Chief Information Security Officer
- Full-time
- Business Segment: Group Functions
Company Description
Standard Bank Group is a leading Africa-focused financial services group, and an innovative player on the global stage, that offers a variety of career-enhancing opportunities – plus the chance to work alongside some of the sector’s most talented, motivated professionals. Our clients range from individuals, to businesses of all sizes, high net worth families and large multinational corporates and institutions. We’re passionate about creating growth in Africa. Bringing true, meaningful value to our clients and the communities we serve and creating a real sense of purpose for you.
Job Description
To provide Information Security services i ensuring that technology policies and controls are in place to prevent reputational, financial or other losses through the efficient and effective application of InfoSec expertise as per Group guidelines and standards. To execute security governance (Business-As-Usual (BAU) and Cyber Resilience Programme, Data Protection, platform partner relationships) and execute and oversee all local organisational InfoSec capabilities
Adhere to all local regulations as it relates to reporting of security incidents or getting approval for any outsource arrangements / offshoring where applicable
Adopt the Group Information Security measurement and reporting frameworks and processes in Country, report on Information Security breaches, non-compliance and deviations, achievement of Group KPIs and recommend mitigating strategies based on Information Security trends
Adopt the Risk Viability Feasibility (RVF) framework to ensure sufficient protection of clients money, data and time (aiming to reduce / mitigate the three risks that security strategies).
Analyse critical vulnerabilities, establish country applicability and formulate plans and actions to address security issues in the short and long run as needed
Anticipate local trends, identify probabilities and interpret impact in the country technology, use as input to adapt the country security strategy
Apply knowledge of domestic banking industry, including knowledge of regulatory requirements of local markets e.g., SARB, UK, Nigeria to make visible and influence data protection information security requirements enabling Country Business strategies, and ensuring that personal data is handled in accordance with an individual's rights and privacy as determined by the Risk Reporting and Rest of Africa implementation of the Risk Data Aggregation and Risk reporting (RDARR) programme
Assess information security risks and trends in attacks and tactics in Country, and develop the overall Information Security strategy in Country, in collaboration with Group Information Security
Collaborate with suppliers and or contractors to explain and enforce SBG Information security policies to ensure the protection of intellectual property and data in Country
Conduct information security assessments against all critical third parties / material outsource arrangements in country against Group standards and ensure that risks are appropriately managed
Develop fit for purpose risk remediation plans, supported by the country security RVF strategy, based on identified information security risks, vulnerabilities, audit findings, policies and regulatory requirements and follow up on all audit findings and provide guidance, supervision and assistance in the implementation of remedial action to prevent significant reputational, financial or other losses in country
Develop internal Information Security expertise and awareness through regular updates, awareness sessions and coaching of Technology staff to improve the security posture in Country
Develop situational awareness by attending industry forums (e.g. financial institutions, professional bodies) to build networks, share knowledge, keep abreast of trends, and obtain knowledge that will contribute to the Groups situational awareness, and enable the achievement of Information Security strategies and objectives in Country
Drive and champion a positive risk culture and attitude establishing appropriate Information Security risk oversight and governance processes and structures in Country, taking responsibility for ensuring compliance to all information and cyber security country regulations
Drive strategic engagement with the wider Group entities, enhancing collaboration and understanding of the security capabilities across the organisation, to harness synergies
Establish a comprehensive security awareness program for country covering all stakeholder groups leveraging the tools and practices established by Group
Establish and periodically review the information security organisational structure, and roles and responsibilities for organisational Security in line with the Group security strategy and toolbox. Develop and maintain the security resourcing strategy with consideration for appropriate balance between FTEs, contractors, consultants and third-party provided services (such as managed services)
Examine and oversee adherence to Group Information security practices, protocols, standards, guidelines as well as industry practices best practices, in Country
Identify and address areas where Country needs to review Data protection security strategy, policy, or procedure, and increase employee awareness and training accordingly
Identify root causes, have a clear plan of action and work collaboratively with the relevant stakeholders on the remedial actions to prevent recurrence, ensuring adequate coverage of all security capabilities within appetite and confirming that all gaps are appropriately escalated to the Chief Risk Officer and country technology risk committees
Implement and oversee the required local information security capabilities when local partners are selected and onboarded onto platforms in support of engineering partnerships strategies, and information security services that provide adequate protection during the delivery of solutions to Clients
Implement guidelines, as developed by the Head Data Governance, for maintaining the security of the systems and platforms to protect client information and to build an ecosystem of trust and integrity with users, partners, suppliers and clients to create new and more value-driven opportunities for clients through data in country
Implement information security standards as directed by Group Information Security to allow for legitimate, reputable information security solutions in Country
Implement InfoSec solutions such as, but not limited to, Data protection Security solutions and engineering partnership solutions by working with projects and business areas from initial design through build and test, as required ensuring the compliance to SBG Information security policies and protection of intellectual property and data
Implement other local security initiatives based on unique country requirements driven by risk or regulation
Implement the Engineering & Technology partnership strategy to support Client Segments, Client Solutions, Innovation function in delivering to the SBG platform aspirations by enabling interoperable information security partnerships that will secure 3rd party involvement in ecosystems in country
Implement the Group Cyber Resilience Technology Standard in country and adapt based on country context
Interpret local and international legislation, and lobby industry thought leaders in country to implement appropriate safeguards to secure engineering partnerships, satisfying the relevant regulator and aligned to a risk-based Group information security strategy applicable in country
Lead local execution of the information security strategy, to ensure a consistent customer experience, aligning and innovating on toolbox to increase the efficacy in the local market
Lead the selection of local partners and vendors to implement the required local information security capabilities and services in Country
Monitor processes that maintain the platform health of country technologies in accordance with Group standards
Participate in incident simulations and post-mortems and ensure that all lessons learnt are tracked and implemented
Partner with security vendors and or providers through a preferred suppliers list, and coordinate across Group Information Security to manage the RfI/RfP processes and procurement activities required
Partner with the CIO and provide the security support to lobby regulators for a more progressive position on technology transformation e.g. through cloud adoption, SaaS, fintech and open banking. Notify and consult with Group on any imminent information and cyber security regulations
Partner with the Risk and Audit functions to ensure sufficient challenge and support of the country security priorities as represented in the RVF
Plan and execute regular awareness initiatives (road shows) focusing on relevant emerging Information Security technologies, industry trends, specific strategies, tools and technologies to relevant stakeholders
Plan relevant penetration testing throughout the year in accordance with the penetration testing standard using Group approved partners (if outsourced).
Prepare annual financial forecasts and budgets to facilitate the management and operations of Country Information Security formulating and gaining acceptance for annual budgets
Provide information security expertise during implementation of InfoSec strategies relating to data protection such as authorised access to data, protection of data in transit across networks, sensitive data with appropriate measures for compliance and privacy constraints in country
Provide security consulting on all new systems, applications and/or infrastructure, define security requirements, manage expectations on the end-to-end security engagement and advise the CIO and/or business owner on the security readiness as part of the go/no-go decision process
Provide thought leadership and share knowledge on InfoSec trends and data protection security to influence the information security community and increase expertise and knowledge in country
Work closely with all relevant stakeholders to ensure a safe and secure technical integration of partners, including API management, into SBG ecosystem, providing InfoSec expertise and guidance in country
Work closely with Group Information Security in translating Information Security strategies and capabilities for mandatory execution in country, review and update Information Security policies aligned to the Country Technology and Group Information Security strategy, including delivering information security data protection capabilities and support of sustainable platform partner community relationships
Qualifications
Type of Qualification:
Post Graduate Degree in Information Technology
CISSP
Experience Required
5-7 years
Good working knowledge and experience with the implementation and management of information security policies and frameworks within a corporate environment.
Management experience working with individuals and teams from diverse cultures
5-7 years
Strong IT understanding, gaining insight into digital and platform operating models and cyber security trends and solutions
8-10 years
Experience in an InfoSec or Audit role within the banking and /or financial services sector. Experience working in a multi-vendor and outsourced and multi-system IT environment. Sound knowledge of policies (including but not limited to Protection of Personal Information Act (POPI), financial market acts, International Financial Reporting Standards (IFRS) and Business Unit specific regulatory requirements/legislation. Knowledge of DAMA Framework for end-to-end Information Lifecycle
By clicking the link above or any third-party link within this posting, you are leaving this site and going to a third-party website where the third-party website's terms and privacy policy apply