Health & Care System Cyber Security Compliance Lead - Joint Cyber Unit

The Joint Cyber Unit (JCU) is a collaboration between the Department of Health and Social Care (DHSC) and NHS England (NHSE). The JCU is embedded within the Digital Policy Unit (DPU), a unit comprising both DHSC and NHSE staff intended to design, plan and build a digitally enabled, data driven and safe health and social care system with ministers and the NHS. The purpose of the JCU is to provide strategic leadership in cyber security across the health and care sector, assure the cyber security of the sector, act as system stewards to improve cyber resilience across the health and care system and to provide advice which empowers health and care staff to share information appropriately and securely to deliver care.

The JCU is comprised of two divisions:

• Governance, Risk and Compliance – cyber and information governance, system engagement, system compliance, system supply chain, system risk management and internal JCU business operations.
• Strategy and Policy – development and implementation of national strategy, policy and regulation.

The Compliance and Engagement team monitors performance and assesses cyber security compliance across the Health and Care landscape, identifying where organisations need more support by providing evidence-based confidence in the effectiveness of cyber security controls, processes and systems.

• Evaluating compliance against statutory, regulatory and NHS requirements such as the Data Security and Protection Toolkit (DSPT), Network and Information Systems (NIS) Regulations and national security policies.
• Engaging with NHSE regional cyber leads to understand drivers, blockers and emerging incidents related to cyber security.
• Developing strategies and supporting Board-level decision making by presenting findings aligned to business risk and impact.
• Developing strategies to support remediation across the health and care system, helping organisations improve their cyber security maturity.
• Monitoring performance of organisations across Health and Care, identifying where more support is needed and enabling access to further support through funding, national services, regulation or engagement.
• Analysing and reporting on compliance performance across the system to identify trends and common weaknesses.

The NHS England board has set the top-level purpose for the organisation and the role includes contributing to: enabling local systems and providers to improve health outcomes; making the NHS a great place to work; ensuring the workforce has the right knowledge and behaviours; optimising digital technology, research and innovation; and delivering value for money.

If you would like to know more or require further information, please visit https://www.england.nhs.uk/.

Colleagues with a contractual office base are expected to spend, on average, at least 40% of their time working in person. Staff recruited from outside the NHS will usually be appointed at the bottom of the pay band. If you are successful at interview, an Inter Authority Transfer (IAT) will be run in the Electronic Staff Record (ESR) system to support onboarding. You may inform us if you do not consent to this process.

Date posted: 24 September 2025

Pay scheme: Agenda for Change

Band: Band 8c

Salary: £100,054.50 to £115,286.60 per year (inclusive of 30% RRP); exclusive of London Weighting

Contract: Fixed term

Duration: 11 months

Working pattern: Full-time

Reference number: 990-TD-DPU-16847-E

Job locations: Wellington Place/Wellington House, Leeds / London, LS1 4AP

As a Health and Care System Cyber Security Compliance Lead within the Joint Cyber Unit, the post holder will work as part of a dynamic team in delivering an effective service supporting cyber security risk reduction across the health and care system. The post holder will lead the provision of an efficient, effective, and high quality professional and well-coordinated system-wide Health and Care cyber security compliance service capable of meeting all statutory, regulatory and NHS requirements ensuring alignment with the activity of the organisation. The post holder will be responsible for:

• Provide team leadership and subject matter expertise in security compliance.
• Oversee team workload and capacity, collaborating with other leaders to align resources and priorities.
• Lead the delivery of a responsive, high quality cyber security compliance service.
• Drive remediation of cross-cutting security issues through the design and continuous delivery of security improvement plans.
• Partner with regional stakeholders to strengthen cyber maturity and organisational resilience.
• Coordinate cyber security compliance activities across a diverse stakeholder base to drive meaningful security improvement and maintain clear lines of communication.
• Scope and assess the security posture of Health and Care Organisations taking an evidence-based approach.
• Develop and manage security compliance metrics to inform evidence-based decision making.
• Lead compliance activities aligned with key frameworks and legislation such as NCSC CAF, NIS Regulations, and the DSPT.
• Provide cyber security expertise supporting the development, implementation, and monitoring of the compliance service.
• Provide comprehensive compliance plans and progress reports to the relevant Boards as per the agreed reporting schedule and on an ad hoc basis as required.
• Work closely with other leads and sponsor directors to ensure interdependencies across all compliance areas are considered and actions aligned.
• Manage the day-to-day activities of the compliance service and contribute specialist knowledge to develop effective strategy and operational policies.
• Engage with key strategic regional and national policy makers to inform development of strategy and policies.
• Identify examples of national and international best practice to ensure benefits from relevant innovations in healthcare are realised.
• Develop and champion new initiatives or projects as necessary.
• Ensure the team works cohesively within the team and with other programmes.
• Provide leadership, direction, and support to ensure a consistent programme management approach to delivering organisational objectives.

The post has been awarded a Recruitment and Retention Premia (RRP) of 30% per annum. RRP is non-contractual and subject to review.

Please note the fixed-term reason is covering vacancy.

National Security Vetting

Residency requirements: All NHS England Cyber Security personnel must hold SC level as a minimum. SC clearances require 5 years continuous UK residency (or 3 years with additional overseas checks in some cases). Applicants from HM Government, Armed Forces or UK government roles will be considered. If offered, failure to achieve SC after offer may result in withdrawal. For guidance see GOV.UK on security vetting.

Further information on National Security Vetting and contact details are provided in the original job posting.

Secondments

Applicants from within the NHS will be offered on a secondment basis only, with employer agreement required prior to submitting the application.

Qualifications Essential

• CISSP/CISA/CISM/CRISC or equivalent qualification from a recognised security-focused body

Experience Essential

• Extensive knowledge and experience of strategies, frameworks, controls and processes used to encourage good cyber hygiene
• Extensive knowledge and experience of information security management, including deploying and monitoring security systems and resolving IT security violations
• Experience providing technical or business guidance to clients internal and external, adapting to diverse situations

Desirable

• Strong track record in strategic and operational delivery within NHS and social care, with programme/project management experience
• Experience leading change projects in health and/or social care environments

Skills Essential

• Ability to communicate highly complex, sensitive information and negotiate with senior stakeholders; present to large groups
• Strong team management, coordination and motivational skills

Desirable

• Ability to analyse complex facts and develop multiple options

Disclosure and Barring Service Check

This post is subject to the Rehabilitation of Offenders Act; a DBS submission will be made to check for any previous convictions.

UK Registration

Applicants must have current UK professional registration. See NHS Careers website for details.

Notes

Secondments and role title notes: The advertised job title is for advertising purposes; the successful candidate will be hired with the title of Cyber Operations and Engagement Lead until a formal change can be made.

Employer details: NHS England, Wellington Place/Wellington House, Leeds / London, LS1 4AP. Website: https://www.england.nhs.uk/about/working-for/