Details
Reference number
Salary
Civil Service Pension with an average employer contribution of 27%
Job grade
Contract type
Business area
Type of role
Information Technology
Security
Working pattern
Number of jobs available
Location
About the job
Job summary
The Forestry England IT team provides IT capabilities to the Forestry Commission: Forestry England, Forest Services and the Commissioners’ Office. This consists of the provision of managed services, systems and devices to ~1900 staff across a broad range of roles and diverse business functions across England, supporting the Forestry Commission’s mission to manage, protect and expand the nation’s woods and forests. The team consists of highly skilled in-house IT specialists, supported by third-party service providers and suppliers.
This role provides a well-organised and ambitious member of staff with an excellent opportunity to join the Forestry England IT Security, Risk and Compliance team, working to take forward and develop our IT governance, risk-awareness, security, and compliance obligations in a dynamic IT department, furthering the Forestry Commission’s unique mission and heritage.
Job description
The IT Security Governance and Process Manager (ITSGPM) will take a lead role in ensuring that our IT Security Governance is robust, current, and fit for purpose, while fully complying with both legal and HM Government security requirements. The ITSGPM will work under the direction of the IT Security Compliance & Risk Manager (ITCRM) to ensure effectiveness and consistency of approach. The ITSGPM will work to understand and identify the security risks associated with Forestry Commission processes and security governance, and to review security governance frameworks. A large part of the work will include staff collaboration, communicating and articulating security requirements, with ownership of security training and work to improve our security culture. The post holder will be an IT Security Manager with a particular focus on furthering our IT Security governance, and improving our security culture and the security behaviours of our staff. Your remit will cover Forestry England, Forest Services and the Commissioners’ Office.
Key Work Areas
Key Work Area 1: Improving Security Governance, Policy and Procedures
The post holder will have responsibility for overseeing, shaping and governing the IT security governance framework within Forestry England and will manage day-to-day security-governance and people-security requirements. You’ll be our governance, personnel and behavioural-security Subject Matter Expert. Responsibilities will include:
- You will own the downstream governance processes: manage, curate, and regularly review and amend existing and new IT Security articles of governance to ensure alignment to business direction, other security and information risk policies, legal requirements, government guidelines and sound business practices, to meet and enable business need.
- You’ll drive the improvement and leveraging of our established framework of security-governance to best effect. You’ll also lead on promoting this to the wider business and lead reporting on implementation, enforcement and compliance metrics.
- You’ll be responsible for formal audit, assurance and accreditation programmes as directed, building upon the ITCRM’s efforts to comply with internal requirements or through compliance with HMG obligations.
- You’ll be accountable for monitoring, recording and reporting of security metrics across the IT estate for a variety of consumers and needs. You’ll achieve this through collaboration with the IT Security Systems Manager and other IT roles. You’ll lead on requirements but be guided by others on our capabilities.
- You’ll own and lead projects and workstreams that support the IT Compliance & Risk Manager with governance and process implementation, and enforcement activities, which support the IT Security strategy, programme and policy development.
- You’ll lead on reporting from your area of responsibility, contributing this to the purpose of the Security and Risk Management Forum (SRMF) as required, reporting on events and incidents, articulating and addressing these in cultural and behavioural terms, and reporting on project progress and next steps.
- You’ll be a key member of various groups and be expected to play a pivotal role in Disaster Recovery, Incident Management and Business Continuity scenarios.
Key Work Area 2: Improving IT Security Behaviours and Culture
The post holder will be one of our IT Security Subject Matter Experts and will be jointly responsible for providing information, and approved advice and guidance across the business and for helping to drive beneficial IT security change.
- You’ll ensure that pragmatic and workable IT security advice is provided to the wider business and stakeholders where appropriate. Provide an escalation point for IT process-driven and people-security risks and incidents, ensuring that staff and managers are provided with clear, unambiguous instruction to follow when you are mitigating or remediating risks or incidents.
- Promote compliance with, and continued awareness of, the IT Security governance framework. Provide input across the business to evaluate, encourage, guide or change security improvements within processes at all stages of task and business unit life-cycles, through planning, procurement, design, build, delivery and production. You’ll focus on people-security to achieve this.
- Fully understand the environment, business processes, threats and risks that influence processes, information and staff. Work to identify areas where sub-optimal work-practices intersect and conflict with security requirements. Prioritise these so that available resources are effectively used to address training, communication and awareness needs.
- You’ll drive the delivery of targeted cyber-training, delivering training content that is bespoke and tailored to specific groups, operational needs and audience capabilities. You’ll steer the creation and use of existing training materials and programmes, and create and curate new content for other channels to cascade and deliver IT Security awareness-improvement throughout the business. You’ll act as our behavioural and cultural Security Champion across other disciplines, driving beneficial security change.
- Ensure that the requirements of the role remain aligned with threats and risks, industry trends, changes of best practice advice and government guidance. Use that knowledge to raise awareness throughout the business to positively influence business strategy and culture.
Reporting Line
Reports directly to IT Compliance and Risk Manager.
Staff Responsibilities
This role will manage and engage as necessary with external consultancy resources, specifically our appointed Cyber Security consultancy. The position is expected to have responsibility for directing junior staff within the function.
Financial and Budget Responsibilities
Manage a delegated budget for programme activities. Jointly responsible for all aspects of ITSec financial management including forecasting and reporting of future IT Security requirements.
Working Relationships
You will be working closely with the IT Compliance and Risk Manager, the IT Security Systems Manager, colleagues within the Forestry England IT Team and the SRMF. You will create and maintain effective, positive relationships within scope of the role across all Forestry Commission departments and Business Units as well as 3rd parties, suppliers, consultancy services, and partner organisations.
Working Patterns
This is a full-time position but there is scope for flexible hours (working the hours that suit your lifestyle) within reason, and blended/hybrid working (you’ll be able to work from home when agreed).
Person specification
Essential Criteria
A formal qualification or accreditation in the field of IT Security, OR proven experience in a governance, communications, audit or IT Security role or very similar.
Strong demonstrable experience and knowledge within an enterprise or business IT environment across at least one of the following fields and as set out in this job description:
IT Security Governance, IT Security Compliance, IT Security Risk and IT Security Audit.
Enthusiasm for spreading security-awareness in writing and through presentation.
Strong familiarity with enterprise IT security or service-provision requirements.
The ability to write fluently, accurately and concisely with clarity.
Proven abilities documenting and presenting concise reports, explaining complex information to varied audiences.
You’ll have a track record of good judgement and pragmatic decision making; communication skills with an ability to listen, influence and negotiate outcomes, and be able to speak, guide and assert with authority.
You’ll have experience of managing challenging situations and circumstances with discretion, respecting confidentiality, with fairness, honesty and empathy.
There will be a requirement for occasional travel and work away from your reporting point. You must be prepared for this and hold a full UK driving licence. Driving is the only way to efficiently reach many of our business locations.
Location is flexible for this role, but based around use of one of the existing Forestry Commission offices in the North-east or South-west of England and blended home working. The post holder will be expected to occasionally travel throughout England with some overnight stays, including at the Bristol national office.
There will be an expectation that you contribute when unplanned requirements, such as security incidents or failures, necessitate additional hours of work over and above contractual hours of work.
Desirable Criteria
Strong relationship-building and collaboration skills, with experience of negotiation and problem solving.
Experience with policy and procedural creation.
A demonstrable track record in either training or communications.
Strong familiarity with typical Line of Business applications: Microsoft 365 (Teams, SharePoint, Outlook, Excel, Word).
A track record of the ability to influence and guide the senior IT leadership team on strategy direction and delivery.
You’ll help identify opportunities to engage, promote and champion beneficial security changes. You’ll be able to demonstrate that you’ve influenced projects and their delivery to ensure wider positive adoption and use.
An understanding of the requirements and principles of GDPR and the Data Protection Act 2018.
BCS professional membership or membership of other authoritative body.
Awareness of IT service frameworks such as ITIL.
Ownership of your personal development to ensure you are equipped with the skills relevant to the proposition, now and in the future.
Behaviours
We’ll assess you against these behaviours during the selection process:
Benefits
£9,684 towards you being a member of the Civil Service Defined Benefit Pension scheme.
Find out what benefits a Civil Service Pension provides.
- Learning and development tailored to your role
- An environment with flexible working options
- A culture encouraging inclusion and diversity
- A great, inclusive and friendly work-team with a supportive work environment
- A Civil Service pension with an average employer contribution of 27%
- This is a full-time role but with scope for blended/hybrid and flexible working (working from home at hours that suit you and us the most).
Things you need to know
Selection process details
Application Process
As part of the application process you will be asked to complete a CV detailing your job history, qualifications, and previous experience/skills.
You will also be asked to provide a personal statement (up to 1000 words) describing how you meet the essential criteria (detailed in the person specification) in the context of this role.
Sift for interview will be conducted based on the CV and personal statement.
Interviews
We may conduct online interviews with the use of Microsoft Teams. Candidates would therefore require access to a computer and internet at interview stage.
At interview you will be assessed against experience, behaviours and strength based questions.
Sift and interview dates to be confirmed.
Further Information
A reserve list may be held for a period of 12 months from which further appointments can be made.
Any move to Forestry Commission from another employer will mean you can no longer access childcare vouchers. This includes moves between government departments. You may however be eligible for other government schemes, including Tax Free Childcare. Determine your eligibility at https://www.childcarechoices.gov.uk
If successful and transferring from another Government Department a criminal record check may be carried out.
In order to process applications without delay, we will be sending a Criminal Record Check to Disclosure and Barring Service on your behalf. However, we recognise in exceptional circumstances some candidates will want to send their completed forms direct. If you will be doing this, please advise Government Recruitment Service of your intention by emailing Pre-EmploymentChecks.grs@cabinetoffice.gov.uk stating the job reference number in the subject heading.
New entrants are expected to join on the minimum of the pay band.
This role is full time only. Applicants who wish to work an alternative pattern are welcome to apply however your preferred working pattern may not be available and you should discuss this with the vacancy holder before applying.
Reasonable Adjustment
If a person with disabilities is put at a substantial disadvantage compared to a non-disabled person, we have a duty to make reasonable changes to our processes.
If you need a change to be made so that you can make your application, you should contact Government Recruitment Service via fcerecruitment.grs@cabinetoffice.gov.uk as soon as possible before the closing date to discuss your needs.
Complete the ‘Assistance required’ section in the ‘Additional requirements’ page of your application form to tell us what changes or help you might need further on in the recruitment process. For instance, you may need wheelchair access at interview, or if you’re deaf, a Language Service Professional.
If you are experiencing accessibility problems with any attachments on this advert, please contact the email address in the ‘Contact point for applicants’ section.
Feedback will only be provided if you attend an interview or assessment.
Security
Nationality requirements
Working for the Civil Service
We recruit by merit on the basis of fair and open competition, as outlined in the Civil Service Commission’s recruitment principles.
Apply and further information
You may want to save a copy for your records.
Contact point for applicants
Job contact:
- Name: Phil Brown
- Email: philip.brown@forestryengland.uk
Recruitment team
- Email: fcerecruitment.grs@cabinetoffice.gov.uk