Information Assurance and Security: Security and information risk

Find out about the job roles that comprise the Information Assurance and Security – Security and information risk job family practice.

Head of security and information risk

Role summary

The Head of Security and Information Risk is responsible for the security and information risk specialism. They provide strategic direction, anticipate challenges, drive performance and build the capability required.

Typical role level expectations

  • Be the primary point of contact on security and information risk issues with key stakeholders, including external parties, and actively develop strong working relationships in relation to information risk and assurance
  • Ensure that the security and information risk policies and controls remain appropriate and proportionate to the assessed risks, and are responsive and adaptable to the changing threat environment, business requirements and government policies
  • Champion learning, development and accreditation, cultivate talent and foster an inclusive, diverse and motivated workforce
  • Work with the heads of specialisms to promote cross-government security and information risk mindedness
  • Influence, change and impact decisions with both internal and external stakeholders
  • Work with industry to drive best practice
  • Drive professional development by working with the Digital, Data and Technology Profession to set and drive continuous learning standards

Entry route

Internal: Suitable for an individual from the Digital, Data and Technology Profession or Government Security Profession

External: Suitable for an individual who has worked in the private sector in both a managerial and a technical capacity, especially from the information technology and governance sector

Skills required to be a head of security and information risk

  • Analysis. Able to visualise, articulate and solve complex problems and concepts by interrogating and using data or intelligence to formulate and influence plans. Able to interpret complex business and technical issues. Can identify and recognise a viable solution or control. Understands and links complex and diverse sets of information to inform the response and approach, for example identifying vulnerabilities and their impact.
  • Communicating between the technical and non-technical. Is able to communicate effectively across organisational, technical and political boundaries, understanding the context. Makes complex and technical information and language simple and accessible for non-technical audiences. Is able to advocate and communicate what a team does to create trust and authenticity, and can respond to challenge.
  • Design secure systems. Able to design secure system architectures through the application of patterns and principles, to meet user needs whilst managing risks. Able to identify security issues in system architectures.
  • Enabling and informing risk-based decisions. Capable of making and guiding effective decisions on risk, explaining clearly how the decision has been reached. Able to make decisions proportionate to the level of technical complexity and risk.
  • Research and innovation. Understands and can apply a range of user research methods correctly. Able to choose appropriate methods for different life cycle phases and situations.
  • Specific security technology and understanding. Knowledge of system architectures. Able to understand the risk impact of vulnerabilities on existing and future designs and systems, and identify how easy or difficult it will be to exploit these vulnerabilities.
  • Understanding security implications of transformation. Able to work with business and technology stakeholders to understand the security implications of business change. Can interpret and apply an understanding of policy and process, business architecture and legal and political implications to assist in the development of technical solutions or controls.

Skills needed for this role

  • Analysis (Relevant skill level: expert). At this level you:
    • Provide direction and lead on change with regard to the factors that feed into analysis.
    • Monitor changes in the technical environment and assess whether risks are still at acceptable levels or whether previous decisions need to be revisited.
    • Direct and influence others on best practice and policy.
  • Communicating between the technical and non-technical (Relevant skill level: expert). At this level you:
    • Are able to mediate and mend relationships, communicating with stakeholders at all levels.
    • Are able to manage stakeholders’ expectations and facilitate discussions across high risk or complex topics, or under constrained timescales.
    • Are able to speak and represent the community to large audiences inside and outside of government.
  • Design secure systems (Relevant skill level: expert). At this level you:
    • Lead design and review solutions to complex problems with system architectures by defining and challenging patterns and principles.
    • Create precedents and set direction.
  • Enabling and informing risk-based decisions (Relevant skill level: expert). At this level you:
    • Act as a point of escalation.
    • Are trusted by senior risk owners as an expert in security.
    • Are able to apply risk methodologies at the most complex levels of risk.
  • Research and innovation (Relevant skill level: expert). At this level you:
    • Are able to lead organisational contributions to and inform developments on security properties in technology.
    • Are able to lead identification of new technologies and design the use of these in the business context across the organisation.
    • Engage with the UK and wider security community.
  • Specific security technology and understanding (Relevant skill level: expert). At this level you:
    • Have strong knowledge of system architectures.
    • Are able to understand and articulate the impact of vulnerabilities on existing and future designs and systems, and how easy or difficult it will be to exploit these vulnerabilities.
    • Are acknowledged as an expert by peers in the broader security industry.
  • Understanding security implications of transformation (Relevant skill level: expert). At this level you:
    • Are able to challenge and lead changes to policy and processes to support business outcomes, business architecture and legal and political implications.

Contact

ddat@gov.scot