Job Purpose:
To develop, manage, and execute Information Security Governance, Risk and Compliance across Mashreq to:
- Contribute strategically to the bank’s success and enable the business and technology strategy of the bank to expand with secure and reliable service offerings.
- Navigate compliance complexities and support compliance with information security requirements across regions,
- Ensure the confidentiality, integrity, and availability of our sensitive information and IT assets, and a proactive approach to building a resilient security posture, and
- Empower a security-conscious culture - all while.
Policy, Governance & Culture:
- Information Security Framework, Policy, and Standards: Lead the development and implementation of a comprehensive information security framework, policies, and standards to ensure the organization’s information assets are adequately protected.
- Ensure group practices are in line with security standards like ISO 27001, NIST and others.
- Security Governance and Reporting: Ensure preparation, delivery and follow-up of the key ISG committees, including the Information Security Committee, Business Engagement meetings, ORC and BRC, with quality and on time. Obtain all required reviews and approvals in a timely manner.
- KPI & KRIs: Enable and monitor key security metrics, Key Performance Indicators (KPIs), and Key Risk Indicators (KRIs) as required to measure the effectiveness of the information security program.
- Cyber Culture: Promote a culture of cyber security awareness across the organization.
- Develop and deliver training programs to enhance employees’ understanding of cyber threats and preventive measures.
- Facilitate and foster activities to create information security culture and behavior across the organization.
- Peer Security Engagement: Collaborate with peers across the organization to share and implement best practices for information security. Foster a culture of continuous learning and improvement. Develop and implement, in collaboration with FP&I, HR and Communication at minimum, a security behavior and culture program. Update and align existing content, particularly online and induction training, to ensure continuous alignment with business needs, the internal and external threat landscape, and regulatory requirements.
- Audit Support: Enable the Information Security department in preparation for internal and external audits and be at the front line to support audit activities. Manage internal and external audits on ISG; track and manage timely remediation.
- Global Support: Support regional CISOs with governance activities, including formulation of and adherence to local policies and procedures in line with Group policies and local regulatory requirements.
- ESG (Environmental, Social, and Governance): Ensure that the organization’s cyber security policies align with ESG principles. Monitor the impact of these policies on the organization’s ESG performance and reporting as required.
Cyber Strategy & Program Management:
- Cyber Strategy: Support Head of IS GRC in developing and managing the bank’s 3-year Information Security strategy. Update annually based on changes in business priorities and evolving threat and risk universe.
- Regularly review and provide feedback to improve the organization’s cyber security practices, the policies and procedures to reflect changes in the cyber threat landscape.
- Cyber Planning & Budgeting: Support Head of IS GRC in budget planning and managing ISG budget and expenses globally.
- Cyber Strategic Initiative/Program Management (PM): Oversee the implementation of cyber security initiatives sponsored by Head of Information Security to ensure their success and completion in line with strategy, budget approvals and business priorities.
- Security Service Management: Manage the Information Security services related to IS GRC and review and provide feedback on other information security services from ISG to assure that these services effectively mitigate cyber risks and comply with relevant regulations.
- Cyber Workforce Alignment/Talent Management: Align the cyber security workforce with the organization’s needs.
- Consult with business heads to enable BISO (Business Information Security Officer) to drive Mashreq’s information security and privacy agenda within the business unit.
- Cyber Organization Alignment: Align the organization’s cyber security strategies and policies with its business objectives. Ensure that all departments understand and adhere to important cyber security protocols.
- Bank’s Security Posture Management and Benchmarking: Regularly assess and benchmark the organization’s security posture against the industry and peers.
- Cyber Best Practice Sharing: Regularly share updates on the latest cyber security best practices. Encourage teams to incorporate these practices into their daily operations.
- Cyber Risk Quantification: Quantify the organization’s cyber risks. Use qualitative or quantitative methods to assess the potential impact of cyber risks on the organization.
Risk & Compliance:
- Risk Life-Cycle Management: Define the risk lifecycle management process for the bank in alignment with ERM and ORM and enable the same in the ISG GRC solution to support the unit.
- Act as a trusted advisor to Business when supporting risk-based decisions.
- Assure that Information Security exceptions are documented, effectively assessed, approved by the respective risk owners and tracked to closure.
- Third-party Risk Management: Oversee the management of third-party risks. Ensure that all third parties the organization deals with comply with the organization’s information security requirements, in alignment with the Bank’s TPRM framework.
- Perform security risk assessments as per the annual plan and ensure documentation of all key risks in the GRC platform for tracking and remediation.
- Information Security RCSA (Risk Control Self-Assessment): Enable and monitor the effectiveness of the Information Security Risk Control Self-Assessment process to identify and manage information security risks.
- Cyber Risk Management: Manage the organization’s cyber risks by maintaining a mechanism to identify the key cyber risks to the organization, document and report them, and track them effectively to closure.
- IS GRC Solution Management: Be the business owner of the bank’s GRC platform for ISG and oversee the management of the organization’s IS GRC solution.
- Support local CISOs / IS SPOCs in regulatory audit discussions and with data required from ISG, and enable the local CISOs with Prism access to onboard open issues for centralized tracking and governance.
- Internal IS Controls & Reporting: Enable Information Security control framework for the bank and provide regular reports on the effectiveness of these controls.
- Regulatory Compliance Management: Oversee the organization’s regulatory compliance with respect to information security. Ensure that all regulatory requirements are identified, documented, and complied with. Oversee and assure compliance with the Cyber Security Frameworks of the various Central Banks, including HO and International operations.
- IS Regulatory Obligation Register: Develop and maintain a register of all information security regulatory obligations. Ensure that the register is regularly updated and reviewed.
- IS Regulatory Calendar & Task Management: Manage the IS regulatory calendar and ensure that all regulatory tasks are completed on time. Identify frequency-based regulatory requirements related to ISG from HO and International regions, and develop and release an annual regulatory activity calendar on the GRC solution for effective tracking and governance.
- Oversee and support key regulatory projects from a second-line perspective to ensure the bank is compliant with key regulatory frameworks, i.e. PCI-DSS, SWIFT CSP and NESA IAS (Information Assurance Standard). Identify and ensure compliance with regulatory requirements through proactive collaboration with business units and local CISOs.
- Regulatory Submission: Govern all regulatory submissions related to information security/ cyber security across the regions with supporting data required from ISG.
- Govern regulatory mandated information security / cyber security regulations and standards across the regions including cyber security framework in India, Kuwait, Egypt, NESA, SWIFT-CSP, PCI-DSS, DFS500, FFIEC, and HKMA-CFI etc.
- Regulatory Liaising: Act as regulatory liaison officer, coordinating with government officials within central banks and other government entities to facilitate the security agenda.
- IS Regulatory Watch Forum Governance and Reporting: Govern the IS Regulatory Watch Forum, provide regular reports on its activities, and raise awareness among senior managers of the bank of potential regulatory risk.
Knowledge, Skills, & Experience:
- A mid-to-senior level officer with sound knowledge and expertise in information security risk management, with experience of managing enterprise projects and of direct and indirect relationships with senior and executive management.
- Strong experience and knowledge across the Information Security and Cyber Security domains, including governance, policy and procedures, compliance management, risk management and security incident response, etc.
- Strong experience in Banking environment with strong understanding on key security frameworks such as ISO27001.XX, NIST 800.xx, PCI-DSS, SWIFT CSP, COBIT etc.
- Strong interpersonal, analytical, and technical skills, with strong decision-making and prioritization skills.
- Sound knowledge of evolving advanced tech stacks and related control and risk universe.
- Sound knowledge and expertise in conducting risk assessment.
- 10+ years of rich experience in the information security domain and at least 2-3 years of dedicated experience in one of the GRC domains (Policy, Governance and Culture; Cyber Strategy & Program Management; and Risk and Compliance).
- Professional certifications: CISA, CISSP, PCI-QSA, SABSA, etc.