Chief Information Security Officer at Standard Chartered Bank
Standard Chartered Bank - We're an international bank, nimble enough to act, big enough for impact. For more than 160 years, we've worked to make a positive difference for our clients, communities, and each other. We question the status quo, love a challenge and enjoy finding new opportunities to grow and do better than before. As a leading international bank, we strive to help people and businesses prosper across Asia, Africa and the Middle East.
We are recruiting to fill the position below:
Job Title: Chief Information Security Officer
Job ID: 711
Location: Victoria Island, Lagos
Area of interest: Technology
Job type: Regular Employee
Work style: Office Working
Job Summary
- We are establishing a capability to successfully implement and embed the new Information and Cyber Security (ICS) Risk Type Framework (RTF) across the Group and countries in the region/cluster to bring consistency in the identification and mitigation of ICS Risks.
- The CISO (Nigeria) will drive the adoption and implementation of the framework across the delegated countries.
- This role will require a hands-on approach to understand, embed, and guide Nigeria on the ICS RTF to maximize risk reduction and capability improvement, while meeting compliance and legal obligations, and minimising client impact.
- The role will require an end-to-end view of all ICS activities, with regular risk assessment, tracking, follow-up and reporting at the relevant forums.
- The role will provide exceptional leadership, maintain highly constructive relationships with key stakeholders, and possess strong security risk framework knowledge to mobilize effort and commitment.
- He/she will execute a robust and efficient plan to roll out the ICS RTF by working with key stakeholders including Chief Technology & Operations Officers (CTOOs)/ Chief Information Officers (CIOs) direct teams, CISO teams and Security Technology teams.
- The plan will incorporate digital footprint discovery, risk assessment, definition and implementation of controls as guided by the ICS RTF and tailored to the relevant areas.
- CISO authority for countries in scope (Nigeria, rest of Africa countries).
- Supporting Africa and Middle East in the implementation of the ICS Risk framework including working with stakeholders to identify, assess and rate the information assets, build out the risk profile per the framework, initiate risk assessments and put together treatment plans.
- Use qualitative and quantitative data sources to validate Key Control Domains (KCD) and associated controls, accelerate risk assessment process, validate business risk profile, and develop action plans to remediate to bring ICS risk back into appetite.
- Undergo the Threat Scenario-based risk assessments in-country.
- Development of risk treatment plans for the assigned areas in conjunction with the business and technology teams. Interface with other areas to ensure dependencies are known and prioritised. Negotiate timelines to ensure proper remediation by maintaining support and organizational alignment.
- Adapt to emerging and horizon risks and address issues to maximize outcomes. Urgent and timely action for risks and issues which adversely impact cyber risk profiles.
- Coordinate and plan for cyber crisis management exercises, build response and recovery capabilities, workarounds, ensure up to date playbooks etc. Assist with other cyber activities underway.
- Follow up on identified thematic cyber issues, develop processes to prevent issues from recurring and ensure cyber hygiene across the whole portfolio.
- Provide regular status updates including progress, top risks and issues to the respective country and regional forums for the relevant domains. Track RAG status, key milestones, risks, dependencies, and issues.
- Interface into Technology forums to ensure security technologies are operating with input from countries and be actively involved in the roadmap of these technologies.
Key Responsibilities
Business:
- Ensure ICS risks in the respective market are proactively managed and effectively controlled, mitigated and remediated with senior stakeholders' support and buy-in, in line with Group, Region, Country, Business/Function risk appetite and regulatory driven requirements.
- Assist in establishing priorities in partnership with the C-level Management and take responsibility for resolving security issues.
- Ensure Critical Information Assets are identified and graded appropriately. Monitor changes in the risk profile of the highly critical systems.
- Support Group initiatives ensuring the respective business / function / region needs are represented effectively.
- Face off to the ICS subject matter experts in Group Business lines
- Ensure that the management of ICS risk is effective and operating efficiently in the respective business / function for the country.
- Assist in driving security culture/awareness and help improve readiness for a cyber event.
- Ensure information risks are identified, assessed, mitigated, and controlled.
Governance:
- Monitor ICS risk profile and posture and report any non-compliance to senior management or governance committees.
- Participate and represent the respective business / function / region in Risk Committees, ICS working groups, Programme Steer Cos etc. to provide updates and influence positive outcomes for the Business/Function/Region/Country.
- Validate the accuracy and consistency of Key Risk Indicators (KRIs), Key Control Indicators (KCIs) and other risk ratings/assessments.
- Support the Third-Party Security Assessment team during 3rd party reviews.
Regulatory & Business Conduct:
- Display exemplary conduct and live by the Group’s Values and Code of Conduct.
- Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct, across Standard Chartered Bank. This includes understanding and ensuring compliance with, in letter and spirit, all applicable laws, regulations, guidelines and the Group Code of Conduct.
- Effectively and collaboratively identify, escalate, mitigate, and resolve risk, conduct and compliance matters.
- Manage the regulatory expectations of the Central Bank of Nigeria.
Risk Management:
- Drive compliance with Group policies, standards, and local regulatory requirements.
- Work closely with Information Security Risk Officers (ISROs), Regional CISO, Business and C-level Management to provide oversight, governance and monitoring, and work with various delivery owners to embed the ICS RTF.
- Understand and assess the impact of changes in the policy or procedures on the respective business / function / region and engage with the respective business / function / region Heads to ensure the impact is understood.
- Recommend additions/enhancements/changes to the ICS policy, procedures, and RTF.
Key stakeholders:
- Country C-level Management
- CTOO, West Africa
- Regional CISO and Regional ICS Team
- ICS Controls Owner
- WRB & Markets CISO team
- Banking Regulators
Qualifications
- Minimum of 10 - 12 years’ experience, with at least 7 years in a senior position in an Information and Cybersecurity capacity.
- Training:
- Strong knowledge of ICS products and operations will be preferred.
- Ability to articulate gross and residual risk, with specific ability to communicate complex technology and process risk clearly, concisely and accurately to non-technical stakeholders.
- Strong analytical skills and ability to prioritise, make decisions, and work to tight timeframes.
- Strong business acumen and deep knowledge and experience in the ICS field.
- Proven ability to lead highly complex, global activities through influence and credibility rather than command and control.
- Ability to both assess strategic priorities and to focus on detailed aspects of a function in order to drive effective delivery.
- Strong integrity, independence, and resilience.
- Strong interpersonal and stakeholder management skills, across various levels in the organization including senior leadership teams, in influencing key decisions taken in the business and in support teams.
- Strong communication skills – oral, written and presentation. Sound knowledge of MS-Excel, PPT, and Word.
- Must be a self-starter who is able to initiate and successfully drive programs and projects to completion with little or no management supervision.
- Degree in Engineering, Computer Science/Information Technology, or its formally recognised equivalent is preferable.
- One or more of the following certifications will be preferred:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Payment Card Industry – Quality Security Assessor (PCI-QSA), etc.
- ISO 27001/22301 Lead Implementer or Lead Auditor
- Certified Information Systems Auditor (CISA)
- Certified Chief Information Security Officer (CCISO)
- SANS Global Information Assurance Certifications (GIAC)
- Certified in Risk & Information Systems Control (CRISC)
- Willing and capable of travel across the countries in the portfolio if required
- A Master’s degree is desirable
Role Specific Competencies:
- Understanding of the Cyber landscape and ICS Controls within the technology environment
- Excellent organisation and leadership skills with ability to manage multiple deadlines and effectively prioritise.
- Proven ability to lead highly complex, global, pan-bank, multi-year programmes by driving collaboration and participation by Business, Functions, Regions and countries.
- Extensive change and programme management experience, ideally gained in the financial industry
- Ability to foster positive relationships with internal and external stakeholders at the appropriate level, ensuring an open C-level management environment. Be a team player.