Cyber Risk and Assurance Analyst

Morson Talent

Scotland

On-site

GBP 40,000 - 60,000

Full time

Today

Job summary

A leading recruitment firm is looking for an experienced Cyber Risk and Assurance Analyst to join a prominent energy sector client in Glasgow. The role involves conducting risk assessments, supporting governance activities, and ensuring compliance with regulatory standards. The ideal candidate will have at least 3 years of experience in cybersecurity, along with strong analytical and communication skills. This position is a contract role offering an opportunity to work with a recognized organization.

Qualifications

  • Minimum 3 years' experience in cyber risk assessments or assurance activities.
  • Experience with structured management systems like ISO27001.
  • Understanding of cybersecurity principles and frameworks.

Responsibilities

  • Conduct risk assessments for IT and OT assets.
  • Support governance activities, including reporting and milestone tracking.
  • Develop and present Assurance Plans with stakeholders.

Skills

Cyber risk assessments
Cyber assurance activities
Communication skills
Analytical skills

Education

Professional qualification in cyber risk management, audit, or compliance (e.g., CRISC, CISA)

Tools

ISO27001

Job description

Overview

Our client, Scottish Power Cyber, is currently recruiting for a Cyber Risk and Assurance Analyst to join their team based in Glasgow, initially on a contract basis. Ideally they are looking for an experienced Risk and Assurance Analyst within Cyber, with a background in either assurance or governance, from a relevant sector. For more information on this role see below:

The primary purpose of the Cyber Risk and Assurance Analyst is to support the delivery of Cyber Risk and Assurance services by the SPEN Cyber Governance, Risk and Assurance team. This role offers the opportunity to work and gain further experience within three primary GRA domains – Cyber Risk Management, Governance and Cyber Assurance.

Responsibilities

  • Risk
    • Conduct comprehensive BAU and Change Delivery cyber risk assessments for SPEN IT and OT assets and essential services, identifying vulnerabilities and potential threats with appropriate mitigation or treatment strategies.
    • Co-ordinate approval of cyber, physical and environment risk assessments and strategies by appropriate stakeholders, including SPEN Cyber Security Forums.
    • Track and support delivery of mitigation or treatment strategies by BAU or change delivery teams.
    • Maintain Cyber Risk Registers, with regular reviews and reporting of current risks to ensure they are appropriate.
    • Review risks based on situational events such as new threats and control improvements.
    • Produce risk reports for stakeholder groups.
  • Governance
    • Support Scottish Power and SPEN Cyber Governance activities, including documentation, milestone and global objective reporting, and stakeholder engagement.
    • Support the implementation of the Cyber Security Governance model, including reporting.
    • Support the maintenance of a suite of Key Risk and Key Performance Indicators.
    • Support the Head of Cyber Security Governance, Risk and Assurance and the Governance and Assurance Manager to achieve governance objectives, including tracking actions and driving mitigations.
  • Assurance
    • Develop Assurance Plans with stakeholders, taking into account all internal and external regulatory compliance requirements.
    • Conduct planned assurance activities with stakeholders, documenting the evidence and approach, and provide recommendations for any areas of identified weakness.
    • Support Capability and Control Owners with self-assessments.
    • Develop and present formal reports on the outcome of assurance activities to senior business stakeholders.
    • Follow up previous assurance activity recommendations to ensure they have been adequately addressed prior to closure.
    • Co-ordinate assurance engagement with 2LoD and 3LoD, including sample testing of CAF Outcome attainment status.
    • Maintain a dashboard view of the NCSC CAF Attainment position and communicate it to relevant stakeholders and governance committees.
    • Support internal and external audit requirements, including management of any audit actions.
    • Track and report on assurance activities performed outside of the GRA Team, including penetration tests.
    • Provide assurance support for change initiatives, including assessment against CAF requirements.
  • General
    • Provide guidance and support to IT and OT teams on cyber best practices, policies, and procedures.
    • Participate in cross-functional projects and initiatives to enhance the overall cybersecurity posture of the organisation.
    • Stay current on industry trends, emerging technologies, and regulatory changes related to cybersecurity in the energy sector.

Dimensions

Responsibility for ongoing risk assessments or assurance for an agreed number of critical assets. Required to support the Risk, Governance and Assurance Leads with ongoing workload, and able to support risk, governance and assurance workload components.

Skills, Knowledge & Experience

Technical Skills:

  • Minimum 3 years' experience of performing cyber risk assessments and/or cyber assurance activities such as audits.
  • Professional qualification related to cyber risk management, audit or compliance such as CRISC or CISA desirable.
  • Experience of working with a structured management system, including ISO27001.
  • Understanding of IT and OT cybersecurity principles, frameworks and best practices such as NCSC CAF, ISO27001, MITRE or NIST CSF.
  • Awareness of regulatory requirements, such as NIS Regulation.

Personal Skills/Abilities:

  • Excellent analytical, problem-solving, and communication skills.
  • Ability to work collaboratively in a cross-functional team environment.
  • Excellent communication skills.
  • Ability to build effective relationships with key stakeholders.
  • Ability to adapt quickly to change and support others in this process.
  • High integrity and emotional maturity.
  • Creative flair is encouraged.

Planning & Organising

The candidate should be able to work to current assurance schedules and meet deadlines to ensure regulatory compliance, and manage their own workload with weekly reporting to the wider Governance, Risk and Assurance Team.

Internal and External Relationships

Supports the Risk, Governance and Assurance Leads with delivery of risk, governance and assurance demand. Stakeholders across SPEN Cyber functions include SPEN Cyber Leadership, who are potential Cyber Risk Owners and/or responsible for Capabilities and Controls that are in scope of the NIS Regulations and Change Delivery. Works with teams across our 3LoD model, including Digital Transformation (1LoD), Corporate Cyber (2LoD) and Internal Audit (3LoD).

Minimum Criteria (mandatory)

  • 3 years in similar work, with a preference for experience in industrial sectors (energy or otherwise).
  • Experience of working as part of a team within a fast-paced and evolving business.
  • Good oral and written communication skills.
  • Must be a proven team player, able to promote and consolidate efficient team working relationships.