Blogs from
our Security Team

What’s it like working in cyber security?

Lamisah, Cyber Security Analyst

I’ve always had an interest in technology, but I knew I didn’t want to go
to university after sixth form. So I explored other options and that’s when
I discovered apprenticeships.
My friends all chose to do the traditional university route since there was a whole stigma around apprenticeships that you’re overworked and underpaid. I wasn’t sure if I’d even find an apprenticeship in tech.
After plenty of research I came across the Government Cyber Security apprenticeship. I’d heard of cyber security before but not knowing much about it, I was curious to find out more and I’ve not looked back since.
I’m responsible for protecting the HMRC estate from cyber-attacks through e-mail channels. Once I identify a threat, I quickly ensure it’s isolated, cleansed and blocked. Cyber is a team sport so I also share intelligence with other teams, to strengthen the department’s security collectively. I also help develop phishing simulation exercises to educate staff and raise their awareness of phishing campaigns that they may receive.
Every day is different. Each day I learn about cyber criminals and their numerous attack methods.
As an apprentice, I thought I might have been treated differently but I have always felt included within my team since I joined. My manager is great and is keen to help me develop and grow.
Don’t forget that you’re getting paid too whilst you’re doing your apprenticeship so yes, you’re getting paid to learn. I’m continuously building my knowledge and developing new skills. I have attended training courses, learnt about topics like networking, open-source intelligence and cryptography. I’ve also been able to pick up new skills from my colleagues.
In the future, I hope to continue my security career developing my skills and knowledge through different projects and training courses and maybe gaining more qualifications in the process.

Jordan, Cyber Security Analyst

A few years back I did an HMRC industrial placement as a cyber security analyst. Now having finished university, I work full-time with the team. I was studying Computer Science at Northumbria University and applied to join HMRC on an industrial placement due to my interest in security. Early on I was asked to lead a project to develop a phishing detection tool to find phishing pages before they were ever sent out to the public. The project allowed me to show off my knowledge and I was given time to learn new tooling that I could then implement.
Working as an industrial placement is great for knowledge sharing. The team wanted to learn from what I had learnt at university, while a lot about the working environment and applied skills fed back into my degree. I could reuse many of the skills I had learnt to help with my dissertation, as well as the security-focussed modules.
After finishing my degree, I went straight back to HMRC, as I had enjoyed it so much the first time.
Since re-joining, the training opportunities have been great, I have already been put on two industry-leading courses with one ending in a certification. These cover incident handling, ethical hacking and open source intelligence. Long term I’m looking to get into more training to develop my cyber security skills further and become more well-rounded in cyber security.
Overall, the experience has been very positive, both as an industrial placement and upon my return. I have learnt a lot and have been allowed to develop further with great training opportunities. I’d highly recommend anyone who’s considering an industrial placement to apply for one at HMRC.

What’s it like working in incident response?

Helen, Security Incident and Analysis Manager

I have been a civil servant for over 30 years and spent the first 24 years of
those working in the Department for Work & Pensions (DWP) before moving to the Ministry of Justice (MOJ) to run criminal and civil courts. After that I started my role as part of the HMRC Security Incident Management Team. Whilst I was at MOJ, General Data Protection Regulation (GDPR) was introduced and I started working within my courts to look at GDPR, focusing on retention periods whilst touching on all aspects. This led me to do more complex GDPR work on how MOJ was responding to the challenge, and when I saw a role advertised for HMRC which dealt with incidents and GDPR, I applied.
The Security Incident Management Team responds to incidents that are reported within HMRC.
The team highlights any trends and works with other stakeholders to reduce the risk, improve education, and ultimately aims to reduce the impact of the issues. HMRC has a good reporting culture, and the team must decide on what action needs to be taken for each.

For example, notifying the Information Commissioners Office (ICO) or if the incident needs to be reported to the top of the department and recognised as high severity.
Additionally, HMRC is keen on training, and I have completed HMRC’s security and risk training courses and UKGDPR courses. There are also many opportunities to attend security and incident management workshops and to network with other incident teams across government.
I enjoy the fact that the work is not routine, no two days are the same as you never know what is going to be reported and how it needs to be tackled.

What’s it like working in personnel security?

Ben, Vetting Officer

I originally joined the Government Security Profession working with the security team at the Department for Business, Energy and Industrial
Strategy (BEIS) before moving seamlessly to HMRC, where I still
enjoy working in the Security Profession.
In BEIS, I managed security vetting for new entrants joining the department. I was supported with very good courses giving an overview and introduction to the security profession.
I currently work within HMRC Security on the vetting team. Vetting is an important aspect of personnel security, involving background checks for officials likely to be exposed to sensitive information. My primary focus is managing the many transfers and share requests that come into the department, which is an important role as this helps ensure that new staff and contractors joining hold the correct level of clearance for their line of work.
On joining the security team, I went on the Introduction to Protective Security course run by MI5 which covered the principles of physical and personnel security. We learnt about the risk of insider threat to government and some elements of cyber security such as the dark web, and at the end, we ran a simulated attack on an organisation.
Personnel Security work is varied and has given me the opportunity to work in other areas, such as vetting approval decisions, enquires and initiating new vetting applications, which helps to keep the work fresh. I hope to continue working in this area to learn and further develop my personnel security skills and am keen to find out more about the other pillars of security, cyber and physical.
HMRC Security is a great place to work with team members who are inclusive and engaging. My team is very open to my accessibility needs and are always available and willing to help with my day-to-day needs.

Katie, Vetting

After 22 years working with HMRC as an Executive Officer (EO) in a variety of tax roles, I decided it was time for a new challenge. I wanted to broaden my skillset and set out to explore the opportunities available to me. I attended an information session promoting security roles within HMRC Security which opened my eyes to the number of opportunities available, I hadn’t realised how much HMRC had to offer. National Security Vetting was something I had never really considered before as an option, however through the session I learnt about the importance of this role within HMRC Security. National Security Vetting is a process that staff working in government departments go through if their role requires them to have access to sensitive material. It provides a level of assurance to HMRC of its of employees and contractors, while protecting HMRC’s most sensitive information and valuable assets. 

The role appealed to me on many levels not only being able to take my career in a new direction but also to use my passion and strengths for helping people and providing excellent customer service.

And so, one successful application later I become a Vetting Officer.

Getting the hang of things

On joining the vetting team my training was delivered by my new colleagues who were very welcoming and supportive. Over the following months I gradually learnt the various activities carried out by the vetting team from new clearance applications, transferring clearances into and out of HMRC and making decisions on whether clearances should be granted. 

The role I enjoyed the most and quickly settled into was covering the vetting enquiries mailbox, responding to enquiries from HMRC and across other government departments. The questions ranged from simple confirmation of clearance requests and application updates to more complex questions about whether clearance would be appropriate due to a particular set of circumstances. I soon found that I was quickly able to expand my vetting knowledge while also building up strong working relationships with the team, across HMRC and other Departments.

I also got the opportunity to get involved in other areas of vetting work and taking advantage of the note-taking skills and experience I had gained over the years in my previous tax roles, I became the lead note taker at appeal hearings. This gave me the opportunity to travel across the country to other HMRC offices and get to know a variety of different people. The pandemic also gave me the chance to further strengthen these skills and to learn new ones when the appeal hearings became virtual rather than face-to-face.

My managers encouraged me to get involved with non-vetting activities to help with my development. I became the vetting team representative for the People Engagement Group, working with colleagues from across HMRC Security to improve staff engagement matters such as health and wellbeing. This activity helped me to strengthen my skills in communication and people engagement where I participated in forums, engaging my peers and senior leaders to support the vetting team across the wider community.

Onwards and Upwards

My confidence grew as I gained more experience which led to a temporary promotion on the team to a Higher Vetting Officer. This role involved managing the enquiries mailbox and two members of staff.

I was now dealing with more complex queries, helping my team to answer any queries they had difficulty with and working with colleagues across departments to resolve issues and manage expectations.

As I was new to managing staff, I was able to take advantage of HMRC’s Management Development Programme which gave me the skills and confidence to become an effective manager, supporting my team members with their daily activities and own career development.

Today

Having successfully gained a permanent promotion to HEO (Higher Executive Officer), I now manage a small team who deal with new applications for vetting clearance and support applicants through the application process, resolving any issues that they might encounter completing the relevant security forms.

A typical day for me includes reviewing the priority work areas and advise my team on the priorities for the day ensuring variety in their work to keep it interesting and to keep them motivated. I also support my team to respond to any queries and to deal with any complex issues they are working on. My role also involves reviewing vetting applications as they arrive into the mailbox to ensure they contain all the expected information needed for them to be processed as well as many other ad hoc duties. Depending on the priorities across the wider team I may also jump across to other areas of work to lend a hand if required to do so, enabling me to keep my knowledge base up to date.

Since joining HMRC Security I have faced new challenges and developed new skills which have boosted my confidence to go for promotion. I have developed my leadership and management skills, which I am not sure I would have done in previous roles. This has meant I have been able to support my team with their own development and look forward to seeing them grow. 

The ever-changing landscape of HMRC Security often opens up the possibility of new areas of work and development opportunities both in vetting, and the wider security directorate so if you have an interest in security or just fancy a change of direction, come join us.

What’s it like working in physical security?

Munawwar, Security Manager

I got into security as a part-time job when I was studying at university
and ended up working in the sector for 14 years. During this time, I did all
sorts of physical security work (retail, corporate and event security) and I’m
currently a Security Manager for HMRC. I decided to take a break from security and worked as a self-employed contractor in transport, but this all changed in March 2020 when the pandemic started. I struggled to get work but managed to get into HMRC, working for the Surge and Rapid Response Team.
I also worked on a Foreign, Commonwealth and Development Office (FCDO) deployment dealing with applications for emergency travel documents. Six months later I noticed a job advert for Security Manager, and I decided to apply for the role.

I started as Security Manager in Bristol. My main role is to carry out assurance checks on our security contractor. I act as a conduit between HMRC and our contractors, supporting with incident management, access control and providing advice on security policies, procedures and industry best practices.
I enjoy the dynamic nature of my job. I take great pride in being part of the solution, engaging with people and working to keep our building and occupants safe.
My plan is to stay in the security profession to use the experience and skills I have acquired over the last few years. I am currently working to complete my Level 5 Diploma in Security Management to give me an industry-recognised qualification alongside working on the threat risk assessment pathway. This will teach me how to assess threats faced by businesses, which will benefit my future career in security.

• Facebook
• Twitter
• LinkedIn
• Instagram
• YouTube