Job Purpose: 

The role holder will be responsible for defining and running the service management framework of the Group Information Security organization in order to ensure optimal performance of the Information Security function. The role holder will establish the measuring, monitoring and reporting standards for Information Security services and establish robust internal & external stakeholder engagement.

Job Responsibilities/ Accountabilities:

• Define a security service assurance model for Group Information Security services
• Develop and establish service standards for services offered by Group Information Security to technical and business stakeholders
• Develop metrics and monitoring thresholds and reporting for the Group Information Security function. This includes people functions, projects, internal services, vendors, operations etc.
• Define a GIS reporting framework for Group and Subsidiaries, relevant to various stakeholders and governance committees, including but not limited to Board, Exco, MDs of Subsidiaries, CIOs and Business Unit Heads, business and operational teams.
• Measure, track and report on performance of programme delivery, projects and roadmap activities delivered by Group Information Security teams (Cyber Defence Operations, Enterprise Security Architecture)
• Define SLAs (Service Level Agreements) for services offered by Group Information Security and by outsourced suppliers, and manage and report on SLA achievement
• Work with the Group Information Security teams to define and measure their process outputs and establish regular reporting of the same.
• Develop and provide regular reports on the effectiveness of Group Information Security management to Senior Management and manage and track the outcomes related to security.
• Setup and manage internal and external stakeholder forums & meetings for deliberation on service outcomes, and track the outcomes.
• Track and monitor vendor and partner service deliverables and SLAs, and report on deviations to agreed service levels.
• Conduct regular benchmarking with industry peers on service standards, for improvements and adoption within the Bank
• Group Information Service management across at least 13 domains in all the Technology functions and in at least 7 markets of Equity Group

Qualifications
Knowledge and Experience

• Bachelor’s Degree in Information Technology, Information Security, Engineering or similar area of study
• Hold relevant industry certifications (ISO 27001, ITIL etc.)
• Minimum 6 years of experience in Information Technology.
• Knowledge of information security operations and concepts such as cyber-attacks and techniques, threat vectors, risk management, incident management etc.
• Experience with industry standard frameworks (ISO 27000, ITIL, NIST, PCI DSS).
• Experience in project & vendor management
• Ability to effectively provide briefings to business and technical stakeholders on Information Security performance

Key Critical Competencies

• Excellent in preparation of reports, dashboards and documentation
• Excellent communication and leadership skills
• Ability to handle high pressure situations with key stakeholders
• Good analytical skills; ability to provide intuitive reports & dashboards from a variety of data sources.
• Good problem solving and Interpersonal skills
• Good knowledge of Bank’s infrastructure, networks and systems

The role holder will be responsible for overseeing the security framework to ensure security controls are in place in the Bank, identify threat scenarios, quantify risks and work with stakeholders to ensure effective mitigation controls are in place, and ensure compliance with all relevant regulatory requirements. Additionally, he/she will be responsible for overseeing group vulnerability posture (vulnerability management), performing Risk & Control Assessments and design of cybersecurity controls.

Job Responsibilities/ Accountabilities:

• Implement the Bank’s cyber security assurance program, enforce the cyber security policy / framework and ensure up-to-date information security policies, standards and cyber risk management plan are in place.
• Drive security and risk assessments with Technology, and work with the Information Security, Enterprise Risk and Audit teams across the Group to review compliance and audit requirements for Information Security and ensure they are addressed.
• Analyse and provide remediation guidance for identified weaknesses or vulnerabilities; validating and verifying appropriate remediation
• Ensure that Equity Group maintains a current and comprehensive cyber asset and user register.
• Ensure that the Bank maintains a current enterprise-wide knowledge base of its users, devices, application and their relationships
• Design cybersecurity controls with the consideration of users at all levels of the Bank, including internal (i.e. management and staff) and external users (i.e. contractors/consultants, business partners and service providers), and work closely with the various business and technology teams to identify and select the right security controls to protect Equity’s network & IT infrastructure, cloud and IoT solutions
• Monitor the control environment, identifying security gaps, evaluating and implementing enhancements
• Incorporate the utilization of scenario-based analysis to consider a material cyber-attack, mitigating actions, and identify potential control gaps.
• Ensure that the roles and responsibilities of managing cyber risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
• Conduct assessments on the effectiveness of the approved cybersecurity program and provide detailed exceptions to the approved cybersecurity policies and procedures.
• Report on any residual risk or security exposures against the security standards, policies and noncompliance and provide actionable recommendations.
• Work with the application functions, network teams and IT infrastructure teams to identify and assist with the implementation of Security policy, process, people and technology improvements.
• Ensure that information systems meet the needs of Equity Group and that they comply with the overall business strategies, ERM framework, risk appetite and ICT policies.
• Evaluate outsourced/third-party technologies and hosting environments to ensure they provide adequate protection for the processing, transmission, and storage of Equity Group’s information; validating that security controls are designed properly, perform effectively and align to Group Information Security
• Keep up to date with the latest security and technology developments, research/evaluate emerging security threats and ways to manage them.
• Participate in organizing of professional cyber related trainings to improve technical proficiency of staff and user awareness trainings for improved cyber hygiene.
• Recommend implementation of capabilities to enable an optimal Information Security control environment; directly responsible for significantly contributing to the overall security posture, stability and resiliency to the Equity environment and security solutions
• Use of advanced analytic tools to determine emerging threat patterns and vulnerabilities.
• Ensure timely update of the incident response mechanism and Business Continuity Plan (BCP) based on the latest cyber threat intelligence gathered.
• Put in place BCP and disaster recovery test plans to ensure that the Bank can continue to function and meet its regulatory obligations in the event of an unforeseen attack through cyber-crime.
• Ensure adequate backups of critical IT systems and data, in line with predetermined recovery objectives,  are carried out to a site that is unlikely to be affected by a disaster event at the main processing site.
• Conduct regular benchmarking with other companies and organizations within and outside the industry
• Technical assurance including vulnerability management and management of security controls environment across at least 13 domains in all the Technology functions and in at least 7 markets of Equity Group

Qualifications
Knowledge and Experience

• Bachelor’s Degree in Information Technology, Information Security/Assurance, Engineering or similar area of study
• Hold relevant industry certifications (CISSP, CEH, CISA, CISM, etc.)
• Minimum 6 years of experience, with at least 2 in management and 4 years in technical assurance.
• Experience in vulnerability management and penetration testing in applications, APIs, network devices configuration review, network architecture review etc. 
• In-depth knowledge of security concepts such as cyber-attacks and techniques, threat vectors, risk management, incident management etc.
• Experience with industry standard frameworks (ISO 27000, NIST, PCI DSS).
• Knowledge of various operating system flavors including but not limited to Windows, Linux, Unix
• Knowledge of applications, databases, middleware to address security threats against the same.
• Knowledge of a number of the following security concepts & controls: Strong Authentication, End Point Security, Internet Policy Enforcement, Firewalls, Web Content Filtering, Database Activity Monitoring (DAM), Public Key Infrastructure (PKI), Data Loss Prevention (DLP), Identity and Access Management (IAM).
• Ability to effectively provide briefing to the business stakeholders regarding ongoing security incidents and threat Levels.

Key Critical Competencies

• Proficient in preparation of reports, dashboards and documentation
• Excellent communication and leadership skills
• Experience in vendor management
• Ability to handle high pressure situations with key stakeholders
• Good Analytical skills, Problem solving and Interpersonal skills
• Deep knowledge of Bank’s infrastructure, networks and systems