Job Specifications
Join us as an IT Security and Information Risk Advisor (SIRA) within Scottish Government’s Cyber Security Unit (NCSR), where you’ll play a key role in protecting our digital services, helping ensure they remain secure, resilient, and well‑positioned to respond to evolving cyber threats.
As a valued member of the team, you will play a crucial role in helping the Scottish Government and service owners develop policy and apply standards, manage cyber and information risk, identify mitigations, and obtain assurance and compliance.
In this role you will help system owners, projects, and procurements understand, assess, and manage cyber and information risks, ensuring systems and data stay secure and compliant. By providing clear, practical advice to support risk-based decisions, you will help build resilience against evolving threats from both inside and outside the organisation.
Responsibilities
Provide advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards.
Carry out assessments to identify and define security requirements that enable business operations, ensure regulatory compliance, and align with strategic objectives.
Undertake cyber security-related risk assessments and business impact analysis, conduct threat assessments, carry out threat modelling, and perform other risk management activities on complex information systems.
Contribute to development of information security policy, standards, and guidelines.
Interpret information assurance and security policies and apply these to manage risks.
Provide advice and guidance to ensure adoption of and adherence to information assurance architectures, strategies, policies, standards, and guidelines.
Provide advice to validate the effectiveness of risk mitigation measures, including an understanding of how to use different assurance activities (such as a penetration test), make recommendations for improvement, and support information assurance assessments.
Communicate with internal and external stakeholders at all levels of technical ability, on high-risk or complex topics or under constrained timescales.
Success Profile
Success profiles are specific to each job, and they include the mix of experience, skills and behaviours candidates will be assessed on.
Experience
Lead Criteria 1: Demonstrable IT‑related knowledge and skills to identify appropriate security solutions, with awareness of how security architecture supports integrated solution design.
Lead Criteria 2: Experience managing internal and external cyber security risks to IT systems, services, and data storage, particularly within digital cloud environments.
Experience advising on security standards (ISO27001, Cyber Essentials, CAF & GovAssure, HMG GovS 007, NIST, PCI DSS).
Experience working across multiple stakeholder groups (including senior officials, customers, suppliers), with good written and verbal communication skills.
Experience is assessed at sift, along with a more in-depth assessment at interview.
Technical Skills
This role is aligned to the Security and Information Risk Advisor and General Security and Information Risk Advisor roles within Cyber Security and Information Assurance.
You can find out more about the skills required, here.
These skills are assessed by technical assessment, designed to represent the role. Candidates reaching this stage will receive a Technical Assessment Candidate Pack which outlines the specific skills to be assessed, plus the method of assessment.
Behaviours
Delivering at Pace (Level 3)
You can find out more about Success Profiles Behaviours, here.
Behaviours are assessed at interview. Full details will be shared in advance with all candidates invited to this stage.
How To Apply
Apply online, providing a CV and Supporting Statement (of no more than 750 words) which provides evidence of how you meet each of the four Experience criteria listed in the Success Profile above.
Candidates will have their applications assessed against all Experience criteria. If a large number of applications are received an initial sift will be conducted on the Lead Criteria highlighted above. Candidates who pass the initial sift will have their applications fully assessed against the remaining Experience criteria.
Artificial Intelligence (AI) tools can be used to support your application, but all statements and examples provided must be truthful, factually accurate and taken directly from your own experience. Where plagiarism has been identified (presenting the ideas and experiences of others, or generated by artificial intelligence, and presented as your own) applications will be withdrawn and internal candidates may be subject to disciplinary action.
Please see our candidate guidance for more information on acceptable and unacceptable uses of AI in recruitment.
If invited for further assessment, this will consist of an in-person interview and DDaT Technical assessment where the behaviours, experiences and technica
About the Company
The devolved government for Scotland is responsible for matters that are devolved from Westminster. Areas of responsibility include the economy, health, education, justice, rural affairs, environment, and transport.