Job Description

Are you ready to make a real impact in cyber security? We’re looking for an experienced Senior Information and Cyber Security Officer to join our Digital Risk and Security branch at Social Security Scotland. In this key role, you’ll help drive our Security Risk and Assurance programme and strengthen our governance, risk management, and compliance frameworks.

You’ll work at the heart of our security function—partnering with the Cyber Security Risk and Assurance Manager and contributing to the ongoing development of our governance, risk, and compliance capabilities across the organisation.

The ideal candidate can:

• Apply deep expertise in governance, risk management, and assurance, using ISO 27001, NIST 800‑53, GDPR, and DPA 2018 to strengthen organisational security.
• Identify, analyse, and mitigate cyber risks, giving stakeholders clear, actionable advice that enables well‑informed, auditable decisions.
• Engage and influence stakeholders, lead policy, compliance, and third‑party assurance activities, and drive the maturity of security frameworks and the ISMS.
• Contribute to security projects, build security awareness across the organisation, and support incident response to contain and resolve threats.

Responsibilities

• The Senior Information and Cyber Security Officer identifies, understands and mitigates cyber-related risks. They provide risk or service owners with advice to help them make well informed risk based decisions.
• Independently undertake risk management activities within a given area of practice or expertise, usually within established security and risk management governance structures.
• Lead the analysis and derivation of business-supporting security needs, undertake Cyber Security related risk assessments, conduct tailored threat assessment and other risk management activities, and ensure activities are consistent with applicable regulations and legislation.
• Provide tailored advice to a range of stakeholders on how to remedy identified risks by proportionately applying security capabilities, using published guidance, standards, and drawing on a range of experts as well as personal expertise.

• Provide expert security advice that highlights Cyber Security related risks, so risk or service owners can make well-informed and auditable decisions.

Security Leadership & Governance

• Serve as a key point of contact for security advice and guidance.
• Lead security governance groups to promote and maintain strong security practices.
• Help maintain the organisation’s desired cyber security posture in line with its risk appetite.
• Provide leadership and guidance to a small team of security professionals to ensure high quality service delivery.

Risk Management & Compliance

• Identify, assess, and manage cyber threats and risks to protect organisational assets.
• Conduct compliance audits to ensure adherence to internal and external security requirements.
• Perform internal and external security assessments to evaluate controls and drive continuous improvement.
• Support teams in identifying vulnerabilities, conducting risk and impact assessments, and implementing protective actions.

Policies, Standards & ISMS

• Develop and maintain information security policies, procedures, standards, and guidelines.
• Provide guidance to support the effective adoption of security policies and standards.
• Support and enhance the organisation’s Information Security Management System (ISMS).

Third Party & Supplier Assurance

• Work with third parties to obtain independent assurance on the effectiveness of security controls.
• Oversee third party security by assessing supplier controls and ensuring compliance with organisational requirements.

Security Projects & Consultancy

• Lead the design, procurement, and implementation of security projects to strengthen the organisation’s security posture.
• Deliver specialist security consultancy to support successful project outcomes.

Awareness & Incident Response

• Contribute to the development and delivery of a security awareness programme that strengthens the organisation’s security culture.
• Support incident response activities to contain, investigate, and resolve security incidents.

Success Profiles 
We use an assessment framework called ‘Success Profiles’ which lists the elements we test and provides detailed descriptions of each. Find out more about the framework here

For this post, the following Success Profile elements will be assessed:

Essential Experience

1. In-depth knowledge of information security standards like ISO/IEC 27001 and NIST SP 800-53, combined with understanding of current legislation such as DPA 2018 and GDPR. Proven ability to interpret and apply these standards and legal requirements to ensure compliance and integrate best practices into organisational operations.
2. Comprehensive understanding of internal and external information security risks, and proficiency in identifying, assessing, and implementing administrative, physical, and technical controls to mitigate these risks effectively.

Behaviours

• Leadership – Level 3
• Delivering at Pace – Level 3

You can find out more about Success Profiles Behaviours here: Success Profiles - Civil Service Behaviours (publishing.service.gov.uk) 

Technical / Professional Skills: 
This role is aligned to Lead Cyber Security Risk Manager within the Digital, Data and Technology Profession.

These skills will be tested during the Technical Assessment if you are successful at sift stage. They will be not be assessed at application stage. Please review the following to understand the skill expectations: Cyber Security Risk Manager - Cyber security: advisory - gov.scot

How to Apply 
Apply online, providing a CV and Supporting Statement (of no more than 750 words) which provides evidence of how you meet the experience and behaviours listed in the Success Profiles above. Be sure to provide specific examples of work that you’ve done that showcase your relevant experience.

Artificial Intelligence (AI) tools can be used to support your application, but all statements and examples provided must be truthful, factually accurate and taken directly from your own experience. Where plagiarism has been identified (presenting the ideas and experiences of others, or generated by artificial intelligence, and presented as your own) applications will be withdrawn and internal candidates may be subject to disciplinary action.

Please see our candidate guidance for more information on acceptable and unacceptable uses of AI in recruitment

Should a large number of applications be received, an initial sift may be conducted using the CV and Supporting Statement on the first Experience criteria. Candidates who pass the initial sift will have their applications fully assessed.

Candidates who are successful at sift stage will be invited to attend an Interview and Technical Assessment. The interview will further assess the Experience and Behaviours listed in the job advert and the Technical Assessment will evaluate the Technical Skills relevant to the role.

Candidates who pass the sift and are invited to the Interview and Technical Assessment stage will receive a Technical Assessment Candidate Pack, which will outline the skills to be assessed and the assessment methods to be used.

Following the application sift, there may be a telephone interview as part of the assessment process before the main interview.

We aim to provide feedback on request. However, if we receive a large number of applications it may not be possible for us to provide specific feedback on your application. We will provide feedback on request to candidates who attend an interview/assessment.

Information Session
We are holding a candidate information session for this role to provide you with information about the application and interview process as well as further information on the role and team.

The session will be held on Thursday 9th April at 12:30 pm – 1:30 pm

We will be talking about:

• The Senior Information and Cyber Security Officer role and team
• About Social Security Scotland
• Our recruitment process
• Q&A with the hiring manager

Please join us using the link below to find out more about the role and working for Social Security Scotland:

Join the meeting now

Expected Timeline (subject to change)
Sift – w/c 20th April
Interview – w/c 4th May
Location – In Person in either Dundee or Glasgow

Reserve List 
In the event that there are more successful candidates than posts available, a reserve list will be kept for up to 12 months. 

About Us 
Social Security Scotland is an Executive Agency of the Scottish Government. Our benefits help people from all walks of life in Scotland. We offer rewarding careers and employ people across Scotland in a wide range of professions and roles. We are committed to recruiting a diverse workforce that is representative of the clients we serve.  Find more about us here  

We offer a supportive and inclusive working environment along with a wide range of employee benefits. Find out more about what we offer 

As part of the UK Civil Service, we uphold the Civil Service Nationality Rules   

DDaT Pay Supplement
This post is part of the Scottish Government Digital, Data and Technology (DDAT) profession and as a member of the profession you will join the professional development system. This post currently attracts a £5,000 annual DDAT pay supplement, applicable after a 3 months competency qualifying period. The payment will be backdated to your start date in the role. Pay supplements are reviewed regularly and there is one currently underway. Changes will be communicated when the review is concluded.

Working Pattern 
Our standard hours are 35 hours per week and we offer a range of flexible working options, depending on the needs of the role. We embrace a hybrid working style where all colleagues will spend time in either our Glasgow or Dundee offices. There is an expectation of a minimum 2 days per week in your assigned location, which will be either Glasgow or Dundee.  If you have specific questions about the role you are applying for, please contact us. 

Security Checks
Successful candidates must complete the Baseline Personnel Security Standard (BPSS), before they can be appointed. BPSS is comprised of four main pre-employment checks – Identity, Right to work, Employment History and a Criminal Record check (unspent convictions).

This post also requires the successful candidate to clear additional National Security Vetting clearance (Security Check) before a start date can be offered. Further information regarding BPSS and National Security Vetting clearance can be found here -  National security vetting: clearance levels - GOV.UK

Equality Statement 
Social Security Scotland are committed to equality and inclusion, and we aim to recruit a diverse workforce that reflects the population of our nation.   

Social Security Scotland are a Disability Confident Employer. We will consider and implement any reasonable adjustments you may require throughout the recruitment process and during the course of your employment, should you be successful in securing a post. If you feel you may require assistance with any part of our recruitment process, please contact us at Recruitment@socialsecurity.gov.scot.

Find out more about our commitment to diversity and how we offer and support recruitment adjustments for anyone who needs them.

Right to Work in the UK
Social Security Scotland is an approved sponsor under the UK Visa and Immigration (UKVI) Skilled Worker route. Please note that UK immigration guidance, including skill and salary thresholds and eligible occupations, is reviewed regularly and subject to change. If you require visa sponsorship, you should check the latest criteria to confirm whether this role meets current requirements before applying. You can find further advice on Gov.UK - Skilled Worker visa: Overview - GOV.UK

Further Information
The successful candidate will be expected to remain in post for a minimum of 3 years unless successful in gaining promotion to a higher Band or Grade.

Social Security Scotland’s recruitment processes are underpinned by the recruitment principles of the Civil Service Commissioner, which outline that selection for appointment be made on merit on the basis of fair and open competition - Recruitment - Civil Service Commission (independent.gov.uk)

If you feel at any time your application has not been treated in accordance with the values in the Civil Service Code and/or if you feel the recruitment has been conducted in such a way that conflicts with the Civil Service Commissioner’s Recruitment Principles, you can make a complaint, by contacting Social Security Scotland at recruitment@socialsecurity.gov.scot in the first instance. If you are not satisfied with the response you receive you can contact the Civil Service Commissioner.

Find out more about our organisation, what we offer staff members and how to apply on our Careers Website 

Read our Candidate Guide for further information on our recruitment and application processes. 

If you experience any difficulties accessing our website or completing the online application form, please contact the Resourcing Team via recruitment@socialsecurity.gov.scot    

Apply before 23:55 on 16th April 2026

Contact Name - Resourcing Team 
Contact Email – Recruitment@socialsecurity.gov.scot