Chief Information Security Officer

3 weeks ago


Mumbai, India Standard Chartered Bank Full time

Role Responsibilities

Strategy

Identify and independently drive strategic change initiatives to deliver on the ICS agenda with a forward-looking view. Develop insightful strategies for engaging business on information security matters, ensure investments are prioritised and funding is approved. Support delivery of the Bank’s enterprise-wide risk management plan and strategy. Work with application development organisations to assist in the development of strategies and plans for improving both architecture and application security.

Business

Ensure ICS risks in the respective market are proactively managed and effectively controlled, mitigated and remediated with senior stakeholders’ support and buy-in, in line with Group, Region, Country, Business/Function risk appetite and regulatory driven requirements. Assist in establishing priorities in partnership with the C-level Management and take responsibility for resolving security issues. Ensure that the management of ICS risk is effective and operating efficiently in the respective business / function / region. Assist in driving security culture/awareness and help improve readiness for a cyber event. Ensure information risks are identified, assessed, mitigated and controlled. Ensure Critical Information Assets are identified and graded appropriately. Monitor changes in the risk profile of the highly critical systems. Work with IT to validate the resilience of data and IT systems. Support Group initiatives ensuring the respective business / function / region needs are represented effectively. Face off to the ICS subject matter experts in Group Business lines.

Processes

Drive the continuous improvement of practices. Drive the implementation of the ICS agenda for the respective business / function / region by working with the respective Business/Function Heads, Region / Country Management Team, C-level Management / CIO teams, ISOs and senior ICS leadership. Manage ICS risk remediation initiatives and activities including incident responses, crisis exercises, risk assessments, stress testing, regulator engagement. Drive the implementation of the ICS RTF in the respective business / function / region with a focus on key countries. The plan will incorporate digital footprint discovery, threat/risk assessment, definition and implementation of controls as guided by the ICS RTF.

People & Talent

Maintain strong stakeholder engagement and serve as the business-facing lead with Group, Regional and Country IT, Business/Function, C-level Management, ISOs, Risk & Control stakeholders to bring alignment across stakeholder groups in conjunction with ICS risk management. Collaborate with Corporate Communications, threat intelligence and other functions to lead and coordinate the information security change management effort around branding, communications, staff awareness and training. Maintain relationships with key service and product owners within Security Technology Services / Cyber Security Services to keep abreast of changes that may affect ICS’s risk landscape. Help to interpret and translate the ICS requirements of the ICS programmes into technical requirements when needed. Engage external agencies / third parties to understand the threat environment and reported events; assess impact for the respective business / function / region.

Risk Management

Drive compliance with Group policies, standards, and local regulatory requirements. Work closely with CISRO, Regional ISO, Country ISO, Head of ICS Governance, TISO, Business and C-level Management to provide oversight, governance and monitoring, and work with various delivery owners to embed the ICS RTF. Understand and assess the impact of changes in the policy or procedures on the respective business / function / region and engage with the respective business / function / region Heads to ensure the impact is understood. Recommend additions/enhancements/changes to the ICS policy, procedures, and RTF.

Governance

Monitor ICS risk profile and posture and report any non-compliance to senior management or governance committees. Participate and represent the respective business / function / region in Risk Committees, ICS working groups, Programme Steer Cos etc. to provide updates and influence positive outcomes for the Business/Function/Region/Country. Validate the accuracy and consistency of KRIs, KCIs and other risk ratings/assessments, as well as process designs using available MI. Support the Third-Party Security Assessment team during 3rd party reviews. Help design and embed ICS RTF controls in ORF across the respective business / function / region.

Regulatory & Business Conduct

Display exemplary conduct and live by the Group's Values, Valued Behaviours, and Code of Conduct. Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct, across the Bank. Effectively and collaboratively identify, escalate, mitigate, and resolve risk, conduct and compliance matters.

Key stakeholders

CISO, WRB and Markets Region CISO Market C-level Management and CIO ICS Control owners

Our Ideal Candidate

Education - Degree in Engineering, Computer Science/Information Technology or its equivalent.

Training

  • Strong knowledge of ICS products and operations will be preferred.
  • Ability to articulate gross and residual risk with specific ability to communicate complex technology and process risk clearly, concisely and accurately to non-technical stakeholders in a lucid way.
  • Strong interpersonal and stakeholder management skills, across various levels in the organization including senior leadership teams, in influencing key decisions taken in the business and in support teams.
  • Strong communication skills – oral, written and presentation.
  • Sound knowledge of MS-Excel, PPT, and Word.
  • Must be a self-starter who is able to initiate and successfully drive programs and projects to completion with little or no management supervision.
  • Strong analytical skills and ability to prioritise, make decisions, and work to tight timeframes.
  • Strong business acumen and deep knowledge and experience in the ICS field.
  • Proven ability to lead highly complex, global activities through influence and credibility rather than command and control.
  • Ability to both assess strategic priorities and to focus on detailed aspects of a function in order to drive effective delivery.
  • Strong integrity, independence, and resilience.

Certifications - One or more of the following certifications will be preferred:

  • Certified Information Security Manager (CISM)
  • Certified Information Systems Security Professional (CISSP)
  • SANS Global Information Assurance Certifications (GIAC)
  • Certified in Risk & Information Systems Control (CRISC)
  • Certified Information Systems Auditor (CISA)

Languages - English

Role Specific Competencies

  • Understanding of the Cyber landscape and ICS Controls within the CCIB environment.
  • Excellent organisation and leadership skills with ability to manage multiple deadlines and effectively prioritise.
  • Proven ability to lead highly complex, global, pan-bank, multi-year programmes by driving collaboration and participation by functions, Regions and countries.
  • Extensive change and programme management experience, ideally gained in the financial industry.
  • Ability to foster positive relationships with internal and external stakeholders at appropriate level, ensuring an open, cooperative environment.
  • Be a team player.
