Head of IT Security

North Sea Transition Authority

City Of London

On-site

GBP 70,000 - 90,000

Full time

7 days ago

Job summary

A public sector organization in the UK is seeking an IT Security Manager to play a crucial role in monitoring and improving the security of digital services. Key responsibilities include developing security strategies, leading incident response, and ensuring compliance with regulatory frameworks. The ideal candidate will have a relevant IT or security degree, significant experience in IT security management, and strong knowledge of compliance standards. This role offers an exciting opportunity to impact the organization's cyber resilience.

Qualifications

  • Proven track record in IT security management.
  • Experience with developing security strategies.
  • Strong knowledge of compliance frameworks.

Responsibilities

  • Monitor, report, and evaluate the security of digital services.
  • Lead incident response and security operations.
  • Oversee delivery of IT security services and operations.

Skills

IT security management
Cyber resilience
Risk management
Compliance with GDPR
Incident response

Education

Relevant IT or security degree

Tools

ISO27001
Cyber Essentials Plus
NCSC guidance

Job description

Detailed job description and key responsibilities

The IT Security Manager plays a pivotal role within the organisation, actively engaging with the wider business to monitor, report, and evaluate the security of its digital services. In addition, they provide essential support to the Chief Digital Officer in implementing and delivering the Digital/Data and IT Strategies, ensuring alignment with business objectives and maintaining robust security standards.

Key responsibilities include:

  • Transform access to information
    • Deliver secure and resilient IT and information security services, safeguarding networks, infrastructure, and systems through robust configurations and compliance with recognised standards.
    • Embed security by design in all new systems, APIs, and datasets, ensuring alignment with legislation and frameworks such as GDPR, Data Protection Act 2018, NCSC guidance, and ISO27001.
    • Implement and maintain data protection practices, including applying retention and classification labels to support compliance and effective records management.
    • Collaborate across IT, digital, and business teams to integrate security principles into projects and change initiatives, providing expert input throughout the lifecycle.
  • Analytics and Intelligence
    • Implement advanced security monitoring and risk management capabilities—including Third Party Risk Management (TPRM), vulnerability scanning, Dark Web monitoring, and annual health checks (penetration testing, vulnerability assessments)—to proactively identify and mitigate threats.
    • Lead incident response and security operations, acting as the primary authority for IT security events, ensuring effective investigation, containment, recovery, and forensic analysis, and coordinating resolution of breaches and vulnerabilities.
    • Provide clear visibility of security posture through regular reporting on risks, incidents, and remediation progress to senior leadership, supporting informed decision-making and continuous improvement of cyber resilience.
  • Collaborate, partner and assure
    • Develop and maintain cyber and IT strategies in collaboration with the Chief Digital Officer, including systematic reviews of legacy systems and securing leadership approval for a comprehensive five-year security plan.
    • Oversee delivery of IT security services and operations, including Security Operations Centre (SOC) capabilities, ensuring alignment with strategic goals, compliance with frameworks (Cyber Essentials Plus, GovAssure/CAF), and continuous improvement through regular assessments and remediation.
    • Embed security standards and architecture across projects and systems, collaborating with IT, PMO, service providers, and directorates to ensure security-by-design and adherence to NCSC guidance, GDPR, and ISO27001.
    • Manage organisational cyber risk and governance, including monitoring risk registers, enforcing policies and standards, managing budgets, and providing recommendations to strengthen security posture and resilience.
  • Influence
    • Represent NSTA in industry and government forums, including serving as Co-Chair of the SOCS forum, participating in cross-industry cyber working groups, and promoting the organisation’s approach to cyber security and digital resilience at external events.
    • Act as a subject matter expert (SME) for IT, cyber security, and digital enquiries, maintaining strong liaison with security networks to share best practices and enhance collaborative security initiatives.
    • Provide governance and compliance oversight, preparing reports for Security Advisory Board (SAB), Audit Risk Committee (ARC), and leadership teams, maintaining a register of legal and regulatory obligations, and raising awareness of changes and their organisational impact.
  • People, culture and skills
    • Lead and manage a high-performing records management team, ensuring compliance with regulatory requirements and organisational standards.
    • Lead and deliver cyber security awareness initiatives—including phishing simulations, mandatory training, and information security sessions—while monitoring compliance and completion rates across the organisation and service partners.
    • Champion a robust security culture by embedding emerging security requirements into practices and continuously improving training programmes through gap analysis and targeted interventions to strengthen cyber resilience.