both a managerial and a technical capacity, especially from the information technology sector.

Skills required to be a chief information security officer

  • Secure design. Secure design is the ability to apply Cyber Security functions or designs to reduce service exploitation opportunities, from high-level architecture down to low-level implementation. Secure design includes designing countermeasures and mitigations against potential exploitation of service weaknesses for applications, systems, hardware and/or services.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.
  • Threat intelligence and threat assessment. Threat intelligence and threat assessment encompasses evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging concern or risk that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making processes. Principles of the skill include:
    • assessing and validating information from several sources on current and potential cyber and information security threats to the business, analysing trends and highlighting information security issues relevant to the organisation, including security analytics for big data
    • processing, collating and exploiting data, taking into account relevance and reliability, to develop and maintain ‘situational awareness’
    • analysing the significance and implication of processed intelligence to identify significant trends, potential threat agents and their capabilities
    • predicting and prioritising threats to an organisation and their methods of attack
    • using human factor analysis in the assessment of threats
    • using threat intelligence to develop attack trees
    • preparing and disseminating intelligence reports, providing threat indicators and warnings
  • Specific security technology and understanding. Knowledge of system architectures. Able to understand the risk impact of vulnerabilities on existing and future designs and systems, and identify how easy or difficult it will be to exploit these vulnerabilities.
  • Understanding security implications of transformation. Able to work with business and technology stakeholders to understand the security implications of business change. Can interpret and apply an understanding of policy and process, business architecture and legal and political implications to assist in the development of technical solutions or controls.

Skills needed for this role

  • Secure design (Relevant skill level: expert). At this level you:
    • Champion secure design principles, frameworks and standards for a digital service or programme.
    • Sponsor and direct the design of detailed low-level workflows and diagrams that describe the input, output and logical operation of a digital service.
    • Design and develop the processes of a digital service through its full life cycle.
    • Lead the translation of security requirements into application design elements, including documenting specific security criteria.
    • Design advanced audit points into digital services.
  • Information risk assessment and risk management (Relevant skill level: expert). At this level you:
    • Enable the organisation to deliver balanced and cost-effective risk management decisions on situations with complex scope or significant risk. Ensure that risk is embedded into corporate governance processes.
    • Integrate risk management processes into appropriate business activities such as system development, security architecture or procurement.
    • Develop approaches to effectively report risk (including through system life cycles) to the management who are responsible for risk to a given system or capability. This includes the ability to interpret management risk direction for others (such as developers or other security professionals).
    • Deliver comprehensive risk assessments for complicated or novel scenarios, using methodologies appropriate to the situation. Understand in detail how the risk assessment output dovetails into the risk management process.
    • Determine and understand the security characteristics of complicated or novel systems.
  • Threat intelligence and threat assessment (Relevant skill level: expert). At this level you:
    • Demonstrate a highly advanced understanding of threat principles and concepts. Identify sources of threat information, and select and, where required, develop techniques to acquire, validate and analyse threat information from multiple sources.
    • Synthesise and place complex intelligence in context, understanding its relevance to organisational strategy.
    • Apply, and direct others in applying, expertise and insight to enrich threat information, including understanding the behaviour, capabilities and activities of threat actors and assessing possible implications. Are responsible for disseminating enriched threat intelligence.
    • Direct and are responsible for the application of threat intelligence to model threats, including sophisticated and complex threats, to protect organisational assets and goals. This includes informing the selection of security controls, developing indicators of compromise, detecting illicit behaviour (including evidence of fraud and crime), and providing context for undertaking investigations and responding to events.
    • Lead and oversee the threat intelligence function and activities for an organisation.
    • Are responsible for strategy, policy, procedures, guidelines and the selection of relevant tools and techniques within the organisation.
    • Advise and influence senior management when required, and influence developments in the field at a national level.
  • Specific security technology and understanding (Relevant skill level: expert). At this level you:
    • Have strong knowledge of system architectures.
    • Are able to understand and articulate the impact of vulnerabilities on existing and future designs and systems, and how easy or difficult it will be to exploit these vulnerabilities.
    • Are acknowledged as an expert by peers in the broader security industry.
  • Understanding security implications of transformation (Relevant skill level: expert). At this level you:
    • Are able to challenge and lead changes to policy and processes to support business outcomes, taking into account business architecture and legal and political implications.

Contact

ddat@gov.scot