Posted: Oct 5, 2023
Deadline: Oct 19, 2023
Equity Bank Limited (the "Bank") is incorporated, registered under the Kenyan Companies Act Cap 486 and domiciled in Kenya. The address of the Bank's registered office is 9th Floor, Equity Centre, P.O. Box 75104 - 00200 Nairobi. The Bank is licensed under the Kenya Banking Act (Chapter 488), and continues to offer retail banking, microfinance and relat...

    Cyber Risk & Red Team Specialist

    The CISRO Function

    The Group Chief Information Security Risk Officer (CISRO) function is instrumental in protecting and ensuring the resilience of Equity Group’s data and IT systems by managing information, cybersecurity, and IT risk across the enterprise. As a critical function reporting into the Group Chief Risk Officer (CRO), the CISRO function serves as the second line of defence for assuring ICS controls are implemented effectively and in accordance with the Risk Framework and for instilling a culture of cyber security within the Bank. The Group CISRO is responsible for ICS governance, strategy, policy, risk assessments, industry partnerships, and regulatory engagement. The Office of the CISRO is central to ensuring the Bank’s ability to meet its ICS commitments to internal and external stakeholders, including regulators, as well as maintaining an acceptable ICS risk profile that is regularly reported to the Board.

    The Role

    The Cyber Risks & Red Team Specialist role is highly technical and challenging, with opportunities to be part of a team that will have a meaningful impact. The incumbent is expected to possess an adequate understanding of both cyber security and information technology and should understand concepts including computer networking, web and native application functionality, operating system functionality, cloud services, corporate network environments and operations. The incumbent should be able to learn advanced concepts such as endpoint protection evasion, covert operations, and tailored exploit development.

    The role leverages previous penetration testing and Red Team experience. This may involve delivering threat intelligence-led Red Team exercises, developing social engineering test campaigns and the associated collateral, executing phishing campaigns and attempting to compromise internet-facing systems, conducting privilege escalation and lateral movement within the group's networks, hunting for objectives with little-to-no information provided at hand, and attempting to exfiltrate data from the network, all while avoiding detection by the bank's security operations teams. The role will require you to perform exploits at scale while remaining stealthy, identify and exploit misconfigurations in the corporate infrastructure, quickly and effectively parse data, present relevant data in a digestible manner, and think well outside the box.

    Responsibilities

    • Set up an internal second line of defence red team lab to enable targeted testing of the group's environment as well as effective follow-up of vulnerability remediations.
    • Manage external red team exercises ensuring that noted risks are remediated and tracked.
    • Review and propose updates to cyber risk management and information security frameworks and policies on an annual basis at a minimum.
    • Enforce implementation of the cyber risk management and information security framework ensuring that key gaps and risks noted are well discussed, actioned and escalated.
    • Support in ensuring the architecture and creation of secure solutions for the cloud that adhere to industry best practices, through detailed risk assessments.
    • Support the evaluation of security controls against the SaaS, IaaS and PaaS offerings provided.
    • Support the creation and management of a new security risk management process to approve and authorize new capabilities and monitor the output of the process.
    • Perform risk assessments on network architecture and artifact configurations (Firewalls, Routers, Switches, IDS, IPS), data protection strategies, Host and endpoint protections, security resilience and monitoring, applications and APIs protections and give practical recommendations.
    • Review and advise on the risk control self-assessments (RCSAs) performed by 1LOD teams for the allocated risk subtypes.
    • Support first-line IT units in developing implementation baselines in accordance with best practices; these include baselines for secure coding, custom scripts and programs.
    • Support in other reviews that might be allocated from time to time.
    • Monitor and report on key risk indicators affecting various cyber risks while planning remedial actions.
    • Present findings with clarity to management and get buy-in for implementation of controls.
    • Have the capability to mine forensic data for investigative and forensic purposes if called upon.
    • Support cyber forensic investigation and root cause analysis when required.

    Qualifications

    Ideal Candidate

    • Bachelor’s degree in Computer Science, Information and Cyber Security, Technology or equivalent
    • 5 years of relevant experience in information security or risk management, preferably in the banking and financial sector, with hands-on experience in penetration testing, red teaming and information assurance assessments
    • Minimum of CEH (Certified Ethical Hacker) certification or LPT (Licensed Penetration Tester)
    • Any one ISACA related Certification (e.g. CISM, CISA, CRISC and CGEIT) * Added advantage
    • CISSP (Certified Information Systems Security Professional) * Added advantage
    • OSWP (Offensive Security Wireless Professional) * Added advantage
    • OSEE (Open System Engineering Environment) * Added advantage
    • OSCP (BEST) (Offensive Security Certified Professional) * Added advantage
    • Consistently able to demonstrate or articulate value proposition
    • Candidates must have demonstrated skills in penetration testing and ethical hacking having carried out:
      • Password guessing and cracking attacks.
      • Session hijacking and spoofing attacks.
      • Network traffic sniffing attacks.
      • Denial of Service attacks.
      • Exploiting buffer overflow vulnerabilities.
    • Good understanding of networks and networking elements.
    • Good understanding of web pages and their technology.
    • Expertise in Linux machines; Kali and Parrot recommended.
    • Familiar with various operating systems and databases
    • Red team experience
    • Ability to both assess priorities and to focus on work in a structured fashion which delivers results
    • Sound judgement and anticipation
    • Strong integrity, independence, and resilience

    Head of Technology Risk Management

    The Role

    This Head of Technology Risk Management role is a 2nd line of defense role which encompasses creation/improvement/execution of Information and Technology risk governance across the Group, including partnership with 1st line front line business and risk units, in alignment with the Enterprise Risk Framework. The role will be providing Risk Management leadership across the Group’s Information and Technology risks. The candidate is expected to possess a deep understanding of information technology and should understand concepts including computer networking, web and native application functionality, operating system functionality, cloud services, corporate network environments and operations.

    Responsibilities

    • Perform external/internal/cloud/wireless network assessments, web and mobile application testing, source code reviews, network security and IT architecture reviews.
    • Provide both subject matter expertise and project management experience to serve as the “point person” for external IT risk assessments engagements and where required, supervise the scoping of prospective engagements by external vendors, participating in engagements from kickoff to completion.
    • Interface with the relevant internal and external teams to clarify and provide support to address concerns, issues, or escalations; track and drive to closure any issues that impact the service and its value to the bank's customers.
    • Develop comprehensive and accurate reports and presentations for both technical and executive audiences
    • Oversee and manage implementation improvements to the group’s business processes, methodologies, tools, and client communication methods
    • Provide expert experience building information, cybersecurity and IT risk programs, including hands-on implementation and/or assessment of relevant controls.
    • Make use of formal project management skills in planning, tracking, and reporting on project progress
    • Perform IT General Controls Testing and IT Application Controls Testing
    • Identify key risks and evaluate effectiveness of controls in mitigating risks and meeting IT objectives.
    • Identify potential process improvement opportunities.
    • Support the review and update of the Information, Cybersecurity, and IT risk management framework on an annual basis with the changes in the environment.
    • Review technology policies, processes and procedures and identify potential opportunities for improvement and alignment.
    • Work across the technology department to analyze and better understand their risk profile.
    • Review IT initiatives from technology risk perspectives and provide advisory and recommendation.
    • Supervise the IT disaster recovery measures deployed across the group.
    • Support the review and update of IT risk and control methodology used in conducting risk assessments.
    • Proactively manage risks so that there are no major incidents, breaches, or examples of non-compliance.
    • Support the definition of the technology risk appetite statements.
    • Review and advise on the risk control self-assessments (RCSAs) performed by 1LOD teams for the allocated risk subtypes.
    • Monitor Key Risk Indicators (KRIs) and report on deviation from defined technology risk appetite.
    • Assist with the Technology Risk reporting operations, including scheduling key monthly meetings, monitoring key milestones, escalation of past due activities, problem triage and management.
    • Increase awareness and enhance risk culture across the organization and provide day-to-day risk and control advice as a trusted 2nd line subject matter expert.

    Processes

    • Provide assurance that the first line implements controls to comply with applicable laws and regulations and escalate significant policy and regulatory non-compliance matters and developments to the Group CISRO;
    • Support the global thematic reviews and assurance testing process, stress tests, regulatory submissions, and Internal audit reviews;
    • Establish and maintain strong relationships with identified stakeholders and understand their strategic goals to ensure IT alignment
    • Assist with the articulation of the value of IT controls and their bottom-line impact;
    • Represent EGHL in internal and external meetings where required;

    Risk Management

    • Highlight gaps or control weaknesses against security controls and standards, raising concerns to the CISRO and relevant forums;
    • Provide recommendations and feedback based on IT Risk assessments and assurance experience within EGHL and the subsidiaries;
    • Provide input into Group wide ICS assessments, reporting, and strategies

    People and Talent

    • Lead through example and help to create the appropriate culture and values.
    • Work in collaboration with risk and control partners.
    • Work collaboratively with the wider CISRO Team
    • Effective staff management to achieve operational objectives
    • Agility to manage and balance own time among multiple tasks, and lead junior staff when required
    • Uphold and reinforce the independence of the second line ICS Risk function.
    • Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct, across EGHL. This includes understanding and ensuring compliance with, in letter and spirit, all applicable laws, regulations, guidelines and the Group Code of Conduct.
    • Effectively and collaboratively identify, escalate, mitigate, and resolve risk, conduct and compliance matters.

    Key Stakeholders

    • Group Chief Risk Officer and other senior Risk management teams,
    • Group CISRO, Head of IT and Cyber risk governance, Group Directors, Group CISO and other senior management
    • 1LOD risk management and cloud governance heads and teams
    • Group Internal Audit and other Business stakeholders

    Qualifications

    Ideal Candidate

    • Bachelor’s degree in Computer Science, Information and Cyber Security, Technology or equivalent
    • Minimum of 7 years of relevant experience in information security or risk management, preferably in the banking and financial sector, with 5 years hands-on experience in risk, control, and assurance assessments / testing.
    • At least one of CISSP, CISA, CISM or CRISC certification
    • CoBiT or Risk IT Frameworks (Added advantage)
    • Experience with the establishment of IT risk management frameworks
    • Consistently able to demonstrate or articulate value proposition
    • Prior positive interaction with C-level executives or senior executive personnel
    • Technical report writing and documentation of risk management activities
    • Presentation of technical details to both technical and executive audiences
    • Support the review and update of the technology risk management framework on an annual basis with the changes in the environment.
    • Must have hands on experience in performing risk assessments in diverse technology environments
    • Good understanding of technology infrastructure, networks, and database management systems.
    • Good understanding of cloud computing technologies and Microsoft Azure environment.
    • Familiar with various operating systems and databases
    • Ability to both assess priorities and to focus on work in a structured fashion which delivers results
    • Sound judgement and anticipation
    • Strong integrity, independence, and resilience
    • Deliver with minimal supervision.
    • Avid researcher of best practices and happenings in the global cyber space.
    • Engage key stakeholders on actions required.
    • Team player and contributor.
    • Strong problem-solving, persuasive skills and an ability to grasp abstract concepts and complex technology situations to challenge the status quo and further develop and build on our IT Risk Management Framework.
    • Excellent communication skill, both verbal and written, with the ability to initiate and lead conversations with technology and business leaders and risk colleagues regarding anticipated and emerging issues.


    Senior Internal Auditor

    Description

    • Plan and execute operational audits to assess the effectiveness of internal controls and identify process inefficiencies.
    • Identify and evaluate risks associated with key business processes, systems, and controls. Assess the adequacy of the control environment, including design and operating effectiveness of controls. Provide recommendations for control enhancements and risk mitigation strategies, with focus on leveraging technology and IT solutions to strengthen controls.
    • Apply data analytics techniques to identify trends, anomalies, and patterns within large datasets. Develop and execute data-driven audit tests to assess the accuracy, completeness, and validity of financial and operational data. Utilize tools such as data visualization and statistical analysis to present audit findings effectively.
    • Collaborate with various stakeholders including business units, senior management, and IT teams in identifying constructive and value-added solutions to address issues identified. Recommend operational improvements which ensure that proper controls are exercised over all aspects of the business. Maintain strong working relationships to foster cooperation, support, and knowledge exchange.
    • Prepare concise and well-structured audit reports that highlight findings, risks, and recommendations in a clear and actionable manner. Present audit results to senior management and other stakeholders. Communicate effectively with audit clients, providing guidance on control improvements and addressing any concerns or questions.
    • Follow up of audit issues with management and report the status of remediation monthly.
    • Stay abreast of emerging audit practices, industry trends, and regulatory changes. Identify opportunities to enhance audit methodologies, data analytics techniques, and the utilization of IT in the control environment.

    Qualifications

    • Auditing experience of not less than 6 years in either a big 4 audit firm or a financial institution;
    • Working knowledge of computer assisted audit techniques (CAATs) and Teammate audit software;
    • Knowledge of auditing core banking systems, Enterprise Resource Planning systems and digital business processes.
    • In-depth knowledge of IFRSs, IIA Standards and regional banking industry regulatory framework.
    • Exceptional communication and interpersonal skills, with the ability to build relationships and influence stakeholders at all levels of the organization.


    Information and Cyber Risk Governance, Policies and Framework Specialist

    The Role

    The Information and Cyber Risk Governance, Policies and Framework Specialist role is highly technical and challenging, with opportunities to be part of a team that will have a meaningful impact. The incumbent is expected to support all 6 subsidiaries in which Equity has a presence, should possess an adequate understanding of governance of both cyber security and information technology, and should understand concepts including computer networking, web and native application functionality, operating system functionality, cloud services, corporate network environments and operations. She/He should be able to quickly learn and keep up with the ever-changing landscape of technology. The candidate should have strong policy-making skills, process and procedure mapping, compliance review and technical reporting skills.

    Responsibilities

    • Support the review and update of the Technology, Information and Cyber Security (TICS) risk management framework across the group on an annual basis in line with changes in the environment.
    • Review Technology, Information and Cyber Security policies, processes and procedures across the group and identify potential opportunities for improvement and alignment.
    • Conduct risk assessments covering the strategic arm of IT, dealing with projects, 3rd-party risks, people, and measurement of the risk culture with metrics such as count and closure rates of audit and risk issues.
    • Conduct risk assessments in areas of the IT asset management lifecycle, both logical and physical, and make appropriate recommendations. Prior experience in asset management software such as a CMDB is an added advantage.
    • Conduct risk assessments of incident management and response measures.
    • Perform compliance reviews against various laws and standards including data protection, PCI DSS, ISO 27001, SWIFT CSP etc.
    • Work with the first line of defence IT team to get buy-in on recommendations and walk with the team to ensure full implementation.
    • Assist in compiling and reviewing management and board reports to ensure consistency and accuracy of the information contained and proper follow-through of actions.
    • Monitor allocated Key Risk Indicators, ensuring clear escalation and action on detected breaches.
    • Maintain the risk registers with updated risk treatment plans and dates to ensure effective control design and operation.
    • Ensure sufficient coordination across all subsidiaries so that technology, information and cyber risks are sufficiently identified and reported upon.
    • Track major IT and cyber security incidents, both internal and external, ensuring that lessons learnt are appropriately documented and implemented.
    • Assist in setting out the methodology and templates to be used across the group for TICS risk assessments and reporting.
    • Work closely with the IT teams to ensure that innovative ideas are implemented through a clear risk and opportunity assessment.
    • Support the definition of the TICS risk appetite statements.
    • Review and advise on the risk control self-assessments (RCSAs) performed by 1LOD teams for the allocated risk subtypes.
    • Assist in investigations when required to.

    Qualifications

    Ideal Candidate

    • Bachelor's degree in Computer Science, Information and Cyber Security, Technology or equivalent
    • 5 years of relevant experience in information security or risk management, audit, or information assurance, preferably in the banking and financial sector
    • Must have CISA (Certified Information Systems Auditor) certification
    • Must have CCSP (Certified Cloud Security Professional) certification
    • Other ISACA related Certification (e.g., CISM, CRISC or CGEIT) * Added advantage
    • Consistently able to demonstrate or articulate value proposition
    • Candidates must have hands-on experience in performing risk assessments in diverse technology environments
    • Good understanding of technology infrastructure, networks, and database management systems.
    • Good understanding of cloud computing technologies and the Microsoft Azure environment.
    • Expertise in Linux machines; Kali and Parrot recommended.
    • Familiar with various operating systems and databases
    • Ability to both assess priorities and to focus on work in a structured fashion which delivers results
    • Sound judgement and anticipation
    • Strong integrity, independence, and resilience
    • Deliver with minimal supervision.
    • Avid researcher of best practices and happenings in the global cyber space.
    • Engage key stakeholders on actions required.
    • Team player and contributor.
    • Strong problem-solving and persuasive skills and an ability to grasp abstract concepts and complex technology situations to challenge the status quo and further develop and build on our TICS Risk Management Framework.
    • Excellent communication skills, both verbal and written, with the ability to initiate and lead conversations with technology and business leaders and risk colleagues regarding anticipated and emerging issues.
