We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - Advice and guidance

Cyber security: advisory

Published
9 September 2021
Directorate
Digital Directorate
Part of
Business, industry and innovation, Economy

Find out about the DDaT job roles that comprise the cyber security advisory family practice.

This document is part of a collection

Head of Cyber Security

Role summary

The Head of Cyber Security is responsible for the Operations Cyber Security specialism. They provide strategic direction, anticipate challenges, drive performance and build the capability required to ensure the security of new and existing services.

Typical role level expectations

  • Be the primary point of contact on Cyber Security issues with key stakeholders, including external parties, and actively develop strong working relationships in relation to Cyber Security
  • Ensure that the Cyber Security policies and security controls remain appropriate and proportionate to the assessed risks, and are responsive and adaptable to the changing threat environment, business requirements and central government policies
  • Champion learning, development and accreditation, cultivate talent and foster an inclusive, diverse and motivated workforce
  • Work with the heads of specialisms to promote cross-government security mindedness
  • Influence, change and impact decisions with both internal and external stakeholders
  • Promote the Profession and advise on Cyber Security risks
  • Work with industry, including security manufacturers and security consultants, to drive best practice
  • Drive professional development by working with the Government Security Function to set and drive continuous learning standards

Entry route

Internal: Suitable for an individual from the Government Security Profession, Digital Data and Technology Profession or other relevant profession (e.g.  Science and Engineering Profession)

External: Suitable for an individual from a senior cyber security management position in the private sector

Skills required to be a head of cyber security

  • Applied security capability. Applied security capability is formed of a set of complementary security skills. Individual roles may have a requirement for a different profile across these skills. Applied security capability involves 4 elements:
  1. Security requirement elicitation: gathering and deriving meaningful security requirements to support an identified need
  2. Application of security capabilities: apply standardised or unique security capabilities to address security needs
  3. Provision or assurance and confidence: provide confidence that business priorities are appropriately protected
  4. Security and risk reporting: communicate security and risk effectively
  • Protective security. Protective security encompasses the combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to help identify and respond to any attack. Security requirements will change accordingly with the locally identified threats and vulnerabilities.
  • Threat understanding. Threat understanding encompasses evidence-based knowledge, including context, about an existing or emerging threat to assets that can be used to inform decisions.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.

Skills needed for this role

  • Applied security capability (Relevant skill level: expert). At this level you:
    • Provide direction and lead on change with regards to factors that feed into analysis.
    • Monitor changes in the technical environment and assesses whether risks are still at acceptable levels or whether previous decisions need to be revisited.
    • Direct and influence others on best practice and policy.
  • Protective security (Relevant skill level: working). At this level you:
    • Apply concepts of protective security within the context of the other specialisms/enablers, and keeps knowledge up to date
    • Champion protective security within the wider security function, providing advice to others
  • Threat understanding (Relevant skill level: awareness). At this level you:
    • Describe specific threats and how they may manifest themselves in a local environment
    • Maintain understanding of local threat environment and can apply to inform and provide context for wider activities
    • Use local threat information in decision-making and planning
    • Demonstrate knowledge of current threats and trends affecting the landscape
  • Information risk assessment and risk management (Relevant skill level: awareness). At this level you:
    • Demonstrate knowledge of risk assessment and risk management theory and approaches
    • Understand how risk management supports business or organisational objectives
    • Understand and can follow routine organisational governance processes for security and risk management

Contact

ddat@gov.scot

Back to top