Our goal is that the NSTA continues to be a ‘Great Place to Work’. We offer a flexible 37-hour working week with a hybrid model (40% office working). Work-life balance is very important to us, with a workplace culture that fosters collaboration, respect, and professionalism. In addition, we offer a range of benefits including a competitive pension with a 28.97% employer contribution.
Brief overview of role
As a senior member of the IT and Digital team this role is responsible for safeguarding NSTA’s digital assets, systems, and data against evolving cyber threats, providing strategic leadership in developing and ensuring compliance with security policies, proactive risk management, continuous monitoring of security posture, and rapid response to incidents to minimize operational disruption.
The role acts as the primary authority on cybersecurity within the organisation, advising senior leadership on emerging risks, regulatory changes, and resilience strategies. In addition, the role champions a culture of security awareness, ensuring that employees and contractors understand their responsibilities in protecting sensitive information.
Detailed job description and key responsibilities
The IT Security Manager plays a pivotal role within the organisation, actively engaging with the wider business to monitor, report, and evaluate the security of its digital services. In addition, they provide essential support to the Chief Digital Officer in implementing and delivering the Digital/Data and IT Strategies, ensuring alignment with business objectives and maintaining robust security standards.
Key responsibilities include:
- Transform access to information
  - Deliver secure and resilient IT and information security services, safeguarding networks, infrastructure, and systems through robust configurations and compliance with recognised standards.
  - Embed security by design in all new systems, APIs, and datasets, ensuring alignment with legislation and frameworks such as GDPR, Data Protection Act 2018, NCSC guidance, and ISO27001.
  - Implement and maintain data protection practices, including applying retention and classification labels to support compliance and effective records management.
  - Collaborate across IT, digital, and business teams to integrate security principles into projects and change initiatives, providing expert input throughout the lifecycle.
- Analytics and Intelligence
  - Implement advanced security monitoring and risk management capabilities, including Third Party Risk Management (TPRM), vulnerability scanning, Dark Web monitoring, and annual health checks (penetration testing, vulnerability assessments), to proactively identify and mitigate threats.
  - Lead incident response and security operations, acting as the primary authority for IT security events, ensuring effective investigation, containment, recovery, and forensic analysis, and coordinating resolution of breaches and vulnerabilities.
  - Provide clear visibility of security posture through regular reporting on risks, incidents, and remediation progress to senior leadership, supporting informed decision-making and continuous improvement of cyber resilience.
- Collaborate, partner and assure
  - Develop and maintain cyber and IT strategies in collaboration with the Chief Digital Officer, including systematic reviews of legacy systems and securing leadership approval for a comprehensive five-year security plan.
  - Oversee delivery of IT security services and operations, including Security Operations Centre (SOC) capabilities, ensuring alignment with strategic goals, compliance with frameworks (Cyber Essentials Plus, GovAssure/CAF), and continuous improvement through regular assessments and remediation.
  - Embed security standards and architecture across projects and systems, collaborating with IT, PMO, service providers, and directorates to ensure security-by-design and adherence to NCSC guidance, GDPR, and ISO27001.
  - Manage organisational cyber risk and governance, including monitoring risk registers, enforcing policies and standards, managing budgets, and providing recommendations to strengthen security posture and resilience.
- Influence
  - Represent NSTA in industry and government forums, including serving as Co-Chair of the SOCS forum, participating in cross-industry cyber working groups, and promoting the organisation’s approach to cyber security and digital resilience at external events.
  - Act as a subject matter expert (SME) for IT, cyber security, and digital enquiries, maintaining strong liaison with security networks to share best practices and enhance collaborative security initiatives.
  - Provide governance and compliance oversight, preparing reports for the Security Advisory Board (SAB), Audit Risk Committee (ARC), and leadership teams, maintaining a register of legal and regulatory obligations, and raising awareness of changes and their organisational impact.
- People, culture and skills
  - Lead and manage a high-performing records management team, ensuring compliance with regulatory requirements and organisational standards.
  - Lead and deliver cyber security awareness initiatives, including phishing simulations, mandatory training, and information security sessions, while monitoring compliance and completion rates across the organisation and service partners.
  - Champion a robust security culture by embedding emerging security requirements into practices and continuously improving training programmes through gap analysis and targeted interventions to strengthen cyber resilience.
Person specification
Competence 1: Decision making and judgment
Ability to make complex decisions ensuring policies and procedures are adhered to. Accept responsibility for own actions. Well-developed analytical skills and sound judgement to manage varied and sometimes complex issues. Ability to document rationale and outcome of decisions.
Competence 2: Delivery
Focusing on delivering timely performance with energy and taking responsibility and accountability for quality outcomes. Working to agreed goals and activities and dealing with challenges in a responsive and constructive way, often working alongside colleagues to deliver success.
Competence 3: Collaborating, Influencing and Including
Meets challenges with resourcefulness, generates suggestions for improving work and develops innovative approaches and ideas. Proven leadership skills and the ability to bring creative, innovative and strategic thinking to the role and to articulate a vision. Strong interpersonal skills and the ability to influence are essential. Mentors and coaches others, unlocking potential and maximising performance.
Competence 4: Planning, Performance and Achieving
Effective planning and performance to successfully achieve objectives and improvements to the quality of service, taking account of diverse stakeholder needs and requirements. The ability to structure and organise time and activities to deliver a high-quality and efficient service, applying agile approaches to support delivery.
Specialist Skills, Qualifications, Experience, Licenses, Memberships or Language
Essential:
- Professional Certifications: CISM (Certified Information Security Manager) and/or CISSP (Certified Information Systems Security Professional).
- Leadership & Communication: Strong ability to lead teams, communicate effectively, and manage diverse stakeholders.
- Technical Expertise: Comprehensive knowledge of IT environments, including Windows servers and desktops, cloud platforms, networking, applications, security, and virtualized systems.
- Security Framework Implementation: Demonstrated experience in designing, developing, and implementing information security frameworks, tools, and processes at a technical level.
- Supplier & Contract Management: Proven track record in managing outsourced service contracts and procurement activities.
- IT Security Operations: experience overseeing and managing IT security operations.
- Risk & Compliance Awareness: In-depth understanding of IT security risks and cyber security challenges, particularly within the public sector.
- Change & Transformation: Experience driving change management and implementing transformational IT security initiatives.
- Network & Firewall Expertise: Skilled in network and firewall design, configuration, and applying security principles, including IT auditing practices.
- Access Control Systems: Familiarity with tools and systems for access security control (e.g., ACF2) to prevent unauthorized system access.
- Risk Management & Resilience: Knowledge of risk management methodologies, business impact analysis, and contingency planning for IT service disruptions, including resilience strategies, fallback locations, backups, and diversity measures.
Desirable:
- Experience of public sector / government regulatory environment / energy sector
- ISO27001 Lead Implementor
Job Details
- Salary £76,374
- Appointment Type Permanent
- Appointment Term Full time
- Vacancy Reference Number NSTA 472
- No. of posts 1
- Grade G7
- Location Aberdeen or London
- Travel to other location within the UK? Occasional
- Level of Security Clearance SC
- Medical Required? No
- Unless otherwise stated consideration will be given to requests to work on a part time or job share basis. Flexible working hours can also be considered.
Application details
- Closing date for applications 07 December 2025
- Anticipated shortlisting date TBD
- Anticipated interview date TBD
Personal information
Completed applications will only be accepted via the online application process below. However, if you require the application form in a different format, please contact us at Recruitment@nstauthority.co.uk quoting the recruitment reference number and job title.
You should provide examples in your covering letter that best demonstrate your skills and abilities against the competencies and specialist skills. The maximum length of each competence example is 2,000 characters. The information you provide will be assessed during the shortlisting stage and, if you are invited to attend an interview, the indicated competence areas will be discussed further.
When completing your application, you should use the STAR format (Situation, Task, Action and Result) for each competence. All appointments are subject to successful completion of pre-employment checks.
For further information please visit
Additional information on what you can expect as a North Sea Transition Authority employee
Use of AI in the drafting, completing or enhancing of your application must be declared at the time of submission of your application. Failure to do so may mean that your application is not progressed or assessed. Any over-reliance on AI may reduce the chance of your application being successful.
Inclusion and Diversity statement
The NSTA is committed to embedding equality and diversity into all our policies and processes. We will aim to recruit, retain and promote staff on the basis of competence and regardless of characteristics including those listed under the Equality Act 2010. These protected characteristics are: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion and belief, sex and sexual orientation.
The NSTA is an accredited Disability Confident Committed employer. We have also been awarded silver accreditation for the Gender Diversity Benchmark through Business in the Community, The Prince’s Responsible Business Network. In addition, we are signed up to their Race at Work Charter and implement its five principles. As a further commitment to attracting, retaining and developing a diverse workforce we have signed up to the Axis Pledge.