Senior Risk and Controls Consultant

Rothesay is the UK’s largest pensions insurance specialist, purpose-built to protect pension schemes and their members’ pensions. With over £70 billion of assets under management, we secure the pensions of more than one million people and pay out, on average, approximately £300 million in pension payments each month.

Rothesay is dedicated to providing excellence in customer service alongside prudent underwriting, a conservative investment strategy and the careful management of risk. We are trusted by the pension schemes of some of the UK’s best known companies to provide pension solutions, including Asda, British Airways, Cadbury, the Civil Aviation Authority, the Co-operative Bank, National Grid, Morrisons, the Post Office and telent.

At Rothesay, we are striving to transform our industry. We believe deeply in creating real security for the future and our leadership in finding new and better ways to do that is the key to our success. To do that, we need the very brightest original thinkers to bring creativity as well as rigour. Rothesay is a rewarding place to work, where quality people can thrive and prosper. We pride ourselves on the connections our people build, many of whom have been with us for over ten years

Job Title: Information Security Risk Manager – Controls
Contract: Permanent

Rothesay is investing heavily in a modern, secure, cloud-native technology stack, backed by executive sponsorship and a multi-year strategic transformation. As part of this journey, we’re expanding our Information Security team to embed security and good risk management into every component of the stack.

This is an opportunity to join a high-impact Information and Technology Risk Management team helping drive strong security practices in our business and with our strategic partners. If you are passionate about frameworks and controls, working with stakeholders to find practical ways to implement and measure controls, and want to be part of an innovative organisation who wants to be the best information security, we want to hear from you.

What you’ll do:

You’ll be a member of the Information and Technology Risk Management team, working with a team of experts to drive assurance and risk management activities across the firm.

Your primary focus will be managing our Controls practice. Your responsibilities will include:

• Implement the NIST CSF 2 framework at Rothesay, playing a leading role in mapping Rothesay Standards to controls, and working with Technology teams to find practical ways to operate and measure controls across a Cloud-first and everything in code technology stack.
• Represent the Information Security Department at strategic business projects implementing products, systems and vendors. Your role in these projects will be to identify key controls required, support the business in articulating and implementing control, and to coordinate security assessments.
• Contribute to the evaluation of security of Artificial Intelligence (AI) internally and in vendor products, and review whether Rothesay uses AI securely and responsibly.
• Collaborate on and document a comprehensive set of security Standards guiding the implementation of NIST CSF 2 controls throughout the organisation. Socialise and gain support for the standards in Technology functions.
• Identify and implement Key Control Indicators (KCIs) in Rothesay’s Continuous Controls Management system to monitor operation and alert when controls fail. Work with the vendor to create control dashboards regarding themes such as Identify and Access Management, or Ransomware related controls.
• Perform thematic security reviews in relation to control topics. Report issues identified and recommendations to senior management.
• Produce (and automate) regular information security reporting dashboards, KPIs, KCIs, and reporting packs for security topics.

The role is essential for ensuring implementation of the firmwide strategy within the Information Security team.

Other activities include project management, accurately and convincingly representing technical risk and security priorities, measuring key indicators, improving awareness of good security practices, and reporting.

What we’re looking for:

Required:

• Excellent knowledge of information and cyber security, networks, Cloud, and Internet technologies e.g. encryption, APIs and authentication techniques.
• Excellent knowledge of security risk management e.g. determining impact, likelihood and compensating controls.
• Solid understanding of the NIST CSF 2 framework, ISO 27001/2, and other related frameworks e.g. NIST 800-53 and COBIT.
• Experience in finding pragmatic solutions to implementing and measuring control operation.
• Experience in scoping and performing thematic security reviews in relation to various information security control topics.
• Adequate knowledge of modern Artificial Intelligence (AI) systems and security topics e.g. prompt engineering.
• Ability to develop security standards and guidelines based on best practices, regulatory requirements, and industry standards.
• Project management abilities (experience with the Atlassian suite of products would be highly advantageous).
• Strong oral and written communication skills, e.g. engaging workshop facilitation, high quality report writing, etc.
• Experience in information security risk management at a financial services institution would be advantageous.
• Ability to multi-task and manage multiple priorities.

Desirable:

• 5 or more years’ experience in an information security aligned role (e.g. Business Information Security Officer).
• Certification in Cyber Risk and Information Systems such as CISA or CRISC or equivalent (not required but desirable).
• Advanced security certifications such as CISSP or equivalent (not required but advantageous).
• Degree, diploma, or equivalent experience in a technology related field such as Computer Science or Information Sciences (not required but advantageous).

We’re not just looking for someone to implement controls — we’re looking for someone who wants to influence how we build securely, empower vendor owners to have productive conversations about security, and help shift security left in a meaningful, pragmatic way.

Disclaimer This position description is intended to describe the duties most frequently performed by an individual in this position. It is not intended to be a complete list of assigned duties, but to describe a position level.  The role shall be performed within a professional office environment. Rothesay has health and safety polices that are available for all workers upon request.  There are no specific health risks associated with the role.

Inclusion Rothesay actively promotes diversity and inclusivity. We know that our success depends on our people and that by nurturing a culture that values difference, we create a stronger, more dynamic business. We welcome applications from all qualified candidates, regardless of race, colour, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability or age.