Digital Risk And Compliance Mgmt.

Experience: 8 to 10 yrs.

Core Skills/Expertise

• Assess and manage cyber, information, and security risks associated with the technology environment, digital business processes, and third-party/partner engagements.
• Drive internal audit and compliance to industry standard frameworks (NIST, CIS, PCI DSS, OWASP SAMM, ISO ISMS, ISO BCMS, ISO Risk Mgmt. etc.).
• Build a culture of cyber judgment through awareness and education.
• Conduct periodic cyber drills, and BCP drills to assess and address gaps in critical response processes.
• Coordinate periodic security testing (e.g. penetration testing) and prioritize and manage response activities.
• Establish, evolve and govern security metrics L1, L2, L3 for operational governance and executive reporting.
• Conduct Risk Assessments, identify security risks, and develop Risk Treatment Plans for risk mitigation and track for implementation
• Develop/update information security and privacy policies, procedures
• Perform security and compliance assessments on new and existing systems, processes, and technology.
• Perform and investigate internal and external information security risk and exceptions assessments.
• Assess incidents, vulnerability management, scans, patching status, secure baselines, penetration test results, phishing, and social engineering tests and attacks.
• Work with various business units to ensure controls are adequate, appropriate, and effective.
  
• Work closely with the Security Operations team; assist the CISO in providing oversight and challenge to the First Line of Defence team.
• Assist with updating the Third Party Risk Management framework including policy, procedures, due diligence questionnaires, and the monitoring of third parties adherence to information security and data privacy obligations.
• Assist with the client management aspects of the Information Security team, including client and potential client questionnaires; help design a more effective process including a self-service process and a library of standard responses.
• Develop relevant metrics, analyze data, identify trends, and help drive improvements to the control environment.
• Assist the CISO in GRC and general information security issues as required, including interaction with the Security Operations team, Technology teams, and business leaders.

Technical Qualifications:

• Experience in leading an ISMS as part of an ISO 27001/NIST-compliant programmer.
• Significant experience with security standards and frameworks such as ISO 27001, ISO 22301, NIST CSF, NIST 800-53, SOC 2, etc.
• Recent experience of working in a similar capacity in a retail industry firm.
• Excellent interpersonal skills, comfortable working at all levels within an organization and in a wide variety of situations.
• Relevant industry certifications (e.g. CISSP, CISM, CCSP, etc.)
• Broad level of knowledge of security and risk issues and techniques across platforms.
• Excellent knowledge of methodologies, processes, and tools associated with supporting this function effectively.

Educational Qualifications:

• Bachelor or higher education in Computer Science, IT, Information Security or similar.

Indicative KPIs

• Number of Critical or High Audit Findings
• Audit Exceptions Index (this can be calculated by: Audit Exceptions / Audit Findings)
• Control Test Failures (by Criticality)
• Number of Policy Exceptions and/or violations
• Avg. Duration of Policy Exceptions
• Number of Open Critical / High findings (via Risk Assessment)
• Average Time to Remediate Risk
• Number of Incidents by Category
• Critical or High Incidents Frequency
• Vendor privacy reviews/risk assessments (Planned, Completed, Findings)
• Vendor control assessments (Planned, Completed, Findings)