Our central government client is currently looking for a cyber security consultant to join them on a 6 month initial contract based in London and paying £750pd inside IR35.
Work within or alongside D&T’s most complex and riskiest product and project teams, providing detailed cyber security advice and guidance to the teams. Use knowledge from Cyber Risk Advisors to identify relevant threats to systems.
Propose and develop security mitigations to address identified threats. Work with delivery teams to ensure mitigations are implemented at an appropriate point in the delivery lifecycle. Advise on risks that emerge as a result of incomplete or ineffective delivery.
Assess the alignment of cyber security for products and projects with business and statutory legislation, and with government requirements. Assist teams in the preparation of security governance materials, such as Data Protection Impact Assessments, and support governance processes such as Service Assessments from a security perspective.
Support incident investigation, remediation and root cause evaluation for systems about which you are knowledgeable.
Ensure that new and updated platforms, products and transactions are built and operated securely.
Ensure that the project teams you are supporting are well aware of their cyber security responsibilities and practices, through vehicles such as coaching, briefings at team meetings, and training events.
Assist with building a culture of continuous delivery and improvement, ensuring that key systems are regularly risk assessed, maintained and improved.
Skills and Experience
Designing secure systems, including design and review of system architectures through the application of patterns and security thinking to reduce cyber security problems.
Threat modelling and assessment, including performing structured evaluation of proposed or implemented complex systems to identify likely cyber security problems. Be able to provide examples of proposing realistic and pragmatic mitigations that address these problems, and of working with a product / project team to implement the mitigations effectively in their work.
Enabling and informing risk-based evaluation, with evidence of working with risk advisors to advise and give feedback, in particular on risk impact.
Participating in research and innovation, evidenced by advising on developments regarding security properties in technology, and by the ability to identify new technologies and design their use in the business context.
Specific areas of technology and security understanding, in particular knowledge of system architectures. Evidenced by an ability to understand and articulate the impact of vulnerabilities on existing and future designs and complex systems, and to articulate an appropriate response. A strong candidate would be likely to have broad knowledge of a range of systems while specialising in one.
In particular, a strong candidate will have:
Experience of Cloud services and technologies, assuring and working with product teams as they deploy and transition digital solutions into public cloud environments. This would include designing systems to reflect and comply with NCSC Cloud Security guidance, and ISO27001.
Carried out reviews of system and application architectures, for example using workshops and discussions with development teams, resulting in a measurable reduction in cyber security problems.
The ability to carry out risk assessments and risk management from a PACE (Pragmatic/Proportionate, Appropriate and Cost-Effective) perspective, in line with HMG policy and guidance.
A thorough understanding of HMG policies and guidance, especially regarding the requirements and controls of the Government Security Classification Policy, mainly at OFFICIAL.
Worked with agile teams, delivering working software incrementally.
Secured web applications and cloud infrastructure environments (AWS/Azure) against vulnerabilities, and applied common and innovative remediation techniques.
Secured AWS components, in particular IAM, S3 and EC2.
Knowledge of security monitoring, prevention and control systems including but not limited to firewalls, IDS/IPS, web proxies, antivirus and log