Information Security Specialist

Location Birmingham
Contact name: Jonathan Savage

Contact email: jonathan.savage@graftonplc.com
Job ref: 029251
Published: 28 days ago

Job purpose

The Group Information Security Team is responsible for developing and managing technology solutions, services and processes that apply across all Grafton business units to reduce information security risk.

The role holder will work to improve information security controls in the business, adapting as new security threats emerge and the threat landscape evolves, to reduce the risk of losses to the business.

The role holder will provide specialist security knowledge and technical architecture input to projects of varying scale across technology and related process disciplines, with the focus expected to be in the following areas:

  • Design and implementation of information security and data protection technologies (e.g. MFA, endpoint protection, SOC/SIEM, EDR, vulnerability monitoring, network segregation) and driving successful adoption of the technologies to enable the group to reduce information security risk.
  • Implementation of security controls. This will include controls which are provided centrally such as phishing simulations, and also supporting Grafton subsidiaries in implementing and managing controls locally.
  • Implementation and operation of information security processes such as incident response, alerting and monitoring, and third-party security assessments.
  • Working with subsidiaries to ensure that security tooling provided by group (for example EDR) is working correctly and implemented fully.
  • Designing and organising security testing, e.g. penetration testing or other technical control testing, working with third parties to execute testing where necessary.
  • Provide consultancy, advice, and support to Grafton subsidiaries on their management of controls and compliance with a NIST based information security framework.

The role holder will be a resourceful, self-motivated individual who is comfortable getting things done in matrix structures. They will have the opportunity to both shape and deliver projects and solutions. They will be expected to apply information security and data protection best practices with pragmatism and common sense.

Key Responsibilities

  • Design, implementation, and maintenance of information security technical controls across all Grafton subsidiaries, such as EDR, vulnerability scanning, and security event management. This will include innovative technology solutions to enhance Grafton’s security posture against the rapidly evolving cyber threat landscape.
  • Creation, maintenance and communication of information security technology standards, procedures and guidelines.
  • Perform security reviews of third parties who provide IT solutions and/or process data for Grafton Group.
  • Implementing and overseeing ‘first line of defence’ security operation controls, including access control, security event monitoring, patch management, endpoint threat detection, data leakage prevention.
  • Participate in the information security incident management process, including updating the process when needed, training Group and business unit teams on the process, conducting incident scenario exercises, data breach reporting and post-incident reporting.
  • Reporting on security KPIs such as endpoint EDR coverage, unsupported OS, and vulnerabilities.
  • Work closely with Group and business unit IT teams to ensure appropriate information security and data protection controls are embedded within projects.
  • Perform technical analysis and compliance reporting against appropriate control frameworks and international standards.
  • Providing information security architecture and technical consultancy across all Grafton business units and supporting them in complying with Grafton security standards and the Information Security Framework based on NIST.
  • Review the effectiveness of controls embedded in the business units to ensure compliance with internal security policies, regulations (e.g. GDPR) and industry standards (e.g. PCI DSS).
  • Organise and carry out technical security testing including penetration testing.

Qualifications/Knowledge/Skills/Experience

Essential

  • Experience working in an information security technology practitioner or related infrastructure management role, with knowledge of implementing security technology controls, secure configurations, and implementation of security projects.
  • Excellent written and oral communication skills, with the ability to effectively communicate at all levels of the organisation.
  • Build and maintain strong, collaborative relationships with technical and non-technical stakeholders.
  • Ability to carry out high-quality data analysis and formal report writing.
  • Practical knowledge of information security risks management, controls and frameworks (e.g. NIST).
  • Experience in designing and implementing written and technical information security standards.
  • Passion for information security and supporting the business in reducing risk, with a proactive attitude toward maintaining up-to-date knowledge.
  • Broad experience and knowledge of IT systems, networking principles and associated technology-based security controls.
  • Knowledge and experience of logical access control management and administration.
  • Broad knowledge of GDPR and PCI DSS.
  • High level of personal and professional integrity.

Desirable

  • Holds one of the following certifications (EISM, CISM, CISSP, CISA or CEH).
  • Professional qualification (degree or equivalent industry qualification).
  • Knowledge of data protection and information security standards and processes, and delivery of information security projects.
  • Experience in delivering security projects relating to Microsoft technologies, including Office 365 security and Azure cloud services security.
  • Experience of security incident handling and response.
  • Knowledge of technical architecture principles, frameworks and best practices.
  • Knowledge of cloud computing and the associated security and control considerations.
  • Subject matter expertise across the following technologies:
      • TCP/IP, LAN and WAN networking.
      • Network Security (e.g. firewalling, IPS).
      • Server operating systems and hardening techniques.
      • Endpoint security and EDR.
      • Virtualisation and thin-client products.
      • SIEM and vulnerability management tools.
      • Data loss protection technology.

Key Behaviours:

Thinking Things Through

  • Problem Solving: Getting to the root cause of problems and coming up with practical, commercial solutions.
  • Business & Customer Focus: Works consistently in the best interests of customers and the business.

Delivering Results

  • Taking responsibility for results: Making things happen, going the extra mile to drive performance and standards. Proactively intervenes to maintain the integrity of information security practices.

Engaging Others

  • Skilful Communication: Communicating information clearly, openly and persuasively.
  • Relationship Building: Building positive relationships with colleagues and customers through respect, listening and teamwork.

Adapting to Change

  • Flexibility: Updating skills and knowledge by assessing industry best practice, creating and maintaining relationships with colleagues, suppliers and partners, and responding positively to change.
  • Resilience: Demonstrating calmness, confidence and perseverance in demanding situations.

Leadership

  • Creating a Virtual Team: Builds a high-performing virtual team working with colleagues across the Group, providing clarity of direction and making the most of the collective strengths of the team.
  • Managing change: Helping others to embrace change and implement it successfully.

Suitable for someone who is:

  • Happy to work under their own steam and is comfortable working across multiple projects with multiple stakeholders.
  • Resourceful and innovative, and disciplined to get the job done.
  • Comfortable working at all organisational levels to drive real change and improvement.
  • Grounded in a good, broad understanding of IT landscapes and able to manage the human aspects of delivering technology change.