Head of Cyber & IT Security

Mersey Care NHS Foundation Trust
£56,164 to £65,262 per annum
Closing date
30 May 2023

Other Health Profession
Band 8B
Contract Type
Full Time
Job summary

Have you got what it takes to shape the future of Cyber security for our service users and colleagues?

We are looking for an IT/Cyber Security expert who can design and deliver our Cyber security strategy, leading and inspiring a growing team of Cyber security professionals to deliver benefits to colleagues, customers, and service users.

As a member of the Operational Management Team, you will be in a position to shape and influence the cyber agenda. Your technical expertise and ability to effect change in often complex environments will be critical to our success.

Shortlisting date is planned for 2nd June 2023

Interview date is planned for 9th June 2023

Main duties of the job

  • To be responsible for the leadership and effective management of the information security management system across all associated partner organisations and Informatics Merseyside, ensuring the protection of all data held within the organisations and third parties.
  • To lead and manage Information Governance and Data protection functions for the partner organisations to achieve the highest standards of information security, emphasising data protection issues.
  • Be responsible for the development of all aspects of Security strategies, from short- to long-term, linking into regional and national requirements.
  • Manage partner organisations' Electronic Information Asset Registers to include auditing of all information systems, providing a significant level of assurance.
  • Maintain, improve, and disseminate knowledge of Data Protection relating to Information Security issues throughout IM and partner organisations.
  • To provide evidence for the achievement of Information Governance Toolkit standards in relation to Data Protection, Confidentiality, Information Security and NCSC, which informs the 'Standards for Better Health' for the partner organisations, with the support of IM and partner organisation teams.
  • To have an in-depth understanding of, and adhere to, all informatics policies and all general partner organisation policies.
  • To ensure robust systems are in place for monitoring data protection and information security incidents.

About us

Founded in October 2006, NHS Informatics Merseyside is an established NHS digital technology organisation based in Merseyside, North West England.

The IT Security team has grown over the years in terms of both the scope/variety of work and the number of team members (currently 7).

We are a close-knit team that enjoys sharing ideas and expertise to meet the daily challenges of managing risks and Cyber threats.

Job description

Job responsibilities

Key Responsibilities
  • Act as the subject matter expert in all matters relating to Information Security for IM and all partner organisations, working with departmental representatives to achieve and maintain the Information Security Framework.
  • Conduct Information Security risk assessments on sometimes highly intricate business decisions and systems, and communicate these risks to non-technical leaders in partner organisations.
  • The post holder will have an in-depth, broad understanding of IM&T technologies and specialist knowledge in all areas of technologies such as firewalls, email filters, anti-virus and intrusion detection technologies.
  • To develop information security plans and lead their implementation and integration with wider business continuity plans and IM's IM&T strategies.
  • Responsible for the formulation and development of information security plans and strategies to enable the successful completion and implementation of new systems.
  • Design and maintain the Information Security Framework, Policies, Procedures and Standards of IM and all partner organisations, based upon the requirements of the law, the Information Governance (IG) Toolkit, NHS and industry best practice (e.g. ISO/IEC 27000 series standards, Cyber Essentials). Perform full audits on all new information systems prior to installation. Research and recommend alternative technical solutions where risks are present.
  • Develop information security strategies, roadmaps, business cases and remediation plans.
  • As technology develops the post holder will need to regularly investigate developments assessing them for any potential security risks.
  • Create and maintain specialist Cyber Security Awareness Training for use by IM and all partner organisations.
  • Undertake Privacy Impact Assessment (PIA) process to assess the privacy and data protection impact of new projects and/or third-party services.
  • Coordinate the necessary response and resolution activities following a suspected or actual security incident or breach, keeping the information risk lead (SIRO) and information asset owners (IAOs) informed of security incidents, impacts and causes, resulting actions and learning outcomes.
  • Ensure that all work undertaken for IM and partner organisations, whether in-house or by third parties, adheres to the established IT Security standards.
  • Provide regular assurance reports & presentations to the Senior Information Risk Owner and Head of Information Governance on all information security matters as part of evidence for the IG Toolkit.
  • Investigate information security incidents, where required, or provide subject matter expertise on Information security incidents investigations.
  • Co-ordinate and manage the implementation of security controls to a sufficient quality required for IM and partner organisations to achieve compliance with relevant information security standards (e.g. IG Toolkit, DSPT, DCB1596, CE+ and ISO 27001 / 2002) as well as wider industry best practice.
  • Manage and commission annual penetration tests for the infrastructure of Informatics Merseyside and all partner organisations, providing management responses to testing reports, analysing/interpreting complex information and reporting it in a way understood by the intended audience.
  • Design, develop and maintain Business Continuity plans and carry out desktop exercises to prove the efficiency and accuracy of the plan.
  • Test and provide assurance reports on disaster recovery plans for the IT infrastructure.
  • Provide assistance in developing responses to Freedom of Information requests.
  • To develop Information Governance Toolkit Action plans for IM and partner organisations. This involves the assessment of Trust systems, processes and policies against the toolkit standards, and liaison with staff.
  • To ensure Information Governance toolkits are populated with supporting evidence in order to demonstrate the agreed achievement of specific standards.
  • Provide assessment of information processes for IM and partner organisations to maintain the Trusts' annual Data Protection Registration.
  • To ensure that all information security incidents are recorded and, where necessary, to liaise with the Risk Manager of each partner organisation.
  • Investigate IT security incidents as required; this may involve audit trails, manually checking individual accounts, interviews, and producing system reports regarding the activity. Formally track evidence in the chain of custody.
  • To regularly report on information security incidents to the Trusts' Information Governance Groups.
  • To compose and ensure that Information Governance Policies in relation to information security are implemented, enforced and monitored and ensure all Trusts embrace a culture of confidentiality.
  • To plan and implement a system of full data protection audit within Trusts. This will involve liaison with staff within Trusts and assessing systems and processes against regulations.
  • To report on the results of the data protection audit, making recommendations for improvements. This will involve liaison with senior staff within Trusts.
  • Ensure that data protection and information security training for each Trust is up-to-date and incorporates current Trust policies and practices.
  • Ensure that data protection and information security training is monitored for quality and understanding. This is usually achieved by post-training questionnaires and interviews.
  • To keep abreast of IT Security developments and ensure partner organisations are adhering to national cyber security initiatives and maintain awareness of cyber threat trends.
  • Direct responsibility for the managing, planning, and monitoring of IT & Cyber security services expenditure, providing management oversight of revenue expenditure and providing statistical reporting on the current position as required by the Senior Leadership Team (SLT).

Person Specification
  • Relevant Master's degree or equivalent experience
  • Minimum 3 years' experience in a senior management role
  • Certified Information Systems Security Professional (CISSP) qualification (or working towards), or an equivalent level of system security experience.


  • Formal project management qualification (PRINCE2 or MSP).
  • ITIL foundation

Knowledge/ Experience


  • Substantial NHS management & leadership experience including line-managing staff
  • Significant experience in a technical Information security position including implementation and maintenance of complex security policies & technologies
  • Experience working within a large complex shared service environment
  • Specialist knowledge and expertise in IT systems and infrastructure. This should include knowledge and expertise in design, systems implementation, IT security, IT standards and best practice
  • Wide-ranging knowledge and experience of software packages related to the entire range of IT systems provision
  • Experience in successful collaborative and partnership working and ability to encourage others likewise
  • Significant experience in risk management, business continuity management, procurement, corporate governance and corporate performance reporting principles.
  • Expert knowledge of internet security devices such as firewalls, web proxies, email filters and intrusion detection devices.
  • Experience of being responsible for financial and physical assets, holding and managing budgets, acting as a signatory and authorising the purchase of IM&T equipment


  • Previous experience of managing network, telephony and infrastructure services
  • Experience of clinical practices and working within specialist environments



  • Extremely well-developed interpersonal skills to deal with staff at all levels within Informatics Merseyside, its Partner Organisations and with service providers, service users, and professional bodies outside of Informatics Merseyside.
  • Ability to persuade & challenge senior managers and frontline staff of the importance of successfully and positively managing change
  • Ability to deal with conflict and disagreement on a frequent basis, and to facilitate an appropriate, satisfactory outcome. This will include dealing with disciplinary proceedings as appropriate.
  • Ability to make formal presentations to large groups
  • Ability to negotiate with key stakeholders.
  • Ability to make judgments on multi-stranded or complex information security problems, which may have no precedent or where there are conflicting opinions.
  • Ability to manage numerous conflicting priorities and effective time management
  • Ability to frequently concentrate for prolonged periods of time managing interruptions as appropriate
  • Use of own vehicle and ability to travel across Cheshire & Merseyside as required.