This opportunity is closed for applications

The deadline was Tuesday 2 February 2021
London Borough of Hackney

Hackney Council is building new security assurance capabilities, following a Cyber attack in 2020.

30 Incomplete applications

22 SME, 8 large

18 Completed applications

14 SME, 4 large

Important dates

Published
Tuesday 19 January 2021
Deadline for asking questions
Tuesday 26 January 2021 at 11:59pm GMT
Closing date for applications
Tuesday 2 February 2021 at 11:59pm GMT

Overview

Summary of the work
Our security risks are known and managed across all our ICT environments so that we minimise the threat of a future cyber attack on Council services and the residents and businesses we serve.
Latest start date
Monday 1 February 2021
Expected contract length
Location
No specific location, for example they can work remotely
Organisation the work is for
London Borough of Hackney
Budget range
£200,000 - £250,000 + VAT

About the work

Why the work is being done
Hackney Council is reviewing the way we deliver security assurance, following a Cyber attack in October 2020 and implementing changes to where required. This work will include a review of some of our technological tools as well our governance arrangements and processes. This work will be underpinned by a concurrent piece of work focused upon the security culture within the team.
Problem to be solved
We are delivering two key strands of work:

Behaviour, Culture & Skills (Analysis, recommendation & implementation)
Policy, Process & Procedure (Review, recommendation, change/strengthen)

We have identified some skills gaps and capacity shortages that would hinder rapid delivery of a high quality set of outcomes.

User Research (to help design, conduct and understand behavioural and culture now)

Business/Procedure/Policy Analysis (to help create and distill user stories, conversations and data and turn into actionable procedures/practice).

Senior Security Practice to act as a second pair of eyes and to help design new processes, deliver training and best practice to our teams.
Who the users are and what they need to do
As a Head of Platform, I need…

● to have a detailed understanding of how staff understand their responsibilities towards security and value its governance, so that we address cultural risks that leave us vulnerable to future attacks and implement the changes necessary to prevent them

● the team to create and the department (and wider organisation) adopt effective security policies and practices that are straightforward to adopt and monitor so I am assured that Council data and systems are protected.
Early market engagement
Any work that’s already been done
Existing team
Head of Platform (Project Sponsor)
Service Delivery Manager (Product Owner - Policy & Procedure)
Senior Delivery Manager (Acting as Product Owner - Behaviour & Culture Discovery)
Delivery Manager
Core Team members responsible for security knowledge
Security Apprentices
Lead Technical Architect
Current phase
Not applicable

Work setup

Address where the work will take place
Almost certainly remotely via google suite tools. If Covid restrictions lift, possibly in the Hackney offices, London, E8.
Working arrangements
The internal team will work with Hackney Council staff in an agile project style of working, most likely remotely, although perhaps in the office sometimes if Covid restrictions allow.

Security assistance 5 days per week for 6 months

Research assistance 5 days per week, 3 months initially

Business analyst 5 days per week, 3 months initially
Security clearance

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Ability to design an internal research campaign exploring skills, culture & behaviour
  • Extremely strong interpersonal skills and the ability to help people feel at ease during exploratory conversations.
  • Have led significant user research that has helped to uncover unknown insights about users and groups of people.
  • Create high quality interviews and research programmes that can be iterated as they progress.
  • Ability to independently to find their way through large organisational structures to reach all of the relevant voices and users that may not be immediately obvious.
  • Understanding of what is not being said as well as what is being said and probing further to get to the underlying issues.
  • Ability to distill high volumes of information and opinions into key insights about policy and procedural positions.
  • Excellent listening skills to be able to understand and assimilate the multitude of requirements and opinions in the space of policy and procedure development
  • Be able to analyse data and information and spot trends and patterns that might not have been immediately obvious to the organisation
  • Have informed and intelligent conversations with large numbers of users, stakeholders and interested parties and translate them in to applicable user stories
  • Using data gathered from users, collaborators, team members and stakeholders, be able to model various ‘how might we’ and ‘what if’ scenarios to deliver solutions to complex problems.
  • Translate complex data insights into approachable concepts and strategies.
  • Exceptional knowledge of Cyber Security for large organisations with complex ICT systems.
  • Has helped in developing and enhancing major ICT cyber security projects from a number of angles, including policy, procedure, culture and technical architecture.
  • A detailed and up to date knowledge of the (ICT) security risks posed to a large political organisation and the most up to date methods and strategies to prevent them.
  • Ability to listen to, absorb and carry forward strategic direction from senior staff members and stakeholders
  • Experienced in being hands on in a team, being able to lead from the front when upskilling and from the back when encouraging the team to implement new learnings
  • Highly articulate, being able to converse coherently at all levels of technicality, from senior engineers who are designing our systems, through to non-technical users who use every day conversational language.
  • Comfortable in leading meetings, workshops, training sessions and presentations that are relevant and engaging for the audience they are aimed at.
  • Know how to impart knowledge effectively enough that they are able to leave the project team as an ongoing self sufficient unit.
Nice-to-have skills and experience
  • Familiar with Agile working practices and project delivery
  • Knowledge of behavioural insights and behavioural science
  • Use of Gsuite business tools (docs, sheets, slides, chat, meet)
  • Have been involved in and assisted with cultural change within an organisation
  • Ability to upskill other team members in the art of user research

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
3
Proposal criteria
  • Understanding of organisational needs
  • Understanding of user needs
  • Quality of the technical solution
  • Clarity of approach
  • How they’ve identified risks and dependencies and offered approaches to manage them
  • Team structure, including skills, experiences and relevance of individuals
  • Experience from a similar project
  • Estimated time-frame for the work
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative when making decisions
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Take responsibility for their work
  • Share knowledge and experience with other team members
  • Work openly
  • Be comfortable with an agile working culture
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Work history
  • Reference
Evaluation weighting

Technical competence

60%

Cultural fit

20%

Price

20%

Questions asked by suppliers

1. Could we please ask for confirmation of the latest start date listed in the opportunity? It states the 1 February, but the DOS Stage 1 submission is the 2nd Feb.
The start date will be the end of February. 1st Feb was published in error.
2. Hi, would you consider splitting this work for example taking a bid for the security aspects and not for the BA?
We are looking for bids covering all the roles described.
3. Please can you confirm the latest start date as it appears currently to be before your request is closed for applications.
The start will be the end of February. 1st February was published in error.
4. Please could you clarify if this opportunity relates to digital outcomes or digital specialists?
We are looking to address skills gaps and capacity in the following areas: user research, business analysis and security. These roles will work with an in-house team to fulfil the user needs described in the brief.
5. Can you please provide details of what tools will be part of the review process.
Tools and ways of working will be defined by the team. We anticipate tools would be based on user research and service design practices.
6. Can you please provide details of what tools will be part of the review process. Also ‘is your intention that we review the adequacy of those tools for the job and/or the configuration of those tools for the function they perform’?
The scope of review will be defined with team. The configuration of tools could be looked at in the context of assessing whether they are fit for purpose and meet our user needs.
7. Do you require security clearance from day 1 from the consultant or are you happy to sponsor this process and have them onsite without this initially?
The successful supplier will be required to sign an NDA.
8. Is there any level of security clearance required for those undertaking the work? If yes will Hackney Council sponsor obtaining the clearance?
The successful supplier will be required to sign an NDA.
9. Re Question 3: Do all Hackney Council staff (including ancillary / support staff) have access to IT (laptops, desktops etc.) or council information systems?
In principle, staff have devices and access to the relevant information systems they need to perform their roles. Post the cyber attack, access to information systems is limited for some teams.