Security Risk Manager

Company Details

Symmetric Encryption Reborn for the Cloud


We have a Purpose: we use transformational quantum encryption technology to keep safe the data of our governments, enterprises and citizens. You can be a part of that purpose. Join a team where every member is valued in our work solving a big problem impacting people and outcomes around the globe. Our business is about trust in data and we start with trust in you.

Arqit has brought together a world-leading team of pioneers, and we now have a new opportunity for a Security Risk Manager. The role may involve working in our London office or in our regional operations centre, and there will be considerable flexibility around working from home.

We believe that inclusivity makes us a stronger, happier team, with better decision-making and greater ability to connect with all customers, and we are committed to maintaining a working environment which is welcoming and supportive.

What you’ll be doing:

This role reports to the Head of Security Compliance and supports the wider Arqit Security Team in implementing the CISO’s security and data privacy vision, model, and principles, primarily across Arqit’s project and corporate operational areas. It ensures that security risks are correctly identified, communicated and managed to an acceptable tolerance level whilst aligning to applicable Business Impact Analyses.

The Security Risk Manager works with the Security Team and various areas within the company to identify, catalogue, and manage risks associated with the company’s day-to-day operations and projects. Dealing with a variety of staff with differing skills and seniority, you will work with these key stakeholders to ensure that risks are fully identified and understood by their respective areas, that risks are assessed, accepted and owned by the appropriate risk owners, and that risk treatment plans are agreed and implemented to bring any residual risk within acceptable tolerances.

The role holder will prepare and present regular updates to senior stakeholders on security risks throughout the business, and will use their experience and professional insight to provide pragmatic, business-appropriate advice and support to risk owners in managing their risks.

Support the CISO and Head of Compliance in the following areas:

  • Provide Information Security management processes and procedures to manage security and privacy risks effectively within Arqit.
  • Produce, update and maintain risk registers at various levels of company operations, and ensure ownership and accountability are correctly allocated within the company structure.
  • Develop engagement plans and processes to maintain contact with all areas of the company, and maintain that contact with regular reviews and updates.
  • Support the Security Team in developing strategies and plans to enforce security requirements and address identified risks.
  • Report concerns about residual risk, vulnerabilities, and other security exposures to line or senior management.
  • Support programme and project development work throughout the development lifecycle by delivering risk, business impact and data privacy impact assessments when required.
  • Contribute to corporate risk register work, ensuring security risks are included in a way commensurate with overall reporting standards.
  • Provide support and analysis during and after a security incident, as necessary, and assist in the resolution of reported security incidents.
  • Participate in security investigations and compliance reviews.

Information Security and Design

  • Create all necessary Information Security risk documentation.
  • Produce and maintain up-to-date risk registers for corporate, project and operational areas.
  • Create information security risk assessments, business impact assessments and Data Privacy Assessments.
  • Provide authoritative advice and guidance on managing risk.

Stakeholder Relationship Management

  • Present a professional image of self and organisation in order to manage, develop and facilitate open, constructive, proactive stakeholder communication.
  • Develop extensive working relationships across the business and with key suppliers and partner organisations.

Audit Activities

  • Identify the audit requirements of existing and planned information systems, evaluating areas of risk to assess the adequacy and effectiveness of the organisation’s approach to risk in the use of its information assets.
  • Communicate complex risk cases to senior managers or executives and recommend changes in processes and control procedures based on audit findings. This includes discussions with providers of other IT assurance services such as penetration testers, ISO 27001 auditors and other technical specialists.
  • Maintain a clear understanding of the requirements for third parties to meet the security obligations flowed down to them from the business’s existing contractual obligations. Complete audit specification and execution against those third parties, including supervision of their management, around obligations which flow down directly onto their subcontractors.

What we’re looking for:

  • Formal certification or membership of a professional body (e.g., IRM, IIA, ACCA), or considerable demonstrable career experience.
  • Understanding of INFOSEC standards, and more than 2 years’ experience applying their principles.
  • ISO 27001 audit and/or implementation experience.
  • Excellent communication skills, both written and verbal.
  • Excellent analytical and problem-solving skills.
  • Ability to prioritise workload and work well under pressure to meet deadlines and manage business expectations.
  • Strong communication, organisational and time management skills.
  • Understanding and experience of business and technical information security concepts including risk management, defence in depth, and accreditation demands.
  • Strong negotiation skills to influence cost and risk-based decisions within either a business or technical audience.
  • Able to work in UK immediately and eligible to obtain UK security clearance.

Preferential competencies/skills

  • Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA) and/or Certified in Risk and Information Systems Control (CRISC) preferred, or demonstrated technical capability at this level (ideally held for more than 3 years).
  • Understand and have applied the principles of INFOSEC Standards within HMG/NIST.
  • Familiarity with Requirements Management and System Architecture Processes, Tools and Methodologies (Ideally JAMA).
  • Have worked with the European Space Agency as part of a previous security or audit/risk-based role.
  • Have a clear understanding of recent or current PCI DSS standards, AoC/RoC and typical compensating controls.
