
Security Consultant and Risk Assessments Lead

Date: Feb 22, 2021

Location: London, United Kingdom

Company: KPMG UK

The virtual SCRA team is made up of the Security Consultancy team and the Security Quality Assurance team (both in Security Operations) and the Risk Assessments team (in Information Assurance). Each of the three teams houses specialists who provide subject matter expertise, such as risk-based advice, technical security input, recommended security controls, remediation strategies and advice on configuration changes.
The services to be delivered by the virtual SCRA team include information security design and implementation consultancy, rapid information risk assessment, and technical security quality assurance services to internal customers for the following case-types:

- Technology solutions (new and significant change)
- Supplier assessments (new and significant change)
- Significant business changes (e.g. acquisition and divestment, major internal projects, new platform provider onboarding etc.)
- Specific business areas

The SCRA does not provide services directly to KPMG clients, but may be involved with suppliers (such as IBM) and KPMG Alliance partners.

Examples of sub-services on KPMG managed technology solutions include, but are not limited to, security by design services, risk assessments, solution design assessments, penetration testing, security configuration reviews and change reviews.

Examples of sub-services in relation to Supplier assessments include, but are not limited to, interviewing supplier technical security representatives, penetration testing and red team testing.

Currently the SCRA component teams do allocate resources in relation to significant business change, but this is performed in an ad hoc manner.
No risk assessments of specific business areas are carried out currently, except for Business Continuity purposes.

Role
The SCRA Lead will:

• Work with the named Security Operations Senior Manager/Director to develop quality, efficient, business enabling services;
• Oversee and be accountable for SCRA delivery - appoint or maintain Service Leads for each of the Services operated; work with the Service Leads to deliver the service goals for each service, in line with strategy; support the Service Leads as necessary; ensure good collaboration within the virtual team; manage demand and prioritise appropriately (sometimes with senior assistance as needed);
• Monitor service quality & escalate issues as necessary;
• Participate in the Information Risk Assessment Board as a core member, with the Head of Security Operations, the Head of Information Assurance, and the named Security Operations Senior Manager / Director completing the core group;
• Identify information security issues & risks for ongoing management in the wider Information Security teams; from time to time participate in the Information Risk Management Board meetings as necessary;
• Improve the Customer Experience, through process improvement and organised communication;
• Obtain regular customer feedback to continue to drive the performance improvement of the services;
• Be responsible for building and maintaining strong relationships with key stakeholders, such as customer groups, Information Security leadership, CTOs, Technology Engineering and Operations, business service owners and certain third parties;
• Further develop the services using automation, digitisation, and metrics as appropriate (and funded);
• Feed into budget discussions and develop a clear forward plan for resourcing requirements;
• Understand the dependencies and work collaboratively with aligned services & departments such as Engineering, Enterprise Wide Technology, Risk & Legal and Data Privacy to provide a consistent and reliable service;
• Provide opportunities and on-the-job training in the teams to develop the skills needed to meet the future needs of the service; monitor the need for off-the-job training and request as appropriate;
• Be accountable for ensuring service documentation, such as process guides, are maintained and kept up to date;
• Be accountable for lifecycle ownership of in-scope technology that supports the security consultancy and risk assessments service;
• Be responsible for providing reporting to leadership and other service stakeholders on service performance (against KPIs) and risk exposure (against KRIs);
• Be responsible for inputting to and reviewing information security policy and standards related to security consultancy and risk assessments;
• Be responsible for attending and supporting internal and external audits from a security consultancy and risk assessments service perspective;
• Provide advice to senior leadership on ways to improve control mechanisms, identify, evaluate, and mitigate risks;
• Work towards and achieve or extend professional certifications as part of personal development (as agreed with Performance Manager);
• Share experiences with others to assist their learning and understanding.

Prior experience
The successful candidate should be able to demonstrate most of the following:

• Ability to lead a team and work collaboratively
• Ability to learn from difficult experiences and adapt accordingly
• Experience of leadership of diverse and technical teams
• Good understanding of security risk assessment and risk management methodologies
• Experience and knowledge in performing security risk assessments of applications and infrastructure
• Experience of Security Consultancy (e.g. advising customers/stakeholders in relation to technology security by design, local security policy/standard/control development, setting up virtual and physical secure environments etc)
• Understanding of software development lifecycles, preferably in the context of building secure solutions in the public cloud
• Experience with managing senior stakeholders and developing trust with those stakeholders
• A good knowledge of wider concepts of Information Security (which could be demonstrated through CISM/CISSP/CCSP certification or similar), to facilitate good team working across Information Security and wider
• Ability to adapt communication style to explain technical concepts to different people within an organisation, whether advising stakeholders, directing teams or sharing experience;
• Experience of successfully working in a fast paced, customer service environment, delivering high quality information security services whilst managing customer expectations; and
• Ability to be calm in challenging situations, while navigating complex security problems to find a root cause and balanced outcome.

It would also be advantageous if the successful candidate can demonstrate some, or all of:

• Experience scoping and overseeing security testing (especially within a DevSecOps pipeline);
• Experience with managing a service and developing a product lifecycle;
• Experience with managing third parties to deliver elements of your service;
• Experience and knowledge of container or serverless platforms.
