Senior Cyber Security Risk Manager - Information Security

About Our Client The Medicines and Healthcare products Regulatory Agency enhances and improves the health of millions of people every day through the effective regulation of medicines and medical devices, underpinned by science and research.

The Digital and Technology Group (DTG) lies at the heart of the Agency and is responsible for delivering an optimised IT infrastructure and maximising the secure use of data to enable our scientists, inspectors, and the rest of the organisation to deliver world class services which can improve outcomes for patients and the public. The Group was essential in the race to approve COVID 19 vaccines in 2020 and in supporting the UK to set up its own medicines and devices approvals systems following our exit from the EU. The work we do matters!

Its centre of excellence is also responsible for delivering a broad portfolio of change initiatives, both to transform the Agency's legacy technologies and to deliver innovative new solutions, designed around our customers' needs. DTG works in a holistic way to combine digital and technology change, data and information management, project delivery, business process, product management and cultural change to maximise its impact and ensure sustainability.

We plan to be at the heart of one of the most digitally advanced medical regulators in the world and we need people who can help us deliver that ambition. DTG is a great place to build your career and we are committed to enabling our people to do the best work of their lives.

The Technology & Service Operations function is responsible for managing the existing IT infrastructure including both software and hardware, databases, and other technology platforms; leading the support and maintenance of applications; development and testing of new applications and platforms; and cyber and information security for the Agency.

Job Description This is an exciting role where you will drive the agency's information security agenda.

As a skilled and experienced Information Security Manager, you will play a central role in delivering the Agency's strategic objectives by embedding robust governance, risk, and compliance practices. You will lead and develop a high performing team, building capability and maturity to ensure that information security remains integral to our digital, data, and information transformation.

You will work closely with the Head of Information and Cyber Security, the Senior Information Risk Owner (SIRO), Board members, and delivery teams to continuously improve the management of information risk. You will also represent the Agency in engagements with external stakeholders, including other government health bodies and IT and security delivery partners.

In this role, you will collaborate with the Cyber Defence Team and the Data Protection Team to make informed, risk based decisions on both strategic and operational matters. You will be expected to quickly understand the Agency's culture and processes, enabling you to influence and embed a strong, pragmatic security and privacy culture across the organisation.

Governance & Leadership

• Lead the development and implementation of the Agency's information security governance framework, ensuring alignment with strategic objectives and regulatory expectations.
• Maintain and enforce security policies, standards, and guidelines that support consistent risk based decision making.
• Promote a culture of accountability and security awareness across the Agency.

Risk Management & Assurance

• Own and operate the information security risk management process, ensuring risks are identified, assessed, and treated proportionately.
• Ensure security controls are selected and maintained based on business context and threat landscape, using recognised frameworks (e.g. ISO 27001, NCSC CAF).
• Provide assurance to senior stakeholders through regular reporting and engagement with governance forums.
• Understand and implement Secure by Design.

Identity & Access Oversight

• Govern identity lifecycle processes (e.g. joiners, movers, leavers) and ensure access rights are appropriate, risk based, and regularly reviewed.
• Oversee privileged access governance and support enforcement of least privilege principles.

Assurance & Control Effectiveness

• Lead or support internal and third party assurance activities, including audits and compliance reviews.
• Validate the effectiveness of controls and ensure findings are communicated and addressed.

Horizon & Threat Awareness

• Monitor emerging threats, vulnerabilities, and regulatory changes to inform the Agency's risk posture and control strategy.
• Ensure lessons learned from incidents, audits, and assessments are captured and used to improve controls, processes, and response capabilities.
• Provide input into security impact assessments and business impact assessments to ensure critical assets and processes are appropriately protected.

Stakeholder Engagement & Process Improvement

• Act as a trusted advisor to business and technical stakeholders, translating risk into actionable insights.
• Continuously improve GRC processes to support operational effectiveness and informed decision making.

If you would like to find out more about this fantastic opportunity, please click here for further details.

The Successful Applicant Our successful candidates will have:

• Certification and Professional Alignment - Holds a recognised professional security certification (e.g. CISM, CISSP, CRISC) and at least four years' experience in an information security or GRC role.
• Demonstrates a strong understanding of security frameworks and standards, governance, risk management, and compliance practices, and a commitment to continuous professional development.
• Technical Infrastructure - Ability to critically assess and challenge technical or infrastructure work from a risk perspective, with a solid understanding of key domains such as Cloud, Network and Applications, focusing on those most relevant to enterprise risk management.
• Making the Process Work - Demonstrates a track record of designing, implementing, and improving security governance and risk processes that are both effective and pragmatic. Ensures that security controls and procedures support business operations without introducing unnecessary complexity or friction.

Successful candidates must pass a disclosure and barring security check as well as animal rights and pro life activism checks. People working with government assets must complete basic personnel security standard checks.

Certain roles within the MHRA will require post holders to have vaccinations, and in some circumstances, routine health surveillance, including laboratory based roles working directly with known pathogens, maintenance roles, or roles that involve visiting other establishments where vaccination is required.

Applicants who are successful at interview will be part of pre employment screening subject to a check on the Internal Fraud Database (IFD). Any applicant's details held on the IFD will result in refusal of employment. A candidate is not eligible to apply for a role within the Civil Service if the application is made within a 5 year period following a dismissal for carrying out internal fraud against government.

Any move to the MHRA from another employer will mean you can no longer access childcare vouchers. This includes moves between government departments. You may however be eligible for other government schemes, including Tax Free Childcare. Determine your eligibility here.

Successful candidates may be subject to annual Occupational Health reviews dependent on role requirements.

In accordance with the Civil Service Commissioners' Recruitment Principles, the recruitment and selection processes are underpinned by the requirement of selection for appointment on the basis of merit by a fair and open competition. If you feel your application has not been treated in accordance with the Recruitment Principles and you wish to make a complaint, you should firstly contact Florentina Oyelami, Head of Talent Acquisition. If you are not satisfied with the response you receive, you can contact the Civil Service Commission at civilservicecommission.independent.gov.uk.

What's on Offer Our successful candidate will benefit from:

• Salary of £57,028
• Hybrid working
• Access to Alpha pension scheme, which all new starters are enrolled into automatically, is 28.97%

A Digital Allowance of up to £21,948 per annum may be available for exceptional candidates based on our assessment of your skills and experience. This allowance is non pensionable and may change on an annual basis:

• Developing - £5,888
• Proficient - £13,918
• Accomplished - £21,948

The Selection Process

• Application, which will include a CV, which should demonstrate how you meet the Experience and Technical Success Profile criteria.
• Presentation, to be prepared as part of your interview, with further information being supplied when you reach this stage.
• Interview, which can include questions based on the Behaviour, Experience, Technical and Strengths Success Profiles.

Closing Information Closing date: 10am, 19th November

Shortlisting date: 24th November

Interview date: 4th & 5th December

Candidates will be contacted within a week of the sift and the interviews completed to inform them of the outcome.
. click apply for full job details