Summary
A chief information security officer creates an environment and culture in the organisation that ensures the security of its information and technology. They enable the organisation to achieve its objectives and deliver services in a safe and secure way.
The chief information security officer role is part of both the Government Digital and Data profession and the Government Security profession.
In this role, you will:
- create a strategy for information and cyber security that supports both the organisation's strategy and wider government security strategy
- lead the organisation in implementing the information and cyber security strategy
- evaluate the current status and maturity of information and cyber security in the organisation
- determine how to get to the level of information and cyber security maturity the organisation needs
- understand risks across the organisation and advise the board and other leaders on how to mitigate risks in their areas and in future plans
- enable the organisation to be innovative in a safe and secure way
- ensure the organisation is prepared for cyber attacks and can detect, respond to and recover from an attack
- ensure that information and cyber security aspects of crisis management are effective
- encourage a culture of cyber security awareness and good security practices
- implement practices to increase the maturity of information and cyber security
Work Activity Components
| Title | Details |
|---|---|
| Compliance (SCTY) (Level Seven) | Accountable for business strategy compliance with information security policies. Takes steps to ensure the organisation complies with all relevant security regulations including GDPR. |
| Policy and strategy (SCTY) (Level Seven) | Directs the development, implementation, delivery and support of an enterprise information security strategy aligned to the strategic requirements of the business, and consistent with relevant IT and business plans, budgets, strategies etc. |
| Security consultancy (SCTY) (Level Seven) | Manages a significant security consultancy practice, either stand-alone or within a larger business organisation. |
| Security expertise (SCTY) (Level Seven) | Takes responsibility for the delivery of IT security expertise for the organisation, providing authoritative advice and guidance on the application and operation of all types of security control, including legislative or regulatory requirements such as data protection/GDPR and software copyright law. Acts as the organisation's data protection officer for the purposes of GDPR legislation. |
| Threats and breaches (SCTY) (Level Seven) | Leads the provision of information security resources, expertise, guidance and systems necessary to execute strategic and operational plans across all the organisation's information systems. This includes executive responsibility and accountability for the management of threats to confidentiality, integrity, availability, accountability and relevant compliance, and for security control reviews, business risk assessments and reviews that follow significant breaches of security controls. In the case of breach, undertakes the duties of data protection officer to ensure that registration and notification of the breach is done in accordance with GDPR legislation. |
| Career paths and mentoring (PEMT) (Level Six) | Mentors and influences senior individuals in consideration of their career opportunities and contribution to the organisation's talent pool. Advises on their career paths, and encourages proactive development of skills and capabilities. |
| Empowerment and role model (PEMT) (Level Six) | Facilitates effective working relationships within and between senior staff. Motivates, engages with, influences and empowers senior staff. Acts as a role model for senior staff and staff at all levels across the organisation, setting a high standard, acting professionally at all times and working to the highest levels of conduct and ethics. |
| Guidance, performance and feedback (PEMT) (Level Six) | Optimises performance of senior staff, measuring and reporting on performance against agreed high-level strategy and key performance indicators. Collects data on the performance of senior staff. Gives regular feedback to senior teams on their contribution towards organisational performance and strategy. |
| Lead, manage and supervise (PEMT) (Level Six) | Leads, supports and guides the work of senior staff, including the allocation of management and supervisory responsibilities to senior individuals. |
| Transformation and change (PEMT) (Level Six) | Leads the organisation during times of change, aligning change programmes with the skills and capabilities of key senior staff. Supports senior staff through difficult and challenging change programmes. |
Behavioural Skills
| Title | Details |
|---|---|
| Commercial Orientation | Understanding commercial considerations and ensuring alignment with them when making decisions or recommending actions. |
| Conceptual Thinking | Acquiring understanding and insights regarding the underlying issues in complex problems or situations through the development of abstract representations, the identification of patterns and the analysis of hypotheses. |
| Counselling and Developing Others | Helping others to understand their values, needs, goals and limitations and coaching them to develop their effectiveness towards the limits of their potential. |
| Delegation | Delegating tasks, responsibilities and authorities effectively. |
| Flexibility | Taking account of new information or changed circumstances and/or business requirements and modifying response to a problem or situation accordingly. |
| Follow-up and Monitoring | Checking progress against targets, taking action to resolve exceptions/issues and reporting and escalating where necessary. |
| Holistic Thinking | The ability to place problems in the context of the wider business landscape or area of interest. Understanding how different business functions work together to achieve shared goals. |
| Influence, Persuasion and Personal Impact | Conveying a level of confidence and professionalism when engaging with stakeholders, influencing positively and persuading others to take a specific course of action when not in a position of authority. |
| Interacting with People | Establishing relationships, contributing to an open culture and maintaining contacts with people from a variety of backgrounds and disciplines. Effective, approachable and sensitive communicator in different communities and cultures. Ability to adapt style and approach to meet the needs of different audiences. |
| Leadership | Clearly articulating goals and objectives, and motivating and leading others towards their achievement. |
| Organisational Awareness | Understanding the hierarchy and culture of own, customer, supplier and partner organisations and being able to identify the decision makers and influencers. |
| Providing Direction | Directing others to undertake specified tasks within a defined timescale. |
Technical Skills
| Title | Details | Depth |
|---|---|---|
| Access Control Systems | Any tool or system which provides security access control (i.e. prevents unauthorised access to systems). | Proficient in |
| Application Systems | Technical or functional understanding of Commercial Off-the-Shelf (COTS) applications and/or other bespoke software deployed within the organisation in order to provide system configuration, audit, technical, and/or functional support. | Proficient in |
| Big Data | The discipline associated with data sets so large and/or complex that traditional data processing applications are inadequate. The data files may include structured, unstructured and/or semi-structured data, such as unstructured text, audio, video, etc. Challenges include capture, curation, search, sharing, storage, transfer, manipulation, analysis, visualisation and information privacy. | Familiar with |
| BYOD | The policy of permitting employees to bring personally owned mobile devices (laptops, tablets, smartphones, etc.) to their workplace, and the implications of using those devices to access privileged company information and applications while safeguarding corporate systems and data and taking account of security and confidentiality requirements. Also called bring your own technology (BYOT), bring your own phone (BYOP) and bring your own PC (BYOPC). | Proficient in |
| Cloud/Virtualisation | The principles and application of cloud/virtualisation (including ownership, responsibilities and security implications). Use of tools and systems to manage virtualised environments. | Familiar with |
| Corporate, Industry and Professional Standards | Applying relevant standards, practices, codes, and assessment and certification programmes to the specific organisation or business domain. | Expert in |
| Cyber Security Concepts | The understanding of cyber security concepts and ability to effectively translate and accurately communicate security and risk implications across technical and non-technical stakeholders so that they are understood and applied. | Expert in |
| Disaster Recovery Planning | Methods and techniques for planning for, and mitigating against, serious disruption of IT services. Techniques may include data replication, log shipping, HA, resilience, fallback location/services, offsite back-up, recovery time objectives (RTO), recovery point objectives (RPO), maximum tolerable downtime window, cloud computing, diversity, etc. | Familiar with |
| Infrastructure/System Security | The security threats and vulnerabilities that impact and/or emanate from system hardware, software and other infrastructure components, and relevant strategies, controls and activities to prevent, mitigate, detect and resolve security incidents affecting system hardware, software and other infrastructure components. | Expert in |
| IT Audit | Principles, practices, tools and techniques of IT auditing. | Proficient in |
| National/International Standards | Current and emerging standards associated with IT practice nationally and internationally, published by authorities such as IEEE, IEC, BSI, ISO. | Proficient in |
| Network Data Security | Network security and threat mitigation, including physical, electronic, firewalling, encryption, access, and authorisation; protecting data at rest and in transit; defending against viruses and malware; the impact of Big Data; and the integration of robust security controls into enterprise services and policies. | Expert in |
| Network Traffic Analysis | Methods and techniques for the capture of traffic information (packet level) and the forensic analysis of this information into its constituent elements. | Expert in |
| Networking and Communications | The planning and management of the interaction between two or more networking systems, computers or other intelligent devices. | Proficient in |
| Operational/Service Architecture | Knowledge of the IT/IS infrastructure and the IT applications and service processes used within own organisation, including those associated with sustainability and efficiency. | Familiar with |
Other Skills
| Title | Details | Depth |
|---|---|---|
| Appraisal Techniques | Methods and techniques for appraising an individual's performance and potential. | Expert in |
| Budgets | Principles, methods, techniques and tools for the preparation and monitoring of budgets to manage costs and ensure cost-effectiveness and value for money. | Proficient in |
| Coaching Techniques | Methods and techniques for coaching individuals or groups by a balanced combination of support and direction, which could include use of virtual learning environments plus add-ons to augment feedback specific to work items, workflow or career plans. | Expert in |
| Disciplinary Issues and Procedures | Managing episodes of unsatisfactory behaviour or performance in accordance with appropriate policies and legislative conformance. Includes changes to circumstances, such as sickness, disability and other personal issues. | Proficient in |
| Enterprise Architecture | Understanding of Enterprise Architecture principles and practices, e.g. as defined within TOGAF, used to create a strategic framework to align the organisation's business strategy, processes, information and technology to satisfy business goals. Enterprise architecture provides a holistic view of the organisation, enabling effective decision-making, optimisation of resources and more efficient adaptation to change in the business environment. | Familiar with |
| Legislation | Relevant national and international legislation. | Expert in |
| Performance Monitoring | Identifying, agreeing and monitoring (usually by face-to-face interviews) objectives and deliverables with individuals. Identifying under-performance issues against agreed quality standards and performance criteria. Identifying gaps in capability and causes, disciplinary or ability-related (needing assistance, training or other support). | Expert in |
| Presentation Techniques | Methods and techniques for delivering effective and accessible presentations, either face-to-face or online within various contexts and to a variety of audiences. | Proficient in |
| Resource Allocation | The effective and efficient routine deployment of resources (including reassessment and reallocation in a dynamic multi-project environment) to achieve optimum results. | Proficient in |
| Risk Management | Methods and techniques for the assessment and management of business risk. | Expert in |
| Standards Writing Techniques | Principles, methods and techniques for establishing, documenting, and maintaining standards. | Expert in |
| Team Dynamics | Knowledge and understanding of the psychological and environmental forces that influence the direction of team behaviour and performance, and the tools and techniques to improve team cohesion and performance. | Proficient in |
| Techniques for Effective Meetings | Methods and techniques for running effective meetings and for understanding and influencing the roles played by participants. | Proficient in |
| Threat Landscape | Knowledge and understanding of the threat landscape, regulatory and legislative requirements and awareness of industry good practice relating to information governance, privacy and security. | Expert in |
Training
| Title | Details |
|---|---|
| Diversity and Inclusion | Raise awareness of diversity in the workplace in order to better understand how the world looks through the eyes of people of a different age, race, gender, sexuality, etc., improve communications with people from diverse backgrounds and reduce the levels of unconscious bias in decision-making. |
| Human Resource Planning | Techniques and practices involved in planning the numbers and types of personnel needed over time by a particular skillset, department or function within an organisation. |
| Technology Products for Future Use | Technology products or solutions that are potentially of use to the organisation. |
Professional Development Activity (PDA)
| Title | Details | PDA Group |
|---|---|---|
| Gaining Knowledge of Broader IT Issues | Increasing and maintaining currency of knowledge of broader IT issues through reading, attending and participating in seminars or conferences, special studies, temporary assignments etc. | Increasing Knowledge |
| Gaining Knowledge of Standards and Legislation | Gaining and maintaining knowledge of relevant national and international standards and legislation. | Increasing Knowledge |
| Gaining Strategic Knowledge of Employing Organisation | Developing a comprehensive understanding of the business environment in which the employing organisation operates and its position, policies and direction in relation to health and care, country and global issues. | Increasing Knowledge |
| General Management | Continuing learning and development in general management skills, such as effective communication, leadership styles and skills, team building and team roles, motivation and delegation, planning and resource scheduling, influencing, persuasion and negotiation, so as to be in a position to accept greater responsibility at senior management or director (including non-exec) level. | Developing Professional Skills |
| Mentoring | Acting as a mentor, advising those for whom there is no direct responsibility, on matters to do with their job role, career and professional development. | Broadening Activities |
| Participation in Professional Body Affairs | Taking an active part in professional body affairs at branch, specialist group, committee or board level. | Participation in Professional Activities |
Qualification Components
| Title | Awarding Bodies |
|---|---|
| FEDIP Leading Practitioner | The Federation for Informatics Professionals |
| CISSP Certified Information Systems Security Professional | (ISC)2 International Information Systems Security Certification Consortium |
Government Digital and Data Profession Capability Framework Skills
| Skill | Level |
|---|---|
| Capability building for digital, data and technology | Expert |
| Changing security culture | Expert |
| Cyber incident management | Expert |
| Cyber risk management | Expert |
| Cyber security governance | Expert |
| Innovation in digital, data and technology | Expert |
| Security architecture | Expert |
| Strategic cyber security planning | Expert |
The Professional Body Responsible for this job family is BCS. This job role profile was created in collaboration with BCS, using Role Model Plus.
