OT Security Risk Manager

Warwick 50K - 60K Permanent

Job Reference: BBBH62292_1713456418

The purpose of this post is to lead the Security Risk Team to ensure that the cyber and physical risks facing the business are assessed and that data is available to inform business-level and Exec decision-making. The scope includes (but is not limited to) Operational Technology (OT) and associated IT environments comprising:

  • Control centres
  • Optel Network & Services
  • Critical data centres
  • Substations


The focus is on the critical systems that support the operation of the essential service of electricity transmission across England and Wales and that form the scope of NIS Critical Systems.

The role is responsible for setting the strategy and leading the formation of a consistent cyber risk management framework. The framework will ensure that risks are understood by stakeholders, are documented and assessed, and that appropriate risk mitigation strategies are in place.

The role will lead the engagement on the Cyber Risk Framework with senior leadership, group security and external bodies including Ofgem, DESNZ and NCSC.

You will lead a team of specialists, collaborate with cross-functional teams, and implement risk management strategies tailored to the unique cyber challenges.

Key stakeholders will include:

  • Control & Cyber Strategy NIS system leads.
  • ET Asset Operations (AO)
  • Global Strategic Risk group, which provides a risk framework for high-level risks


This role will:

  • Ensure a regular cadence for OT Cyber risk capture, appraisal, and assessment for NIS critical systems.
  • Ensure there is consistent documentation and justification of NIST CSF control process maturity and coverage for these systems.
  • Ensure improvement plans are underpinned by comprehensive risk registers that quantify the gaps in the controls supporting our NIS critical environment.
  • Take a lead in ensuring our regulatory submissions have strong risk-based justifications so that our improvement plans are financed.


Key Accountabilities include:

  • Defining the OT Cyber Risk Framework.
  • Driving a consistent approach to the capturing, recording and management of OT Cyber Security risks across the business.
  • Taking a lead in OT Cyber Risk Management Governance Forums.
  • Collaborating with Group Security to ensure the OT Risk Framework aligns to and supports group strategic risk assessments.
  • Leading the business to deliver frequent risk assessments for approval by the supported business functions and the Control & Cyber Strategy Manager, ensuring registers are maintained and amended as required.
  • Leading and managing a team of Operational Technology Cyber risk specialists who will conduct risk assessments of NIS Critical systems.
  • Ensuring risk assessments are resourced appropriately.
  • Leading the development of risk assessment processes for ET NIS critical system-level risks.
  • Ensuring risk assessments are completed according to agreed processes and to the timescales demanded by the risk assessment programme, and supporting Group Security's strategic risk assessment processes.
  • Directly supporting selected risk assessments as required.
  • Ensuring data resulting from risk assessments is shared with the Control & Cyber Strategy team, Cyber risk governance forums and senior managers as required, in accordance with agreed processes.
  • Working closely with leadership to report on risk posture, metrics, mitigation strategies and investment priorities.


Experience

  • Demonstrable experience utilising risk assessment methodologies (e.g., NIST 800-30, ISO27005, IEC 62443, FAIR).
  • Demonstrable experience working with industry best practices and security control frameworks (e.g., NIST 800 53, ISO 27001, IEC 62443, NIST CSF, NCSC CAF).
  • Demonstrable experience implementing security risk management frameworks (e.g., NIST 800-39, 800-37).
  • Ability to communicate complex messages both orally & in writing using quantitative & qualitative measures to senior leaders across the business.
  • Confidence to challenge, take ownership of complex challenges, lead risk assessments, agree and build future improvement plans.
  • Moderate understanding of ICS/SCADA (e.g., IEC 62443 framework).
  • Understanding of UK Network & Information Systems (NIS) Regulations desirable.
  • Communicating complex messages both orally & in writing using quantitative & qualitative measures.
  • Experience with MITRE ATT&CK desirable.
  • Able to operate as a highly independent, motivated worker and as part of a strong team with a collaborative approach, delivering high-quality outputs.
  • Previous experience of risk management within an Operational Technology environment.