Information Security Risk Analyst (Hybrid)

Centrica · United Kingdom (Remote) · Hybrid

About the job

We are Centrica! We’re so much more than an energy company. We’re a family of brands revolutionising a cleaner, greener future. Working here is #MoreThanACareer - we’re powered by purpose. Together we can make an impact that will truly change tomorrow. Whether you’re developing cutting-edge green tech, helping customers on the front line or simplifying operations behind the scenes.

Your work here isn’t just a job – it’s a mission. We all play a vital role in energising a greener, fairer future.

An opportunity to play your part – As the successful candidate you will join the Centrica Centre of Excellence, focusing on Cyber and Information Security Risk management. Operating as the second line of defence within the Group IT function, Digital Technology Services (DTS), you will facilitate interactions between the team, DTS, and Centrica business units. Your collaborative efforts will ensure that Cyber and Information Security risks are identified and managed to protect Centrica’s customers, data, services, and systems.

You will support the Cyber and Information Security Risk Manager by performing analytical work on Risk Posture and appetite, providing insights to the Board of Directors about current threats and the landscape. Additionally, you will help manage the Technology risk posture for the entire Centrica group. This role involves analysing existing risk mitigation strategies and cyber controls, communicating their effectiveness to the Manager, and suggesting improvements.

Location: UK (talk to us about flexible working)

The day to day

  • Assist in implementing the Information Security risk framework and ensure timely assessment and treatment of security risks, including threat assessments and mitigating controls.
  • Ensure Information Security risks are either treated or accepted in accordance with the risk appetite.
  • Work with the IT teams to identify and assess Information Security risks, including Cyber risks.
  • Ensure periodic Information Security risk assessments of key services, third parties, and regulatory commitments are performed, and remediation plans are monitored.
  • Ensure services are assessed and classified based on their Confidentiality, Integrity, and Availability.
  • Use the output of Information Security risk assessments to identify control gaps and weaknesses and provide direction to strategy and change programs to improve control efficacy.
  • Work with the business units to understand their key Information Security risks and agree on actions to mitigate or monitor and improve their controls.
  • Produce the quarterly IT Risk submission to the business units and work with Group level risk functions on Information Security risk.
  • Inform senior leadership of risks and recommendations in non-technical terms, considering cost/benefit, to ensure the security of Information Systems.
  • Support Legal and Compliance teams, such as Data Protection and Privacy, regarding Information Security risks.
  • Understand the external security environment and emerging trends to support Information Security risk management.

About You –

  • Extensive knowledge of Cyber Security risk assessment methods.
  • Strong knowledge of Information Security technologies, such as identity and access management, encryption, and multi-factor authentication.
  • Proficiency with risk and threat assessments and skill in understanding compensating controls.
  • Understanding of power utilities, retail energy, and oil & gas industry trends and emerging threats would be useful but not essential.
  • Ability to draw upon external networks to understand emerging Cyber Security threats and events.
  • Knowledge of internal and/or external regulatory policies, standards, procedures, and controls (e.g., NIST, ISO27xx).
  • Ability to drive technical consensus and facilitate agreements with challenging stakeholders, establishing collaborative relations across Group and other lines of business.
  • Experience in a Cyber Security risk function would be ideal, otherwise 3 years’ experience within 2nd or 3rd line.
  • Performed Cyber Security risk assessments following an industry framework.
  • Modelled threat scenarios to identify Cyber Security threats arising from new or changing systems and applications.
  • Experience of OT/IoT and Cloud Cyber Security threats, controls, and risks, though not essential.
  • Produced communication material and reporting suitable for CxO level and senior leadership.
  • Produced effective reporting for the CxO level and undertaken briefings with technology and business leaders.

What’s In It For You –

  • Competitive salary and bonus potential.
  • Employee Energy Allowance at 15% of the government price cap.
  • Pension scheme.
  • Company Funded Healthcare Plan.
  • 25 days holiday allowance, plus public holidays, and the option to buy up to 5 additional days.
  • Excellent range of flexible benefits, including technology vouchers, electric car lease scheme & travel insurance.