Job Purpose:
As cyber threats continue to diversify and grow, so too does TfL’s need to develop our cyber security culture and capabilities to ensure we continue to protect the services and systems which keep London moving. TfL’s cyber security professionals play a critical and ever-increasing role in protecting these services and systems, safeguarding our customers as they travel across the capital’s network, and ultimately helping to realise the Government’s ambition to make the UK the safest place in the world to be online and do business.
This role provides specialist Industrial Control Systems/Operational Technology (ICS/OT) cyber security advice and guidance, supporting the organisation to align with organisational policies, standards and good practice. You will support cyber security risk owners to manage their cyber security risks and engage in activities to improve TfL's cyber resilience.
The ability to build relationships and manage multiple stakeholders is essential in this role. We’re looking for a great communicator, able to make the complex understandable for a wide range of stakeholders.
Prior experience in cyber security would be advantageous but is not essential as the successful candidate will receive a combination of formal and on-the-job training to develop their cyber security skillset.
Key Accountabilities:
• Provide consultation, advice and guidance to First Line cyber security risk owners and to Second Line Cyber Security team including TfL's Security Operations and Assurance functions and Third Line internal audit teams
• Consult and advise on the secure design, build, implementation, testing and delivery of systems to ensure the secure operation and ongoing verification and validation of systems
• Consult and advise stakeholders in assessing, understanding and managing cyber security risks in project and operational systems, including meeting regulatory obligations
• Consult, advise and develop incident response capability
• Contribute to the development and maintenance of cyber security standards and guidance, architectural patterns and strategies, and the continuous improvement of Cyber Security’s internal processes, capabilities and tools
• Prepare, present and/or support reports on the current status of cyber security assurance, deliverables, risks and KPIs/KRIs
• Sponsor, facilitate, support and/or implement cyber security capabilities and improvements to the security and resiliency of technology systems
• Chair, facilitate and contribute to technology and cyber security governance groups and approval bodies
• Promote cyber security and contribute to developing a cyber secure culture
• Provide consultation, advice and guidance on the Network and Information Systems (NIS) Regulations
Knowledge:
• Telecommunications and IP networking,
• Network and computer system architecture, operations and protocols,
• Network infrastructure, system and application architecture and associated cyber security controls,
• Enterprise-level cyber security technologies for use in complex environments,
• Information security management concepts to support solutions and processes.
Desirable knowledge of:
• Relevant legislation and regulation such as:
- Data Protection Act (DPA) 2018
- Network and Information Systems (NIS) Regulations 2018
- Payment Card Industry Data Security Standard (PCI DSS)
• Industry best practice and frameworks such as:
- ISO27001
- IEC62443
- NIST Cyber Security Framework
- CIS Critical Security Controls
• Cyber security management and its application to Operational Technology,
• Cyber security technologies and controls and their application to Operational Technology,
• Cyber security threats, vulnerabilities and risks to Operational Technology,
• Operational Technology and accompanying industrial control systems,
• Resilient and secure design of network infrastructure, systems and applications,
• Principles of secure by design,
• Principles of secure by operation,
• Principles of engineering safety.
Qualifications:
Desirable Qualifications:
• Degree level education or equivalent experience, ideally in science, engineering, technology, computing, cyber security or a related field,
• Qualifications and certifications from information security bodies such as: GIAC, ISC2, ISACA, ISA, CompTIA.
Skills:
• Analytical thinking, identifying many possible causes for a problem based on prior experience and current research,
• Highly effective written and verbal communications, employing appropriate methods of persuasion when soliciting agreement and demonstrating both empathy and assertiveness when communicating a need or defending a position,
• Selecting security controls with meaningful measures to monitor their effectiveness and identify improvements.
Be able to:
• Understand infrastructure, application and enterprise designs,
• Troubleshoot issues and apply logical and practical problem solving,
• Make accurate and independent analytical judgments regarding security designs,
• Maintain excellent stakeholder management and build strong relationships,
• Present and engage with large groups as well as end users and senior stakeholders,
• Swiftly build an understanding of a business area,
• Plan and prioritise multiple workstreams in response to rapidly developing and changing workloads,
• Identify, understand, articulate & record risks,
• Demonstrate hands-on and theoretical experience in Operational Technology and accompanying industrial control systems (PLCs, HMIs, SCADA and DCS) and industrial networks.
Experience:
• The project delivery and operational lifecycle of Operational Technology systems,
• Time critical, complex and technical environments including safety related systems,
• Creating and reviewing technical engineering designs,
• Creating and reviewing standards, processes and architectural patterns,
• Requirements definition, design and testing.
Desirable experience in:
• Working with different security technologies,
• Applying security by design and defence in depth,
• Creating and presenting cyber security reports and recommending solutions,
• Successfully engaging with internal stakeholders and third parties to achieve business objectives,
• Delivering cyber security in a large organisation,
• Risk identification, assessment and treatment,
• Delivering and leading technology projects and initiatives,
• Planning and coordinating cyber security testing,
• Undertaking assessments / audits of systems.
Closing date for applications: Sunday 9th January 2022 @ 23:59
Security Clearance
This role requires a minimum of BPSS and CTC security clearance; however, the required level of clearance may change. Should an offer of employment be made, continued employment is subject to you obtaining the required level of clearance and maintaining this throughout your employment.
Inclusivity statement
We are committed to equality, diversity and inclusion. We want to have a workforce that is truly representative, at all levels, of the city we serve. We welcome applications from all people to ensure we have diversity in background, thought and experience. This will enable us to become a more innovative and efficient organisation and help us meet the needs of our customers.
Our goal is to make our recruitment practices as bias-free and inclusive as possible. We are a disability confident employer who guarantee an interview to any disabled candidate who meets all of the essential criteria.
We also use anonymising software that removes identifying information pertaining to your protected characteristics such as your name, gender, faith, ethnicity, disability status, age, sexual orientation, from CVs and cover letters to make the shortlisting process fair. When applying for this role, please make sure your application clearly outlines your relevant skills, knowledge and experience, detailing in each previous job what you were responsible for, what you delivered and what your achievements are.
Additional Information
Please note that you must apply by using your CV and a covering letter. Please think carefully about the skills, knowledge and experience outlined in the job description and ensure your CV reflects the requirements of the role.
Due to the pandemic, we’re conducting interviews by MS Teams; however, the usual interview preparation tips still apply.
We will endeavour to give candidates as much notice as possible; however, some interviews/assessments will be organised at short notice and will require a degree of flexibility.
Benefits
In return for your dedication and expertise, you will enjoy excellent benefits and scope to grow. Rewards vary according to the business area and role, but may include:
• Final salary pension scheme
• Flexible working with a great work/life balance
• Free travel for you on the TfL network
• A 75% discount on National Rail Season Ticket and interest free loan
• 30 days annual leave plus public and bank holidays
• Private healthcare discounted scheme (optional)
• Tax-efficient childcare payments
• Tax-efficient cycle-to-work programme
• Retail, health, leisure and travel offers
• Discounted Eurostar travel
Crime & Disorder Statement
It is a statutory requirement for all departments in TfL to follow Section 17 of the Crime and Disorder Act 1998.
Section 17 requires authorities to consider the likely effect on crime and disorder and community safety in all that they do, and take action to prevent crime and disorder, substance misuse, anti-social behaviour and behaviour that adversely affects the environment.
TfL has voluntarily been committed to following Section 17 since 2006, but we must all make sure that it is considered in decision making, policies and procedures in the same way that equality and health and safety are.
Health & Safety Statement
All employees have a general duty in law to take reasonable care for the health and safety of themselves and of other persons who may be affected by their acts or omissions.
All employees must understand and be committed to Transport for London’s Health and Safety Policy statement and the Company’s safety priorities and be aware of their contribution to such priorities.
All employees must also be aware of and comply with the current health and safety legislation and other Company requirements that are relevant to their job.
Job ID: 49934