The Head of Digital Security will be responsible for the operational implementation of the Trust’s Cyber Security strategy, ensuring the organisation's digital assets and data are protected against evolving cyber threats. Reporting to the Chief Digital Officer, the post holder will work closely with internal and external stakeholders to safeguard the Trust’s infrastructure, digital and data assets and ensure compliance with industry standards and regulatory requirements.
• Incident Management
• Stakeholder Collaboration
• Governance, Risk, and Compliance (GRC)
• Industry Standards & Compliance
• Risk Management & Mitigation
• Security Awareness & Culture
• Representation & Advocacy
• Third-Party & Vendor Management
• Team Leadership & Development
Refer to Job description for more details.
The Royal Free London NHS Foundation Trust is one of the UK’s biggest and most innovative trusts. Across three main hospitals, our dedicated army of staff care for over 1.6 million patients, treat more than 200,000 in A&E, deliver over 8,000 babies and carry out more than 17 million tests.
Our size, scale and influence offer you unrivalled career opportunities and a forward-thinking approach to working that works around your lifestyle. From flexible hours and generous benefits, to next level training, we make it easier to take your career to the top.
Incident Management:
• Lead the Trust’s response to cyber incidents and service outages, ensuring rapid recovery and minimising disruption. Develop and maintain incident response plans, conduct post-incident reviews, and implement improvements based on lessons learned.
• Examples: Orchestrating the response to a ransomware attack by activating the incident response team, isolating affected systems, and working with external experts to recover data. Post-incident, reviewing logs and collaborating with all stakeholders to improve resilience and prevent future occurrences.
Stakeholder Collaboration:
• Work closely with Digital Services teams such as network, server, endpoint management, patient information systems, technical operations, and information governance to ensure that security best practices are embedded throughout the organisation.
• Examples: Collaborating with the network team to ensure network segmentation and firewalls are properly configured to mitigate risks; working with patient system managers to secure medical devices and ensure they comply with cyber security standards, such as applying encryption and access controls for sensitive health records.
Governance, Risk, and Compliance (GRC):
• Lead the implementation of GRC frameworks, ensuring robust administrative and technical controls are in place. Conduct regular internal and external audits to verify that data confidentiality, integrity, and availability (CIA) principles are being upheld. Maintain compliance with the Cyber Assurance Framework (CAF) and other industry compliance standards such as ISO27001, NIS2 and NCSC Cyber Essentials.
• Responsible for the production and distribution of Monthly Information Security Reporting.
• Examples: Managing the lifecycle of security policies and standards across the Trust, conducting quarterly GRC reviews, and implementing automated tools to monitor compliance. Regularly auditing access control policies and ensuring that only authorised personnel can access sensitive health information.
• Examples: Production of monthly IGG Security KPI Metrics.
Industry Standards & Compliance:
• Ensure compliance with key cyber security frameworks, such as the Cyber Assurance Framework (CAF), ISO27001, NIS2, and NCSC Cyber Essentials. Proactively identify and address gaps in compliance through process improvement and remediation plans.
• Examples: Leading initiatives to prepare for and pass ISO27001 certification audits by ensuring that all documented procedures, access controls, and security protocols are in line with certification requirements. Working with the compliance team to regularly update risk assessments and ensure adherence to NCSC’s Cyber Essentials framework, particularly for critical infrastructure and patient data systems.
Risk Management & Mitigation:
• Stay up to date with the latest cyber threats, vulnerabilities, and attack vectors. Develop and implement mitigation strategies such as timely patch management, system updates, and enhanced monitoring to ensure proactive defence mechanisms are in place.
• Examples: Monitoring threat intelligence feeds and deploying real-time threat monitoring tools like SIEM (Security Information and Event Management) solutions. Leading efforts to implement a vulnerability management program, prioritising patching schedules for critical systems, and coordinating with technical teams to ensure prompt remediation of vulnerabilities.
Security Awareness & Culture:
• Foster a culture of cyber security awareness within the Trust. Design and deliver engaging training programs for staff at all levels, tailored to their specific roles and responsibilities. Promote best practices for handling sensitive data and minimising cyber risks.
• Examples: Rolling out mandatory security awareness training for all employees, including phishing simulation campaigns. Organising specialised workshops for clinical staff on safeguarding patient information, and creating resources such as posters, videos, and intranet content to highlight the importance of secure passwords and data handling.
Representation & Advocacy:
• Represent the Trust in regional and national cyber security forums and industry events, working closely with London and national partners to implement the NHS’s cyber security objectives, including the five pillars of NHS cyber security.
• Examples: Participating in NHS Digital’s national cyber security forums, contributing to discussions on healthcare-specific cyber threats and sharing best practices with other Trusts. Leading collaborative initiatives with regional partners to improve the NHS’s overall cyber security posture, such as implementing shared threat intelligence systems or joint training sessions.
Third-Party & Vendor Management:
• Manage relationships with third-party vendors and external organisations, ensuring that they adhere to the Trust’s security policies. Review security controls for external systems and vendors that interact with the Trust’s IT infrastructure to reduce supply chain risks.
• Examples: Conducting third-party risk assessments and ensuring that vendors providing critical systems, such as medical devices or cloud-based patient data systems, meet NHS security standards. Working with procurement to ensure security requirements are integrated into contracts and SLAs, and conducting regular security reviews with third-party vendors.
Team Leadership & Development:
• Lead, mentor, and develop the Cyber Security team, ensuring continuous professional development in defensive and offensive cyber security skills. Create a clear development pathway for team members, encouraging certification and advanced training in relevant areas.
• Examples: Organising training sessions and certifications for the team, such as CISSP (Certified Information Systems Security Professional) or CEH (Certified Ethical Hacker). Supporting the development of specialist skills within the team, such as advanced threat hunting or penetration testing, and ensuring that team members have opportunities to attend industry conferences and seminars.
This advert closes on Thursday 22 May 2025