Chief Information Security Officer at Stanbic Bank

Job Purpose:

To drive the organisation’s Security vision and strategy, execute security governance and execute/oversee all organisational security capabilities.

Key Responsibilities:

Technology & Architecture

• Implement the technology risk management capability in country in collaboration with the
• Head, GRC realising the achievement of the targeted assurance outcomes
• Actively drive effective risk management by engaging and influencing Country CIO, managers and staff to embrace a risk-aware culture and implement and adhere to Group Technology minimum standards
• Implement Group Technology minimum standards in country, and provide independent assurance on the adherence thereto to Country CIO and provide assurance regarding risk and controls pertaining to the risk type Technology Risk
• Collaborate with suppliers and or contractors to explain and enforce SBG Information security
• to ensure the protection of intellectual property and data in Country
• Implement information security standards as directed by Group Information Security to allow
• legitimate, reputable information security solutions in Country
• Implement other local security initiatives based on unique country requirements driven by risk or regulation
• Provide security consulting on all new systems, applications and/or infrastructure, define
• requirements, manage expectations on the end-to-end security engagement and
• the CIO and/or business owner on the security readiness as part of the go/no-go decision process
• Identify root causes, have a clear plan of action and work collaboratively with the relevant on the remedial actions to prevent recurrence, ensuring adequate coverage of all security capabilities within appetite and confirming that all gaps are appropriately escalated to the CIO and country technology risk committees
• Establish a comprehensive security awareness program for country covering all stakeholder leveraging the tools and practices established by Group
• Account for the implementation of appropriate technology governance, structures and risk to provide assurance regarding governance, technology risk and related controls in
• Examine and oversee adherence to Group Information security practices, protocols, standards, guidelines as well as industry best practices, in Country
• Lead and drive effective risk management within a small / medium Country to implement and to Group Technology and Operations minimum standards.
• Plan and execute regular awareness initiatives (road shows) focusing on relevant emerging
• Information Security technologies, industry trends, specific strategies, tools and technologies to relevant stakeholders
• Identify, report and recommend remediation for cyber and technology risks and support the Head of Technology and Operations to drive adoption of minimum security and GRC standards and monitor adherence thereto
• Conduct information security assessments against all critical third parties / material outsource in country against Group standards and ensure that risks are appropriately managed
• Monitor processes that maintain the platform health of country technologies in accordance with Group standards

Risk, Regulatory, Prudential & Compliance

• Conduct reviews and provide assurance regarding the design and operating effectiveness of controls such as Group Technology standards to address Technology risks in country.
• Execute on the risk management processes, procedures, frameworks, methods, standards and toolboxes, aligned to SBG and Group Technology standards and regulatory requirements, in Country
• Provide management attestation that risk mitigation strategies and the associated trade-off decision making mandates in Country are aligned with and comply with good risk, regulatory, prudential and compliance governance
• Guide the implementation of risk intervention programmes in Country and provide assurance that these are effective responses to address identified risks in Country and are aligned to Group Technology standards and Group Technology Risk Framework
• Partner with the CIO and provide the security support to lobby regulators for a more progressive position on technology transformation e.g. through cloud adoption, SaaS, fintech and open banking. Notify and consult with Group on any imminent information and cyber security regulations
• Develop fit for purpose risk remediation plans, supported by the country security RVF strategy, based on identified information security risks, vulnerabilities, audit findings, policies and regulatory requirements and follow up on all audit findings and provide guidance, supervision and assistance in the implementation of remedial action to prevent significant reputational, financial or other losses in country
• Partner with security vendors and or providers through a preferred suppliers list, and coordinate across Group Information Security to manage the RfI/RfP processes and procurement activities required
• Partner with the Risk and Audit functions to ensure sufficient challenge and support of the country security priorities as represented in the RVF
• Adhere to all local regulations as it relates to reporting of security incidents or getting approval for any outsource arrangements / offshoring where applicable
• Participate in incident simulations and post-mortems and ensure that all lessons learnt are tracked and implemented
• Drive and champion a positive risk culture and attitude and establishing appropriate risk and security oversight and governance and compliance processes and structures, taking responsibility for ensuring compliance to the implementation of the Group Technology standards and Group Technology Risk Framework, as well as compliance to technology, information and cyber security country regulations in Country
• Assess the effectiveness of risk governance structures related to process changes and improvement, technology upgrades and new technology implementations in country and confirm that these remain effective
• Manage and execute the security governance model, overseeing the composition and terms of reference for key governance committees, forums and working groups. Coordinate the scheduling, manage governance meeting inputs/outputs/actions and attendance tracking for Security structures.

Product

• Provide input into risk reports regarding technology risk in Country and adherence to technology standards, in support of reporting to relevant risk governance forums including GT RCC, GORC, GROC, GRCMC and GT&IC

Strategy

• Develop and maintain the security strategy for the organisation; aligned to the IT and business strategy, security vision, industry standards and regulations, periodically review and refresh the strategy, driven by specific landscape and oversee establishment of programme/projects/initiatives to achieve the strategy.
• Develop and maintain the security strategy for the organisation; aligned to the IT and business strategy, security vision, industry standards and regulations, periodically review and refresh the strategy, driven by specific landscape and oversee establishment of programme/projects/initiatives to achieve the strategy.
• Manage the establishment and periodic review of the security target operating model, organisational structure, and roles and responsibilities for organisational Security in line with the Group's security strategy.
• Manage the Security budget to forecast the capacity for increased resourcing and / or financial investment in security services, in collaboration with Group Security leads.
• Develop and maintain the security resourcing strategy with consideration for appropriate balance between FTE’s, contractors, consultants and third-party provided services (such as managed services). Coordinate the design of training and learning curriculum.
• Manage security vendors/providers through a preferred suppliers list, and coordinate across Group Security to manage the RfI/RfP processes and procurement activities required.
• Implement the Group Cyber Resilience Technology Standard in country and adapt based on country context
• Anticipate local trends, identify probabilities and interpret impact in the country technology, use as input to adapt the country security strategy
• Work closely with Group Information Security in translating Information Security strategies and capabilities for mandatory execution in country, review and update Information Security policies aligned to the Country Technology and Group Information Security strategy
• Adopt the Risk Viability Feasibility (RVF) framework to ensure sufficient protection of clients money, data and time (aiming to reduce / mitigate the three risks that security strategies).
• Assess information security risks and trends in attacks and tactics in Country, and develop the overall Information Security strategy in Country, in collaboration with Group Information Security
• Execute the defined risk assurance strategy regarding Technology Risk or risk types in Technology and related controls and adherence to minimum technology standards in Country ensuring that the overall Group Technology objectives are achieved

Qualification:

• Degree in IT and Computer Science
• Must possess at least one internationally recognizable IT Risk/security certification such as CISM, CISSP, CISA, CRISC, CGEIT,ISACA or IIA

Skills and Experience:

• 8 to 10 years' Experience in an information security or Audit role within the banking and /or financial services sector. Experience working in a multi-vendor and outsourced and multi-system IT environment. Proven experience in IT management activities including IT Portfolio delivery planning, investment control and risk identification and management, regulation of statutory reporting, monitoring, and managing the required software and hardware licenses