Vice President - Head Of Security Assurance

Department: Audit & Control
129+ Applicants
Posted: 2 years ago
3-5 years
Bengaluru, Karnataka, India
Work From Office


Job Description

Vice President - Head of Security Assurance
Job number: MGS01970
Closing date: 26-Mar-2024
Job Purpose
The Head of Security Assurance will be responsible for enabling the security of Digital products and services by design and by default. He/She ensures that vulnerabilities in Mashreq’s ICT (Information and communications technology) assets are identified, risk assessed, reported and tracked for effective remediation by the IT asset owner. The scope of the IT assets includes, but is not limited to, Mashreq’s developed code, IT applications and products, IT infrastructure and network.
The Head of Security Assurance will conduct technical risk and exposure assessments, validate security control design and operational effectiveness, provide subject matter expertise on vulnerability management, and confirm that IT asset vulnerabilities have been remediated.
The Head of Security Assurance will manage an annual offensive security agenda for the bank and perform or coordinate penetration tests.
Key Result Areas
Governance
  • Develop and manage a rolling 3-year Security Assurance roadmap. Update roadmap annually based on changes in business priorities and evolving threat and risk universe.
  • Develop, implement, and maintain comprehensive policies and procedures related to Security Assurance in alignment with regulatory standards and best practices.
  • Regularly review and update policies to adapt to evolving security threats and technological advancements.
  • Engage and influence Technology departments to ensure they maintain the appropriate tools and environment to optimise security testing and outcomes.
Leadership and Team Management
  • Lead and manage the Information Security Assurance team, fostering a culture of continuous learning and improvement, and promoting the highest standards of professional conduct and ethical behavior.
Risk management
  • Identify, assess, report and drive mitigation of security risks associated with code, application and infrastructure assets.
  • Ensure compliance with regulatory requirements and internal security standards.
Code, Application, And Infrastructure Vulnerability Management
  • Introduce and drive the Secure Software Development Lifecycle program in the bank by ensuring security by design is embedded in all new development projects, including but not limited to secure code, application, API and emerging-technology practices and training, with an expanded DevSecOps, Security Champion and CI/CD focus.
  • Oversee the identification, assessment, and remediation of vulnerabilities in the bank’s code, applications, and infrastructure. This includes conducting regular vulnerability assessments and penetration tests and working closely with IT and development teams to ensure timely remediation of identified vulnerabilities.
  • Aid in automating the implementation of security controls within the development lifecycle.
  • Promote and develop vulnerability assurance initiatives to improve existing security services, including the continuous enhancement of existing methodology material and supporting assets.
  • Create threat modeling standards and practices based on industry best practice, so that identified vulnerabilities are assigned risks and severities agreed with all teams.
  • Ensure effective reporting of open risks and vulnerabilities to different teams, business groups, country CISOs and management committees.
  • Identify and highlight the obsolescence in the bank’s infrastructure as reported through vulnerability tools.
  • Ensure effective encryption and key management standards are adopted across Mashreq’s ICT to assure data and encryption keys are secured from unauthorized access.
  • Lead the bank’s red team operations, simulating cyber-attacks to test the effectiveness of the bank’s security measures. This includes planning and executing red team exercises, analyzing the results, and making recommendations for improving the bank’s security posture.
  • Calendarize and track tasks such as penetration testing, vulnerability management, Red Team Operations, secure application development and remediation of identified vulnerabilities.
  • Manage the periodic security testing program for existing and new production systems.
Security Assurance
  • Provide assurance on the effectiveness of the bank’s information security controls. This includes conducting security reviews, reviewing security policies and procedures, and reporting on the bank’s compliance with information security standards and regulations.
  • Define and maintain security baselines and technical standards for all technology platforms.
  • Create and maintain the set of unified key performance and risk indicators aligned to stakeholder requirements.
  • Work with digital teams to run an effective training program for secure development.
Collaboration and Stakeholder Management
  • Collaborate closely with cross-functional teams including Technology, Fraud Prevention and Intelligence, Compliance and business units to align vulnerability management strategies with the bank’s goals and ensure that vulnerability management considerations are integrated into business processes and decision-making.
  • Support and enable development teams and understand various development methodologies and frameworks in place and help augment existing secure coding practices within the development lifecycle.
  • Lead and support ongoing work with the product teams to perform security design/code reviews and vulnerability management within CI/CD environments.
  • Create and oversee threat hunting and emulation (red team/purple team) efforts designed to detect and repair vulnerabilities across the enterprise network, determining where the architecture lacks sufficient security controls that could be exploited by an adversary.
  • Work with third parties to ensure all outsourced work related to Security assurance is as per expectations.
General
  • Demonstrate adoption of ISG vision, mission, cultural and operational objectives. Actively support key ISG transverse initiatives.
  • Manage Security Assurance run-the-bank (RTB) and change-the-bank (CTB) activities to deliver quality results, on time and on budget. Escalate in advance any alert, risk, critical dependency or issue that arises, with options for its management, to ensure proactive management and no surprises.
  • Manage the Security Assurance RTB and CTB budget within the approved forecast.
  • Ensure preparation, execution and follow-up of regulatory examinations, audits and assessments. Those reviews shall not result in any critical or high-risk issue for ISG or for Security Assurance.
  • Ensure closure of all legal, regulatory and audit issues with the expected level of quality, on time and on budget.
  • Ensure the assurance tools used by the function are properly integrated and improved over time toward more automation and better DevSecOps practices, in line with the bank’s digital transformation.
  • Alignment with Business Priorities: the Head of Security Assurance aligns their actions and those of their department with the strategic objectives of the business.
  • Ownership and Accountability: the Head of Security Assurance takes full responsibility for their activities and their team’s, holding themselves and their team accountable for their outcomes.
  • Driving Security Risk Reduction: the Head of Security Assurance proactively drives initiatives that reduce security risks.
  • Focus on Outputs and Impact: the Head of Security Assurance focuses on delivering outputs that create a meaningful impact.
  • Innovation and Automation: the Head of Security Assurance continuously seeks innovative solutions and automates processes for efficiency.
  • Continuous Learning and Improvement: the Head of Security Assurance is committed to learning from experience and continuously improving their processes and outcomes.
  • HO and international regulators and supervisors across the jurisdictions in which the bank operates.
  • Information Security / Cyber Security Regulations and Industry best practices.
  • All business units across the three lines of defence (LOD): LOD-1 Business, Tech GRC and Technology; LOD-2 Group Compliance, Fraud Prevention and Risk Management; LOD-3 Internal Audit.
  • Cloud and Digital Ecosystem, Microservices and Open API Framework, Blockchain-related technology, Enterprise Infrastructure, Business Technology and related Applications.
  • Security frameworks such as NESA, CIS, NIST, SOC2, ISO
  • Information Security regulations: NY DFS CRR 500, FFIEC, RBI Cyber Security Framework, HKMA CRAF and SPM
  • Information Security governance frameworks such as ISO27001, NIST 800 series, COBIT, SABSA etc.
  • Data privacy regulations such as GDPR, PDPO, PDPB, PDPL etc.
  • Payment industry standards including PCI DSS, PA DSS, PCI PTS, VISA PIN Security, SWIFT CSP etc.
  • Ability to enable frameworks, solutions and processes for proactive management of code, application and infrastructure asset risks.
  • Ability to understand regulatory language and take decisions on applicability, compensating controls and residual risk.
  • Understand the problem and analyze its trigger. Ability to enable an agile framework, technology solutions and processes for proactive management of the Digital ecosystem.
  • Ability to validate root causes and evaluate solutions for problem remediation.
The Head of Security Assurance is typically a high-ranking official within an organization who has overall responsibility for supporting the Chief Information Security Officer (CISO) in achieving the organization’s security strategy and goals.
  • Consult and validate solutions to mitigate risks to the business and technology.
  • Consult and provide solutions to mitigate the risk to a level aligned with the risk appetite of the bank.
  • Ensure compliance with regulatory expectations.
Knowledge, Skills And Experience
A sufficiently senior official who has managed enterprise projects and has experience coordinating direct and indirect reports to senior management.
  • Strong interpersonal, analytical, and technical skills.
  • Strong in decision making and prioritization skills.
  • Strong experience in Banking environment with strong understanding on key security frameworks such as ISO27001, PCI DSS, NIST 800-63
  • Hands-on experience with tools such as Burp Suite and SAST/DAST/IAST tools
  • Experience in practicing and following OWASP and W3C standards for secure developments.
  • Knowledge and experience with CIS benchmarks
  • Sound knowledge of evolving advanced tech stacks and related control and risk universe.
  • Knowledge of general security concepts and methods such as vulnerability assessments, privacy assessments, intrusion detection systems, incident response, security policy creation, enterprise security strategies, etc.
  • Understanding of networking (TCP/IP, OSI model), operating system fundamentals (Windows, UNIX), security technologies (firewalls, IDS/IPS, etc.) and application programming/scripting languages (C, .NET, Java, Perl, Python, etc.) will be considered a plus.
  • Over 10 years of experience in information security, with 5-8 years’ experience managing Vulnerability Management and Application Security assessment in a financial institution/bank.
  • Several certifications such as CISM, CEH, OSCP, OSCE, GCED, CCSK, Azure Security. Certifications such as CISSP, CISA, SANS, etc. preferred.

Skills

Audit, Compliance, Internal Audit, Assessment, Risk Management, Fraud Prevention, Operations, Regulatory Requirements, Testing, Training, Governance, Assurance, Review, Banking, GRC, Reporting, Control Design, CISA, GDPR, Information Security, ISO27001, Operating System, Penetration Testing, Vulnerability Management, Azure

About Company

Mashreqbank is a leading financial institution in the Middle East, offering a wide range of banking and financial services to individuals and corporations.

Important dates & deadlines

Application Deadline: 04 May 24, 06:37 PM IST
