Job Description
The Information Protection Director is a key leadership, business-facing position whose primary focus is to act as a conduit between Information Protection organizational goals and business line interests. Acting as the primary delegate for the business line's International Markets Chief Information Security Officer, you will oversee the development and execution of the Cyber / Information Security Strategy at a granular level.
Strategically, you will be responsible for delivering the ‘last mile execution’ of all Information Protection global Shared Services, developing and measuring capabilities whilst running the subsequent risk-mitigation Cyber / Information Security Management programs.
As the local evangelist and expert, you will focus on managing local business stakeholders as well as wider stakeholders such as regulators, clients and external parties.
Responsibilities
- Manage all external local client and regulatory engagements, including fielding queries and regulatory & compliance submissions, in conjunction with matrix Information Protection Shared Service partners and governance stakeholders (Legal, Compliance and Data Privacy).
- Lead localized Controls Assurance activities; define and effectively track control testing and remediation risks for the local business line. Coordinate Shared Service benchmarking exercises (NIST etc.) using Information Protection standards.
- Leverage the Enterprise Risk Management framework to perform focused, localized risk assessments of existing or new services and technologies in line with policies and standards, and manage the risk exceptions process. Develop residual risk registers and integrate them into the Shared Service Integrated Risk Management Framework.
- Coordinate the local delivery of global Cyber & Privacy portfolio risk-mitigation projects and programs into the business line / region. Conversely, feed the portfolio by registering local business line residual risk outputs that drive controls mitigation activity.
- Evolve Information Protection security policies and processes, aligning them to local business requirements, and operate the policy exceptions management process. Coordinate security education & awareness initiatives in line with the policy framework, integrating them with the Shared Service's overall thematic awareness program.
- Partner with business line / regional CIOs and technology stakeholders to educate on, and integrate, risk management activities within first and second line of defence governance.
- Coordinate with Shared Services to provide localized risk and vulnerability management information and reporting, and embed Cyber / Information Security into business operational governance forums, enabling data-driven decision making.
- Develop organization-wide Cyber / Information Security risk views by collaborating with internal control groups, e.g. Audit, Compliance, Enterprise Risk Management, Legal and Privacy.
- Liaise across Legal, Privacy and Sourcing teams to manage 3rd party risks. Conduct 3rd Party Assessments, including evaluations, contract reviews and onsite visits where appropriate.
- Embed secure development practices, working with local business and technology teams to implement enterprise tooling and processes that ensure secure code implementation. Embed risk management practices into Agile / DevSecOps pipelines to minimize production vulnerabilities.
Qualifications
- Proven track record of successfully influencing and leading peer and matrix teams where direct and indirect reporting relationships exist. Strong leadership qualities and business acumen, able to deal with all levels of the organization. Demonstrable experience developing and leading organizations autonomously. Appreciation of global organizational culture variances.
- Minimum 10+ years of Information Security / Cyber or related risk management experience. Ability to translate information security and technical controls into business terms that are easily understood. CISSP or other security-related certification preferred (CISM etc.).
- Implementation-level knowledge of information security standards and frameworks (e.g. ISO/IEC 27001/27002, PCI-DSS, NIST Cybersecurity Framework, etc.) and attestation reports (e.g. SOC 1/2). Awareness of Governance, Risk and Compliance (GRC) and workflow management tools, e.g. Archer, Brinqa etc.
- Experience within the Insurance or Financial Services industry preferred.