Security and Information Risk Advisor

Join us as an IT Security and Information Risk Advisor (SIRA) within Scottish Government's Cyber Security Unit (NCSR), where you'll play a key role in protecting our digital services, helping ensure they remain secure, resilient, and well positioned to respond to evolving cyber threats.

As a valued member of the team, you will play a crucial role in helping the Scottish Government and service owners develop policy and apply standards, manage cyber and information risk, identify mitigations, and obtain assurance and compliance.

In this role you will help system owners, projects, and procurements understand, assess, and manage cyber and information risks, ensuring systems and data stay secure and compliant. Providing clear, practical advice to support risk-based decisions you will help build resilience against evolving threats from both inside and outside the organisation.

• Provide advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards.
• Carry out assessments to identify and define security requirements that enable business operations, ensure regulatory compliance, and align with strategic objectives.
• Undertake Cyber Security related risk assessments and business impact analysis, conduct threat assessments, carry out threat modelling, and other risk management activities on complex information systems.
• Contribute to development of information security policy, standards, and guidelines.
• Interpret information assurance and security policies and applies these to manage risks.
• Provide advice and guidance to ensure adoption of and adherence to information assurance architectures, strategies, policies, standards, and guidelines.
• Provide advice to validate the effectiveness of risk mitigation measures, including an understanding of how to use different assurance activities (such as a pen test) and make recommendations for improvement and support information assurance assessments.
• Communicate with internal and external stakeholders at all levels of technical ability, on high risk or complex topics or under constrained timescales.