Information Security Risk Manager – External Assurance

Rothesay is the UK’s largest pensions insurance specialist, purpose-built to protect pension schemes and their members’ pensions. With over £68 billion of assets under management, we secure the pensions of more than one million people and pay out, on average, approximately £200 million in pension payments each month. Rothesay is dedicated to providing excellence in customer service alongside prudent underwriting, a conservative investment strategy and the careful management of risk. We are trusted by the pension schemes of some of the UK’s best known companies to provide pension solutions, including British Airways, Cadbury, the Civil Aviation Authority, the Co-Operative, Morrisons, Smiths Industries and Talent.

At Rothesay, we are striving to transform our industry. We believe deeply in creating real security for the future and our leadership in finding new and better ways to do that is the key to our success. To do that, we need the very brightest original thinkers to bring creativity as well as rigour. Rothesay is a rewarding place to work, where quality people can thrive and prosper. We pride ourselves on the connections our people build, many of whom have been with us for over ten years.

Job Title: Information Security Risk Manager – External Assurance
Contract: Permanent

Rothesay is investing heavily in a modern, secure, cloud-native technology stack, backed by executive sponsorship and a multi-year strategic transformation. As part of this journey, we’re expanding our Information Security team to embed security and good risk management into every component of the stack.

This is an opportunity to join a high-impact Information and Technology Risk Management team helping drive strong security practices in our business and with our strategic partners. If you are passionate about securing integrated systems spanning a multiple firms and providers, building relationships across security teams to achieve mutually secure environments, and designing complex recovery plans including multiple organisations, we want to hear from you.

What you’ll do:

You’ll be a member of the Information and Technology Risk Management team, working with a team of experts to drive assurance and risk management activities across the firm.

Your primary focus will be managing our external assurance practice. Your responsibilities will include:

• Collaborate, build relationships with security teams at our important vendors, and work towards best-in-class mutual security. Design and lead activities such as joint incident response testing.
• Build a strong understanding of how 3rd party systems are used to deliver services to Rothesay pension holders, how they integrate with Rothesay systems, and how to secure the combined systems.
• Contribute to strategic business programs, supporting the business in securing the technology partners it chooses to deliver products and services to our stakeholders.
• Manage an outsourcing arrangement with a vendor who performs security reviews at 3rd parties. Review and challenge assessments the vendor has performed.
• Perform thematic security reviews in relation to vendor and Rothesay systems e.g. SaaS and API security. Report issues identified and recommendations to senior management.
• Build and maintain lightweight processes to ensure new features in vendor systems are identified and evaluated before use.
• Produce (and automate) regular information security reporting dashboards, KPIs, KCIs, and reporting packs for security topics.
• Contribute to the evaluation of security of Artificial Intelligence (AI) internally and in vendor products, and review whether Rothesay uses AI securely and responsibly.

The role is essential for ensuring implementation of the firmwide strategy within the Information Security team.

Other activities include project management, accurately and convincingly representing technical risk and security priorities, measuring key indicators, improving awareness of good security practices, and reporting.

What we’re looking for:

Required:

• Excellent knowledge of information and cyber security, networks, Cloud, and Internet technologies e.g. encryption, APIs and authentication techniques.
• Solid understanding of security in an environment leveraging 3rd party systems.
• Ability to build strong relationships with peers and at key vendor partners.
• Experience in scoping and performing thematic security reviews in relation to Internet based systems e.g. SaaS authentication.
• Adequate knowledge of security risk management e.g. determining impact, likelihood and compensating controls.
• Ability to develop security standards and guidelines based on best practices, regulatory requirements, and industry standards.
• Broad knowledge of information security controls and good practices (experience with the NIST publications and specifically CSF2 would be advantageous).
• Broad knowledge of modern Artificial Intelligence (AI) systems and security topics e.g. prompt engineering.
• Project management abilities (experience with the Atlassian suite of products would be advantageous).
• Strong oral and written communication skills, e.g. engaging workshop facilitation, high quality report writing, etc.
• Experience in information security risk management at a financial services institution would be advantageous.
• Ability to multi-task and manage multiple priorities.

Desirable:

• 5 or more years’ experience in information security aligned roles (e.g. Business Information Security Officer).
• Certification in Cyber Risk and Information Systems such as CISA or CRISC or equivalent (not required but desirable).
• Advanced security certifications such as CISSP or equivalent (not required but advantageous).
• Degree, diploma, or equivalent experience in a technology related field such as Computer Science or Information Sciences (not required but advantageous).

We’re not just looking for someone to implement controls — we’re looking for someone who wants to influence how we build securely, empower vendor owners to have productive conversations about security, and help shift security left in a meaningful, pragmatic way.