The role is digital security SME for the Upstream Global Projects Organisation (GPO). The role will encompass acting as primary digital security SME for major projects in GPO, including creating and owning an overall security plan, delivering design consultancy, commissioning and managing assurance activities and advising on all aspects of cyber security risk. It includes the security of both ‘traditional’ IT systems and automation systems (a.k.a. Operations Technology (OT) or process control network (PCN) systems). It requires close working with both IT&S and engineering disciplines supporting the Upstream business, under the overall direction of the Upstream Head of Digital Security & Risk, and with technical direction from the Head of the PCN Security Centre of Excellence.
Within GPO and the businesses it supports:
- Develop and maintain relationships and build trust across stakeholders in IT&S, Engineering and the Upstream business, supporting them in meeting BP’s security requirements for information & IT systems as well as those for automation systems (currently GP 3.5 and GDP 30-60).
- Provide security design consultancy for major projects as a key member of the IT&S project teams supporting them.
- Manage consistency and quality of risk assurance framework engagements, including triage and managed-service delivered outcomes, for projects, assets and suppliers.
- Review, manage and escalate findings & actions from assurance activities.
- Participate as required in major project risk governance, identifying & raising risks, coordinating risk remediation, etc.
- Drive the right security behaviours and awareness within major project teams, in conjunction with the DSR behavioural change team.
- Provide additional security & risk advice and guidance as required.
Candidates should have a good track record in applying information security knowledge and processes to real-world business problems in a complex, global organisation. This should be based on a strong background in automation systems and information security methods, operational risk, or on an intimate working knowledge of a relevant part of the Upstream oil & gas business; ideally, all three. It should include experience of applying a formal risk assessment process.
Key competencies are:
- Business Risk Management – Able to apply risk management practices to ensure that digital security and IT operational risks are identified and properly managed.
- Being influential – Gravitas and confidence to drive change. Excellent communications skills including the ability to explain technical issues in business language.
- Working with Autonomy – Ability to deal with a broad set of activities across a broad stakeholder group and manage ambiguity well.
A good degree in a numerate or scientific discipline is advantageous but not essential.
External accreditation in both information and automation systems security, as recognised by the IT&S Information Security & Risk Profession (e.g. CISM, CISSP, M.Inst.ISP in information security; GICSP in automation systems security) is highly desirable.