Information Security (Infosec) Officer
Country : United Kingdom
Region : London
County : Greater London
Town : London
Category : Logistics
Contract type : Permanent
Availability : Full time
Working in close partnership with the brands, the team strives to be a catalyst for business transformation, showcasing industry-leading technology solutions with the aim of making Arcadia as well known for how it uses technology as its brands are known for their fashion.
The Information Security function is no different. In an almost greenfield environment for security, the team works hard to deliver an effective, business-centric security transformation through collaboration with the technology domains and wider business units, maximising productivity and scalability while developing a strong security posture in line with organisational priorities.
Reporting to the Head of Information Security, you will be helping to deliver the security strategy through governance, risk management, alignment to best practice, project/design security assurance and security operations.
You will use your knowledge and experience, communication skills and creative initiative to develop and maintain strong relationships across the business, from senior leaders to software developers, in order to ensure compliance with best practice through guidance and consultancy. You will identify, report and advise on emerging risks, and work closely with the third-party Security Operations Centre to manage escalations, threat intelligence and emerging vulnerabilities.
Day to Day
As a Team, working closely with the Head of Information Security, you will be expected to...
- Lead the management of the Security Working Group in a federated model, providing expert assistance and guidance to the Security Champions who hold distributed security responsibilities across the technology domains and varied areas of the business;
- Assist in the management of the Information Security Risk Register in line with the Arcadia Risk Methodology, conducting dynamic risk assessments on emerging situations and reporting accordingly, presenting to the Technology Leadership Team or key stakeholders across the wider business, and advising on risk treatment recommendations;
- Analyse existing business processes and work with the operational teams to develop improved, more secure working practices, solidifying new ways of working through policy and procedure development;
- Lead and coordinate best-practice assessments in line with the ISF Standard of Good Practice and baseline assessments in line with the CIS Benchmarks, collating results and cross-referencing them to the risk register, designing remediation plans and escalating risks where required.
Essential Skills and Experience
- Experience in prioritising information security in line with business objectives, with a broader perspective than compliance and framework implementation alone;
- Hands-on experience with risk management frameworks or a best-practice risk methodology such as IRAM2 or ISO/IEC 27005;
- Excellent verbal communication skills, with the ability to translate technical information into business-relevant terms, to develop and maintain close working relationships, and to present the need for security to all personnel, from senior leaders to specialist roles, in a manner that encourages positive engagement and demonstrates how security improves performance and profitability;
- Excellent written communication skills with the ability to articulate risks in both a technical and business-relevant format, develop training and awareness campaigns in a clear and concise manner, and write policies and procedures in an understandable and unambiguous style;
- Solid theoretical knowledge of OWASP guidance is required; experience reviewing solution designs to identify risks and ensure adherence to secure design principles is desirable;
- Knowledge of penetration testing methodologies and vulnerability management, with the ability (experience preferred) to scope penetration tests and to translate test results or vulnerability reports into remediation plans or entries on the information security risk register;
- Experience in Incident Escalation and Management in any capacity, with knowledge of best-practice Security Incident Management practices;
- A foundational security certification such as CISMP or Security+.
Desirable Skills and Experience
- Hands-on experience with PCI DSS and the ISF Standard of Good Practice;
- Experience with Third Party Risk Management and Supplier Security Agreements;
- Hands-on experience with security analysis tooling such as EDR, NDR, SIEM or SOAR, or network security tooling such as NAC, SWG, SEG or NGFW.
- No particular area of technical security expertise is required, but any of the following is welcome and will be strongly considered: hands-on network security and configuration, penetration testing, hands-on cloud security architecture, intrusion analysis or computer forensics, and security engineering, secure code analysis or DevSecOps;
- Any recognised certification relating to the above areas of technical security expertise;
- A senior security management certification is not required but is welcome and will be strongly considered, including CISM, CISSP, CASP or similar.