Company

About Department For Work And Pensions

Address: Blackpool, Lancashire
Category: IT

Job description

Security incident management is a complex and rapidly evolving area, and you will be expected to keep abreast of how the security environment and threat vectors impact the business. The skills required in this team are a complex blend of investigating, information analysis, decision making and technical capabilities, married with well-developed inter-personal and communication skills.
  • You will provide expert Incident Response, determining the threat and level of impact to citizens; DWP business, including its customers and colleagues; DWP assets (including information and premises); and coordinating the appropriate response. You will also get under the surface of Security Incident causes to identify and influence future prevention.
  • You will be responsible for escalation lead on Incident Live Service; and be strategic lead for one of the Protect functions within SIRT (Protect functions are: People, Security Incidents, Practise & Practices, Crisis Event Management, Learning, Patterns & Insight).
  • Working with multiple internal and external stakeholders you will act as a Silver incident commander, coordinating DWP Security Incident Responses to medium and high severity events.
  • Provide expert advice to the Head of Security Incident Response Team (SIRT), Head of Cyber Resilience Centre (CRC), DWP Chief Security Officer and Gold Incident Commanders. Produce communications statements, escalate incident recovery issues, and coordinate response forums to ensure effective and timely incident recovery.
  • Representing SIRT SLT at security events and governance meetings you will ensure all security issues and incidents are impacted, assigned and resolution action is taken forward.
  • Demonstrate command and control for the response to Security Incidents and high priority threat/impact events to ensure Security Incidents and breaches are managed effectively across DWP.
  • Lead and coordinate activities within Protect strands, to directly support, improve or develop SIRT's live service.
  • Manage, develop, and maintain Security Incident Response policies, procedures and playbooks for DWP.
  • Influence the continued development of DWP's Incident Response capabilities, including ensuring that Incident Response technology capabilities are sufficient for DWP security requirements.
  • Provide expert security related advice and guidance on the threat environment and Security Incidents.
  • Manage Security Incidents in accordance with applicable DWP and His Majesty's Government (HMG) policies and standards.
  • Supervise, review and instigate Security Incident Response plans and procedures for DWP.
  • Lead, manage and/or chair cross functional and cross government Incident Response groups, ensuring appropriate responses to Security Incidents or threats are taken in an appropriate and timely manner.
  • Oversee DWP's response to security alerts and notices from external agencies, including the National Cyber Security Centre (NCSC).
  • Take responsibility for the production and continuous review of Security Incident Response plans, procedures, and processes for SIRT.
  • Ensure DWP's Incident Response plan and the associated response align with His Majesty's Government (HMG) standards.
  • Guarantee timely and accurate Security Incident Response briefings and communications are issued to the Head of Security Incident Response Team (SIRT), Head of Cyber Resilience Centre (CRC), DWP Chief Security Officer, and Department's incident Gold Commanders, relevant stakeholders, delivery partners and other government departments, where appropriate, such as the Cabinet Office and the National Cyber Security Centre (NCSC).
  • When necessary, provide expert stakeholder management to ensure remediation activities are focused on responding to Security Incidents in an effective and timely manner.
  • When required, manage the coordination and DWP's collective response to significant vulnerabilities identified via Threat Intelligence (where emergency action is required).
  • Ensure the timely identification and briefing of appropriate Gold Incident Commander(s) within DWP. Mentor them on appropriate decision making and provide them access to specialist advice.
  • Demonstrate visible leadership whilst participating in regular drilling / exercising and learning events to build capability and embed Incident Response procedures.
  • Ensure that SIRT staff are recording Management Information (MI) in relation to reported security events/incidents accurately including Key Performance Indicators (KPIs) to feed DWP Executive Team and Security & Data Protection (S&DP) Senior Leadership Team (SLT) requirements.
  • Provide expert incident management stakeholder input into the development of new capabilities within CRC and across DWP.
  • Take responsibility for recruitment activities on SIRT ensuring appropriate resourcing levels are maintained.
  • Take responsibility for driving forward deliverables on the SIRT Work Plan in line with the principles outlined within the National Institute of Standards and Technology (NIST) Cybersecurity framework, to improve DWP's identify, protect, detect, response and recovery capabilities and posture.
  • Deputise for and represent the Grade 6 Head of Live Service or Head of Protect functions when required.
  • Line Management responsibility for SEO Senior Security Incident Response Analyst resources on SIRT.

Person specification
  • Supervising the prompt and effective response to Security Incidents reported to SIRT, by effective triage and prioritisation of incidents utilising the Security Incident Response Plan (SIRP).
  • Lead, develop and embed lessons learnt and lessons identified as a consequence of Security Incidents investigated, particularly those initially triaged as high risk.
  • Demonstrate by example an investigative mindset with the ability to problem solve, motivate, influence and be adaptable to a given situation.
  • Provide support 24 hours a day, 7 days a week and as a result, you will be expected to work as part of an on call rota, which will also attract occasional out of hours working. You will provide 24/7 initial contact out of hours cover for Security Incident management across DWP on behalf of SIRT; and Silver Commander responsibilities for significant events impacting DWP.
  • You will prioritise people, actively promote the health, safety, and wellbeing of SIRT colleagues and others.

You may be required to travel to different DWP sites and government agencies with occasional overnight stays.
Successful candidates should have, or show a commitment to working towards, the BCS Certificates in Information Management Principles (CISMP), Certified Information Security Manager (CISM) and NIST cybersecurity framework. https://www.nist.gov/cyberframework/framework
Essential criteria for the role
  • Proven leadership experience within an incident management environment. (Lead Criteria)
  • Proven experience of making risk-based defensible decisions at pace.
  • Proven experience of managing stakeholders in a complex environment with multiple service providers.
  • Proven experience communicating complex related messages and providing updates and recommendations in a clear and comprehensive manner.

Desirable Criteria
  • Demonstrable experience in interpreting threat intelligence and engaging relevant stakeholders to plan and run complex incident exercises / practice drills taking lessons learned and applying this to incident management playbooks and standards.
  • Good working knowledge of security concepts (Physical, Personal, IT and Cyber Security), including security controls, security risk management and Security Incident management.
  • Proven experience of handling Security Incidents of direct concern to senior leaders up to director levels, regulatory bodies and/or ministers; and deep knowledge and/or understanding of requirements to co-ordinate responses to Security Incidents across multiple organisations.

If you would like to learn more about the role contact the vacancy holder.
Behaviours
We'll assess you against these behaviours during the selection process:
  • Leadership
  • Making Effective Decisions
  • Delivering at Pace
  • Communicating and Influencing
  • Working Together

Benefits
  • Learning and development tailored to your role
  • An environment with flexible working options
  • A culture encouraging inclusion and diversity
  • On call allowance
  • A Civil Service pension with an average employer contribution of 27%
  • This job role may be suitable for hybrid working, which is where an employee works part of the week in their DWP office and part of the week from home. This is a voluntary, non-contractual arrangement and your office will be your contractual place of work. The number of days that anyone will be able to work at home will be determined primarily by business need, but personal circumstances and other relevant circumstances will also be taken into account. If you are successful, any opportunities for hybrid working, including whether a hybrid working arrangement is suitable for you, will be discussed with you prior to you taking up your post.

Things you need to know
Selection process details
This vacancy is using Success Profiles, and will assess your Behaviours, Strengths and Experience.
As part of the application process you will be asked to complete:
1. A completed Personal Details application form.
2. A curriculum vitae* with education, professional qualifications and full employment history, giving details of key achievements relevant to the skills and experience outlined in this job description.
3. A personal statement clearly demonstrating how you meet the essential criteria as detailed in the job advert in no more than 1000 words. To be successful you must provide as much information and detail as you can, outlining what you did, and what the outcome was. The information you provide will be used to assess your application at the sift stage of the selection process.
Further details around what this will entail are listed on the application form.
When giving details in your employment history and personal statement you should highlight your experience working with the essential criteria previously detailed above (in responsibilities section).
Sift and Interview
The sift panel will use the information in your employment history and personal statement to assess your experience, skills and knowledge against the essential criteria detailed above.
Should a large number of applications be received an initial sift may be conducted using the lead criteria which is: Proven Leadership experience within an incident management environment.
Candidates who pass the initial sift may be progressed to a full sift, or progressed straight to interview.
If you are successful at sift stage you will be invited to attend a face to face interview at one of the identified hub locations. There you will be assessed against the following behaviours:
Leadership, Making effective decisions, Delivering at pace, Communicating and Influencing and Working Together.
You will also be assessed on Strengths and any relevant experience you have.
You will be asked to do a 10 minute (maximum) presentation on a topic identified within the invitation to interview.
Further details will be provided to candidates invited to interview.
Sift will take place after the 5th August 2024.
Interviews will be held W/C 19th August 2024 (dates to be confirmed)
Results issued W/C 2nd September 2024.
Further Information
Find out more about Working for DWP
A reserve list may be held for a period of 6 months from which further appointments can be made.
Any move to DWP from another employer will mean you can no longer access childcare vouchers. This includes moves between government departments. You may however be eligible for other government schemes, including Tax Free Childcare. Determine your eligibility at https://www.childcarechoices.gov.uk
If successful and transferring from another Government Department a criminal record check may be carried out.
In order to process applications without delay, we will be sending a Criminal Record Check to Disclosure and Barring Service on your behalf.
However, we recognise in exceptional circumstances some candidates will want to send their completed forms direct. If you will be doing this, please advise Government Recruitment Service of your intention by emailing Pre-EmploymentChecks.grs@cabinetoffice.gov.uk stating the job reference number in the subject heading.
NSV
For further information on National Security Vetting please visit the following page https://www.gov.uk/government/publications/demystifying-vetting
New entrants are expected to join on the minimum of the pay band.
Applicants who are successful at interview will be, as part of pre-employment screening, subject to a check on the Internal Fraud Database (IFD). This check will provide information about employees who have been dismissed for fraud or dishonesty offences. This check also applies to employees who resign or otherwise leave before being dismissed for fraud or dishonesty had their employment continued. Any applicant whose details are held on the IFD will be refused employment.
A candidate is not eligible to apply for a role within the Civil Service if the application is made within a 5 year period following a dismissal for carrying out internal fraud against government.
Before applying for this vacancy, current employees of DWP should check whether a successful application would result in changes to their terms & conditions of employment, e.g. mobility, pay, allowances. Civil Servants that would transfer into DWP from other government organisations, following successful application, will assume DWP's terms & conditions of employment current on the day they are posted, unless DWP has stated otherwise in writing.
The Civil Service values honesty and integrity and expects all candidates to abide by these principles. Please ensure that all examples provided in your application are taken directly from your own experience and that you describe the examples in your own words. Applications will be screened and if evidence of plagiarism or copying examples/answers from other sources is found, your application will be withdrawn. Internal DWP candidates may also face disciplinary action.
Reasonable Adjustment
At DWP we value diversity and inclusion and actively encourage and welcome applications from everyone, including those that are underrepresented in our workforce.
We consider visible and non-visible disabilities, neurodiversity or learning differences, chronic medical conditions, or mental ill health. Examples include dyslexia, epilepsy, autism, chronic fatigue, or schizophrenia.
If you need a change to be made so that you can make your application, you should:
  • Contact Government Recruitment Service via DWPRecruitment.grs@cabinetoffice.gov.uk as soon as possible before the closing date to discuss your needs.
  • Complete the Reasonable Adjustments section in the Additional requirements page of your application form to tell us what changes or help you might need further on in the recruitment process. For instance, you may need wheelchair access at interview, or if you're deaf, a Language Service Professional.
If you are experiencing accessibility problems with any attachments on this advert, please contact the email address in the 'Contact point for applicants' section.
Feedback will only be provided if you attend an interview or assessment.
Security
Successful candidates must undergo a criminal record check.
Successful candidates must meet the security requirements before they can be appointed. The level of security needed is security check.
See our vetting charter.
People working with government assets must complete baseline personnel security standard checks.
Nationality requirements
This job is broadly open to the following groups:
  • UK nationals
  • nationals of the Republic of Ireland
  • nationals of Commonwealth countries who have the right to work in the UK
  • nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities with settled or pre-settled status under the European Union Settlement Scheme (EUSS)
  • nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities who have made a valid application for settled or pre-settled status under the European Union Settlement Scheme (EUSS)
  • individuals with limited leave to remain or indefinite leave to remain who were eligible to apply for EUSS on or before 31 December 2020
  • Turkish nationals, and certain family members of Turkish nationals, who have accrued the right to work in the Civil Service
Further information on nationality requirements
Working for the Civil Service
The Civil Service Code sets out the standards of behaviour expected of civil servants.
We recruit by merit on the basis of fair and open competition, as outlined in the Civil Service Commission's recruitment principles.
The Civil Service embraces diversity and promotes equal opportunities. As such, we run a Disability Confident Scheme (DCS) for candidates with disabilities who meet the minimum selection criteria.
The Civil Service also offers a Redeployment Interview Scheme to civil servants who are at risk of redundancy, and who meet the minimum requirements for the advertised vacancy.
Diversity and Inclusion
The Civil Service is committed to attract, retain and invest in talent wherever it is found. To learn more please see the Civil Service People Plan and the Civil Service Diversity and Inclusion Strategy.
Refer code: 3466787. About Department For Work And Pensions - The previous day - 2024-06-28 14:35
