Overview
Our client Scottish Power Cyber are currently recruiting for a Cyber Risk and Assurance Analyst to join their team based in Glasgow, initially on a contract basis. Ideally they are looking for an experienced Risk and Assurance Analyst within Cyber, from a relevant sector, whose background is either more assurance-based or more governance-based.
Job Purpose
The primary purpose of the Cyber Risk and Assurance Analyst is to support the delivery of Cyber Risk and Assurance services by the SPEN Cyber Governance, Risk and Assurance team. This role offers the opportunity to work and gain further experience within three primary GRA domains - Cyber Risk Management, Governance and Cyber Assurance.
Responsibilities
- Risk activities: conduct or support cyber risk assessments on behalf of stakeholders using the Cyber Risk Assessment Methodology across essential services, IT and OT estates; regular reviews and reporting of existing risks to ensure remediation plans are on track; produce risk reports for various governance forums; support risk owners with definition of risk treatment strategies.
- Governance: support governance activities and the Cyber governance model, including collecting KPIs, supporting and driving governance meeting cadence, reporting, action management and stakeholder engagement.
- Assurance: engage with the SPEN Cyber Assurance plan, dashboard reporting of CAF attainment status where applicable, and tracking of assurance activities such as penetration testing and management of audit actions.
- Stakeholder engagement: deliver services by engaging with technical and non-technical stakeholders across the business.
Accountability Statements
- Risk: Conduct comprehensive BAU and Change Delivery cyber risk assessments for SPEN IT and OT assets and essential services; identify vulnerabilities and potential threats with appropriate mitigation or treatment strategies.
- Coordinate approval of cyber, physical and environment risk assessments and strategies by appropriate stakeholders, including SPEN Cyber Security Forums.
- Track and support delivery of mitigation or treatment strategies by BAU or change delivery teams.
- Maintain Cyber Risk Registers with regular reviews and reporting of current risks to ensure they are appropriate.
- Review risks based on situational events such as new threats and control improvements.
- Produce risk reports for stakeholder groups.
- Governance: Support Scottish Power and SPEN Cyber Governance Activities, including documentation, milestone and global objective reporting and stakeholder engagement.
- Support the implementation of the Cyber Security Governance model, including reporting.
- Support the maintenance of a suite of Key Risk and Key Performance Indicators.
- Support the Head of Cyber Security Governance, Risk and Assurance and the Governance and Assurance Manager to achieve governance objectives, including tracking actions and driving mitigations.
- Assurance: Develop Assurance Plans with stakeholders, considering internal and external regulatory compliance requirements.
- Conduct planned assurance activities with stakeholders, document evidence and approach, and provide recommendations for identified weaknesses.
- Support Capability and Control Owners with self-assessments.
- Develop and present formal reports of assurance activity outcomes to senior stakeholders.
- Follow up on previous assurance recommendations to ensure closures.
- Coordinate assurance engagement with 2LoD and 3LoD, including sample testing of CAF Outcome attainment status.
- Maintain a dashboard view of NCSC CAF Attainment position and communicate to stakeholders and governance committees.
- Support internal and external audit requirements, including management of audit actions.
- Track and report on assurance activities performed outside of the GRA Team, including penetration tests.
- Provide assurance support for change initiatives, including assessment against CAF requirements.
- General: Provide guidance and support to IT and OT teams on cyber best practices, policies, and procedures.
- Participate in cross-functional projects and initiatives to enhance the organisation’s cybersecurity posture.
- Stay current on industry trends, emerging technologies, and regulatory changes related to cybersecurity in the energy sector.
Dimensions
- Responsibility for ongoing risk assessments or assurance for an agreed number of critical assets.
- Support risk, governance and assurance leads with ongoing workload.
- Able to support risk, governance and assurance workload components.
Skills, Knowledge & Experience
- Technical Skills:
  - Minimum 3 years’ experience performing cyber risk assessments and/or cyber assurance activities such as audits.
  - Professional qualification related to cyber risk management, audit or compliance, such as CRISC or CISA, desirable.
  - Experience working with a structured management system, including ISO27001.
  - Understanding of IT and OT cybersecurity principles, frameworks and best practices such as NCSC CAF, ISO27001, MITRE or NIST CSF.
  - Awareness of regulatory requirements, such as the NIS Regulations.
- Personal Skills/Abilities:
  - Excellent analytical, problem-solving, and communication skills.
  - Ability to work collaboratively in a cross-functional team environment.
  - Excellent communication skills.
  - Ability to build effective relationships with key stakeholders.
  - Ability to adapt quickly to change and support others in this process.
  - High integrity and emotional maturity.
  - Creative flair is encouraged.
- Planning & Organising: Candidate should be able to work to current assurance schedules and meet deadlines to ensure regulatory compliance; manage own workload with weekly reporting to the wider Governance Risk and Assurance Team.
- Internal and External Relationships: Supports Risk, Governance and Assurance Leads with delivery of risk, governance and assurance demand; stakeholders across SPEN Cyber functions; teams across 3LoD model including Digital Transformation (1LoD), Corporate Cyber (2LoD) and Internal Audit (3LoD).
Minimum Criteria (mandatory)
- 3 years of experience in similar work; preference for experience in industrial sectors (energy or otherwise).
- Experience of working as part of a team within a fast-paced and evolving business.
- Good oral and written communication skills.
- Must be a proven team player to promote and consolidate efficient team working relationships.