Cybersecurity & Compliance Specialist

About Salvone

Role Purpose

Key Responsibilities

• Security operations & posture
• Run vulnerability management end-to-end: scanning, triage, remediation tracking, and verification with the infrastructure team.
• Oversee patch compliance and hardening baselines across cloud, servers, and endpoints.
• Monitor security events and alerts through our SIEM (Wazuh), investigate anomalies, and tune detection.
• Maintain endpoint protection coverage and review logs for early signs of compromise.
• Track and reduce security debt with clear owners and dates.
• Compliance & certifications
• Drive the ISO 27001 programme day-to-day: maintain the ISMS, implement and evidence controls, and prepare for internal and external audits.
• Deliver Cyber Essentials Plus and the NHS DSPT submission, keeping evidence current year-round rather than scrambling at deadline.
• Assemble and maintain NHS DTAC assessment packs for our platforms — clinical safety, data protection, technical security, interoperability, and usability.
• Maintain a single, audit-ready control and evidence library; run and improve compliance tooling (e.g. Vanta, Drata) where adopted.

Data protection (UK GDPR / DPA 2018)

• Maintain the Record of Processing Activities (ROPA) and data-retention schedules.
• Run Data Protection Impact Assessments (DPIAs) for new systems and data flows.
• Operate the data-subject-request and breach processes, including ICO notification timelines.
• Support our obligations as a data processor to our clients — security questionnaires, contracts, and assurance.
• Identity, access & resilience
• Run quarterly access reviews and enforce least privilege across systems.
• Apply a security lens to joiner / mover / leaver and to secrets hygiene, partnering with infrastructure on MFA and conditional-access posture.
• Maintain incident-response runbooks, run tabletop drills, and lead post-incident reviews.
• Verify backups and recovery from a security standpoint — tested, not assumed.
• Vendor security & awareness
• Complete inbound client security questionnaires and run outbound supplier security reviews.
• Run security-awareness training and phishing simulations, and write policies people will actually follow.

Required Qualifications

• 2–4 years in a cybersecurity, GRC, or security-focused IT role.
• Hands-on contribution to at least one compliance framework — ISO 27001, Cyber Essentials, SOC 2, or NHS DSPT.
• Working knowledge of UK GDPR / Data Protection Act 2018 (or an equivalent data-protection regime) in practice, not just theory.
• Familiarity with cloud security (AWS preferred): IAM, security groups, GuardDuty, Config, and logging.
• Microsoft 365 / Entra ID security: conditional access, MFA, and Secure Score.
• Exposure to vulnerability management and SIEM tooling (Wazuh, Sentinel, Splunk, or similar).
• Scripting for automation: Python, Bash, or PowerShell.
• Strong documentation discipline. If it isn’t written down, it didn’t happen.
• Clear written and spoken English; able to write a policy someone will actually read.

Desirable Skills

• ISO 27001 Lead Implementer or Lead Auditor certification; Cyber Essentials assessor experience.
• NHS DTAC, DSPT, or clinical-safety exposure (DCB0129 / DCB0160).
• Security certifications: CompTIA Security+, SSCP, AZ-500, AWS Security Specialty, CEH, or working towards CISSP.
• Compliance automation tooling (Vanta, Drata, or similar).
• Experience in a regulated industry — healthcare, finance, or public sector.
• Penetration-testing fundamentals and a solid grasp of OWASP.
• Container and image scanning; zero-trust networking (Tailscale or similar).
• Healthcare integration or data context (HL7, FHIR, Mirth).

What We’re Looking For

• Beyond the checklist, we value people who are methodical, evidence-driven, and pragmatic about risk.
• The ideal candidate treats compliance as something you build into operations, not bolt on at audit time.
• Ownership mentality: you see a gap, you log it, you close it, and you evidence it.
• Pragmatism: you can tell a real risk from a theoretical one and prioritise accordingly.
• Documentation discipline: policies, runbooks, and evidence kept current as a matter of habit.
• Calm under pressure: some of what we protect runs 24/7 in clinical settings.

What Success Looks Like

• By 90 days
• A clear inventory of systems, data flows, identities, and secrets, with the riskiest gaps logged and owned.
• ISO 27001 gap analysis supported and the evidence library structured.
• ROPA started and the first DPIAs underway.
• Early, visible posture wins shipped with the infrastructure team.
• By 6 months
• ISO 27001 certification achieved.
• Cyber Essentials Plus passed, and DSPT submitted at “Standards Met” or higher.
• DTAC packs assembled and current for our in-scope platforms.
• Quarterly access reviews, incident drills, and supplier reviews running as routine.

Application Question(s)

• What is your current visa status in the UAE? (e.g. employment visa, own visa / freelance, spouse/dependent visa, visit visa, not currently in UAE
• What is your current notice period, and what is your earliest realistic start date
• What is your current/last salary, and what is your expected monthly salary in AED (total package)?
• Do you have at least 2 years of hands-on experience in a cybersecurity, GRC, or security-focused IT role?
• Have you personally contributed to implementing or evidencing at least one of: ISO 27001, Cyber Essentials, SOC 2, or NHS DSPT?
• Do you have practical experience applying UK GDPR / Data Protection Act 2018 (or an equivalent regime) — not just theory
• Have you worked hands-on with vulnerability management and SIEM tooling (e.g. Wazuh, Sentinel, Splunk, or similar)?
• Can you write automation scripts in at least one of Python, Bash, or PowerShell?

Location

• Dubai (Preferred)