Information Security Lead

Be among the first applicants.
NHS
Blackpool
GBP 29,000 - 34,000
3 days ago
Job description

FCMS, a social enterprise providing health and wellbeing services, is seeking a dedicated and forward-thinking Information Security Lead to strengthen information governance and data protection across the organisation. We're looking for somebody passionate and proactive who can champion a positive and secure culture, and who can also provide professional challenge where required, offering solutions drawn from their knowledge, skills and experience, or seeking them out.

Hours: 37 hours per week, Monday-Friday 9am-5pm (with some evening and weekends required for training delivery across sites and services)

Salary: £29,540 - £33,391 per annum - depending on experience and qualifications

Main duties of the job

The post requires the ability to link together many different compliance elements within a dynamic and fast-paced environment, in order to deliver exceptional care to our patients, who are the central focus of all that we do.

This role is a key part of our Quality & Risk Team and central to maintaining the integrity, safety, and resilience of our clinical and corporate systems. This is a pivotal role that blends leadership with hands-on influence, empowering staff and managers to embed a strong security culture while keeping our digital landscape safe and resilient.

This is more than just your average IT/IG role - this is about safeguarding the trust that underpins every patient interaction!

About us

The ethos of FCMS as a social enterprise and health and wellbeing services provider is to be passionate in its drive to ensure that patients and callers remain the central focus of all that it does. Coupled with excellent, well-established clinical governance systems and highly effective operational expertise, this has given the company the ability to strategically envision, develop and implement award-winning services.

Over many years we have invested in our staff so that we have a core team of highly trained individuals who can manage the needs of our patients and callers. Our staff are able to significantly improve the service delivery and user experience due to their considerable experience and commitment to what they do.

Job responsibilities

Key duties and Responsibilities

As our Information Security Lead, you'll be at the forefront of driving a security by design mindset across all teams. You will be responsible for:

  1. Training & Culture: designing and delivering engaging data security training and driving initiatives for staff and managers. You'll be a coach instilling best practice in a way that sticks, adapting your style to the audience, so that data security awareness becomes part of everyday working culture.
  2. Information Governance and Data Protection: designing and chairing information governance and information asset owner working groups, including agenda creation, minutes, action plans and reports. Implementing and overseeing policies and frameworks that ensure data is handled responsibly, legally and securely in line with NHS, ICO and regulatory standards, and coaching and supporting IG champions. Providing assurance and evidence to support completion of the NHS Data Security and Protection Toolkit (DSPT).
  3. Cyber Security Assurance: conducting regular risk assessments, audits and reviews to identify vulnerabilities and strengthen our defences, whether they lie in digital systems, processes, people or environments. Supporting FCMS's vision of further developing our digital landscape and the future of health systems as the world moves towards AI and cloud-based products, by providing compliance monitoring, reports and recommendations. Supporting work towards Cyber Essentials certification for any in-house elements outside the outsourced ICT services.
  4. Internal ICT Oversight: managing relationships with the outsourced ICT service providers who supply our ICT infrastructure, networks, cyber division and ICT helpdesk, ensuring ICT services meet FCMS's security, performance and user experience expectations. You will be the conduit between external ICT services and FCMS, escalating any issues that arise and seeking the key assurances and KPIs required for data protection and cyber assurance, using frameworks such as the NHSE DSPT, and overseeing the SLA. You will manage all ICT equipment requests and the procurement systems and processes (IT, telephony), manage ICT stock on delivery and the logistics of distribution and installation, and work towards streamlining ICT solutions for end-user ease. You will maintain and support the development of asset registers. You will develop a robust system of policy-based access controls, working with external ICT services and internal departments so that a robust and secure starter and leaver process is in place across FCMS. You will help FCMS fully understand our complex ICT infrastructure, including network perimeters and security architecture, so that we are always on the front foot when setting up any new systems or services across locations, taking a proactive approach to building and supporting our digital landscape.
  5. Incident Response & Resilience: reviewing data and security breaches or incidents in a timely manner, supporting teams in any investigations required and producing reports as needed. Shaping our response protocols and business continuity plans, testing them, and supporting services with BCP and incident response so we are always ready for the unexpected!

Other duties:

This job description will be periodically reviewed in the light of developing work requirements. This is an evolving role and these duties are therefore not exhaustive. The role may change via discussion between the post-holder, line managers and relevant others, and the individual in post will be expected to contribute towards that revision. The post holder will additionally be expected to cover the reception desk and administration tasks of Newfield House during sickness and annual leave, and to carry out any other duties as required and delegated by the Head of Quality and Risk.

General:

To take responsibility for all matters under the umbrella of Quality and Risk, maintaining an understanding of working practices and always complying with local safety policies and procedures. To observe national and local policies and procedures in respect of: health and safety, fire and electrical safety, data security and GDPR, counter fraud, Basic Life Support, safeguarding and infection control. The post will primarily be based at Newfield House, Blackpool, and there is a requirement to travel to other sites to deliver training or help resolve issues in an out-of-hours setting (evenings and weekends), as required. All mandatory and additional training must be kept up to date as a requirement of this role, and further training will be required for this post.

What You'll Bring:

  • Confidence in training and communicating with non-technical audiences
  • Strong knowledge of GDPR, NHS data security requirements, and cyber security principles and able to champion good practices in a way that people can easily understand and apply day-to-day
  • Proven experience in information security, data governance, cyber security, or a similar field
  • A practical understanding of cyber risk management and assurance methodologies
  • Ability to work across teams, bridging the gap between IT, compliance, and business functions
  • Familiarity with regulatory frameworks (e.g. ISO 27001, GDPR, NCSC, or similar)
  • Experience overseeing outsourced IT service providers and liaising with other third parties
  • Relevant certifications (e.g. CISSP, CISM, ISO 27001) are a plus but not essential if your experience shines through
  • Willingness to attend relevant study/induction days, seminars, courses etc. for individual development and for the benefit of the organisation

Our key expectations are:

  • Self-awareness: living authentically
  • Adaptability: being ready to adjust depending on the situation
  • Openness: what you see is what you get
  • Positivity: with a real sense of being able to strive for the impossible
  • Generosity of spirit: every day should be an opportunity to act with kindness
  • Ability to have fun: taking the role seriously, whilst being yourself

Disability Confident Employer

As users of the Disability Confident scheme, we guarantee to interview all disabled applicants who meet the minimum criteria for the vacancy.

DBS - This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as the CRB) to check for any previous criminal convictions. This will require three forms of valid ID to be produced and verified. The onboarding process is also subject to an Occupational Health check, suitable professional references and eligibility to work in the UK (with the requirement to provide relevant documentation as evidence).

The organisation is committed to safeguarding and promoting the welfare of children, young people, and vulnerable adults and expects all staff to share this commitment. You will be expected to fulfil your mandatory safeguarding training at the level applicable to this role.

We reserve the right to close this vacancy early if we receive sufficient applications for the role. Therefore, if you are interested, please submit your application as early as possible.

Person Specification

Qualifications

  • 5 GCSEs at grades A*-C including English Language, or equivalent training, or a management or healthcare-related qualification (relevant experience or qualifications required)
  • Project management
  • Strong knowledge of GDPR, NHS data security requirements, information governance, and cyber security principles
  • Extensive knowledge and understanding of information security principles and practices
  • Attention to detail and a process-driven approach; understanding of own behaviour and skill set; able to organise own workload
  • IT skills; enjoys networking and forming new relationships
  • Challenges the norm; calm under pressure
  • Strong analytical skills
  • Knowledge of data protection, GDPR, and information governance
  • Proficient in the use of a PC, including email, word processing and spreadsheets
  • Excellent communication skills and a high level of diligence
  • Negotiation and influencing skills.
  • An IT whizz
  • Knowledge of cyber security frameworks in a healthcare environment, particularly data protection, Subject Access Requests, IG toolkits and the DPA/GDPR

Other

  • Self-motivation
  • Confidentiality
  • Flexibility
  • Pragmatism
  • Initiative
  • Curiosity

Specific Job Requirements

  • Prepared to develop and learn new skills
  • Willing to work towards frameworks and qualifications
  • Prepared to undertake formal workshop training/qualifications
  • Manual handling tasks required: taking office/IT deliveries, organising and distributing stock and inventories, organising filing and archive record systems, and disposing of old equipment/items
  • A driving licence, for cross-site working

Experience

  • Proven experience in information security, data/information governance, cyber security, or a similar field and experience of cyber risk management and assurance methodologies
  • Communicating with non-technical audiences with self-awareness and emotional intelligence, adapting styles as required
  • Experience of working with IT systems
  • Experience overseeing outsourced IT service providers and liaising with other third parties
  • Experience of implementing & monitoring processes
  • Demonstrated ability to operate in an environment of fast-paced change.
  • Demonstrated ability to meet deadlines, schedules, set goals/objectives
  • Able to demonstrate effective partnership/team working but also experience of working well on your own initiative.
  • Problem-solving
  • Ability to work across teams, bridging the gap between stakeholders and functions
  • Experience working within regulatory data security frameworks (e.g. GDPR)
  • Experience working with Microsoft 365 products
  • Chairing meetings and confidence in delivering training in a dynamic and engaging way
  • Experience of working within a healthcare environment.
  • Experience of Cyber Essentials or ISO 27001 or have worked towards accreditation
  • Analysis and report writing skills
  • Experience of setting up internal reporting systems such as information trackers, performance reports, cascade systems etc.
  • Experience delivering training and conducting audits
  • Experience in writing policies and guidance

Disclosure and Barring Service Check

This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as the CRB) to check for any previous criminal convictions.

£29,540 to £33,391 a year, depending on experience and qualifications
