Company: Steer

Address: Leeds, West Yorkshire

Category: Banking

Job description

*This role is location agnostic and is open to candidates across the United Kingdom

About Steer

We are Steer and we help people, places and economies thrive. Steer is a global employee-owned business consultancy specialising in transport, cities and infrastructure, with over 530 staff in 24 offices around the world.

We have an enduring commitment to generate success for our clients, for ourselves and for the communities which we support. A commitment that ultimately improves the way people live, work and travel.

At Steer, our consultants work to improve the outlook of our region, ensuring that our clients keep social and environmental impact in mind as they conduct their operations. We believe that actions speak louder than words, and therefore have annual measurable targets across all social impact areas, particularly DEI and sustainability. We have also committed to successfully operate as a Net Zero Carbon company by 2025, participating in the UN’s Global Compact.

For further information on Steer, please take a moment to review our website:

Steer | Helping people, places and economies thrive (steergroup.com)
About the role

We are seeking an experienced Information Security & Compliance Manager who, whilst having a technical background, can work closely with Steer’s clients, suppliers and internal staff globally on matters relating to Information Security.

You will take a leading role in the management of Information Security and have experience of working across all levels within a business, along with several external partners, to achieve the goal of keeping Steer’s data and systems secure.

Quality, Information Security and data protection are critical areas for Steer to enable the delivery of high-quality work to our clients, securely and to the highest standards possible.

We are certified to the ISO9001 standard, along with Cyber Essentials Plus, and desire to develop a full Information Security Management System and gain ISO27001 certification. Additionally, we set our own internal policies relating to data protection, Information Security, compliance and risk management, and measure our performance against these. It is vital we uphold these standards to ensure client, supplier and employee data are handled securely and in line with all required laws and industry codes.

About the candidate

You will take a leading role in setting the company’s standards, policies and procedures for Information Security and associated activities, across all its operations, consultancy functions and geographical locations.

Reporting to the Head of IT and working closely with the IT, Legal and Quality teams, amongst others, the main functions of this role include managing, designing, implementing and maintaining the Company’s overall Information Security strategy, policies, risk management, audit methodology and activities, compliance and assurance activities, incident management and certification around technology, as well as providing updates to our Chief Operating Officer (COO) and our Information Governance Committee (IGC) concerning Information Security Governance related activities.

This is a new role within Steer and the successful candidate will be able to make the role their own, but it is expected that the role will have the following scope:

  • In conjunction with Head of Legal, Head of IT and IT Infrastructure Manager, develop, maintain, implement and support standards, policies, procedures and measures to ensure compliance with all applicable Information Security legislation and ensuring suitability with Steer’s business operations;
  • In conjunction with Group Quality Manager, establish Information Security risk management approach applicable across the business, leveraging Steer’s existing risk management framework, and manage the operationalisation of this, including risk monitoring, mitigation, reporting and escalation;
  • Oversee security compliance activities including Cyber Essentials Plus and NIST-CSF, continually seeking for more efficient, automated controls and ways of working and assuring compliance;
  • Define and manage a control assessment / assurance program and security architecture reviews to continually ensure security controls are operating effectively;
  • Develop and maintain an Information Security Management System and mature Steer towards ISO27001 certification;
  • Support and work with the IT Infrastructure Manager in managing our primary suppliers of IT security solutions;
  • Mature our Security Operations capability, potentially appointing a Managed SOC and establishing appropriate operating model and processes;
  • Define, operationalise and monitor Security Incident Management procedures and playbooks;
  • Monitor, analyse and triage security incidents. Participation in security incident handling efforts in response to a detected incident, following through to successful remediation;
  • Work with stakeholders and business units to identify and record details of data processing and advise on data lifecycle management (including identification, classification, retention, and deletion);
  • Maintain awareness of trends in security regulatory, technology, and operational requirements;
  • Be a focal point for technical Information Security expertise;
  • Participate in completion of third-party supplier security/compliance assessments. Building relationships with key clients and suppliers/sub-contractors identifying steps for security improvements where appropriate;
  • Contribute to proposal submissions and client contract reviews where required and applicable, responding to client Information Security requirements and assessment questionnaires;
  • Manage and support the IT team with delivery of on-going security initiatives and security projects, including vulnerability scanning, penetration testing, patch management, SIEM monitoring, etc.;
  • Define roadmap on where Information Security practices and systems can be improved or costs to the company reduced;
  • Work with Learning & Development to create and maintain an on-going Information Security awareness program of training and comms;
  • Champion and promote Information Security awareness and management across employees, sub-contractors and suppliers.


Work-life balance

At Steer, we believe that a healthy work-life balance is paramount to long-term success, which is why all employees seeking a full-time opportunity are encouraged to spend 60% of their time either in office or on-site with clients, and why we aim to keep our employees’ typical work week to 37.5 hours, reflective of client needs. Hours, expectations, and exemption status will be determined for any applicant seeking a part-time opportunity.


Compensation

Steer is committed to ensuring that all its employees are compensated fairly and at a competitive rate. All initial compensation, regardless of location, may be subject to change as skills, abilities, internal equity and geographic location are taken into account.

In addition to base salary, all employees will be eligible for an annual discretionary performance bonus. Please review the benefits section for more information on total reward.

Steer reserves the right to ultimately pay more or less than the posted range and offer additional compensation.

Requirements

  • At least 5 years working in Information Security;
  • Excellent knowledge of Information Security, risk management and governance, data protection;
  • Knowledge of data protection principles, including GDPR, CPPA, NYPA amongst others and the practical application of data protection laws around data handling and management within a global business;
  • Excellent experience and knowledge of Information Security frameworks such as ISO27001, Cyber Essentials, Cyber Essentials Plus and NIST-CSF;
  • Knowledge and experience of implementing ISO Standards and data protection frameworks in a large or complex business with multiple stakeholders in a global environment;
  • Practical knowledge and experience in writing and implementing Information Security strategy, policies and procedures;
  • Strong understanding of the business impact and benefit of security tools, technologies and policies;
  • A team player with a flexible, pro-active and ‘can-do’ approach to work, with the ability to work autonomously, but will seek guidance when required;
  • Highly organised and able to work in a fast-paced environment with multiple and sometimes changing priorities;
  • Be forthcoming and proactive in suggesting new ideas and identifying areas for improvement or enhancement;
  • Excellent customer facing and presentation skills for liaison with colleagues at all levels and used to interacting at a senior level;
  • Must have a conscientious, accurate and methodical approach to work and have strong written and verbal communications skills;
  • Support, influence and promote a risk-aware culture and sound risk management across the business;
  • Experience of working with external audit bodies in the planning, preparation and hosting of external audits;
  • Experience of planning and conducting internal audits in relation to quality, Information Security and data protection, producing clear and actionable findings and supporting IT & business teams to implement these actions;
  • Assist in documentation and submission of information and presentations for internal management committees;
  • Experience of dealing with data related incidents efficiently and effectively, ensuring issues are managed and appropriately escalated within the business;
  • Ability to quickly develop an understanding of internal systems, governance, and IT infrastructure to allow the accurate completion of client security questionnaires and contract reviews;
  • Excellent experience of Information Security / cyber security tools & technologies within a large and complex environment including firewalls, anti-malware / EDR, SIEM, DLP, SCCM, etc.;
  • Demonstrable experience of implementing Information Security controls in on-premise Microsoft environments, VMware, M365 and Azure environments required. Experience of implementing such controls in AWS and Google environments and with Apple Mac endpoints would be an advantage;
  • It would be preferable for the candidate to hold qualifications in an Information Security related discipline such as CISA, CISM, CISSP, or to hold ISO27001 implementation/audit qualifications;
  • It would be preferable for the candidate to have experience of working in a multi-site and global organisation, as would experience in a Professional Services organisation;
  • Must be legally authorised to work in the United Kingdom without the need for employer sponsorship, now or at any time in the future.

Benefits

We offer a competitive package of benefits including private medical insurance and health screening, life assurance, group income protection, company pension scheme, EAP, ability to buy and sell annual leave days, Season Ticket Loan, a group Share Incentive Plan, up to 5 days for volunteering activities and a discretionary bonus scheme based on annual compensation (dependent upon individual and company performance).

Additionally, we offer 25 days annual leave, plus the 8 bank holidays and the ability to buy and sell leave in the year to give extra flexibility.

Steer is an equal opportunity employer and welcomes all candidates regardless of race, color, ancestry, gender identity or expression, religion, national origin, sexual orientation, age, citizenship, marital status, disability, Veteran status, or any other legally protected status. Any other human expressions and experiences not mentioned here are equally welcome. If you require an accommodation, now or throughout your employment, please let us know.

In our commitment to inclusivity in the workplace, Steer has welcomed the creation of various Employee Resource Groups, dedicated to ensuring the support, progression, and well-being of all employees. For more information, check out our social responsibility page: Our social responsibility | Steer (steergroup.com).

We understand that some may be dissuaded from applying based on their compatibility with the job description. That being said, we understand that not everyone is a perfect match on paper and encourage anyone to apply regardless of how much their work experience directly relates to the job description.

Part-time and flexible working applications will be considered.

Refer code: 2919436. Posted by Steer on 2024-03-03 20:27.