Purpose & Overall Relevance for the Organization:
The role is responsible for all efforts to reach a state of continuous compliance by partnering and engaging with our technology, business, and brand teams to adhere to policies, reduce security risks and maintain compliance. Part of overall duties is to establish, maintain and advance the information security governance framework.
- Implementing an overall Information Security risk management process for the organization, which includes an analysis of the financial and/or other impacts on the company when risks occur
- Performing Operational Information Security risk assessment and evaluation: Analyzing current risks and identifying potential risks that are affecting the company
- Executing the 3rd Party Information Security Risk Assessments as per the established process. Collecting/reviewing data from multiple sources to assess a third party’s security
- Risk reporting tailored to the relevant audience.
- Reviewing any new major contracts or internal business proposals from Information Security Risk perspective
- Acting as subject matter expert on risk-based security reviews and building risk awareness amongst staff by providing support and training within the company
Enterprise Information Security governance
- Reviews current and proposed information systems for compliance with the organization’s obligations (including legislation, regulatory, contractual and agreed standards/policies) and adherence to overall strategy.
- Provides specialist advice to those accountable for governance to correct compliance issues.
- Assesses and manages risks around the use of information.
- Provides reports on the consolidated status of information controls to inform effective decision making.
- Recommends remediation actions as required.
- Ensures that information is presented effectively.
- Provides advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards.
- Obtains and acts on vulnerability information and conducts security risk assessments, business impact analysis and accreditation on complex information systems.
- Investigates major breaches of security and recommends appropriate control improvements.
- Contributes to development of information security policy, standards and guidelines.
- Interprets information assurance and security policies and applies these in order to manage risks.
- Provides advice and guidance to ensure adoption of and adherence to information assurance architectures, strategies, policies, standards and guidelines.
- Uses testing to support information assurance.
- Contributes to the development of policies, standards and guidelines.
Business risk management
- Carries out risk assessment within a defined functional or technical area of business.
- Uses consistent processes for identifying potential risk events, quantifying and documenting the probability of occurrence and the impact on the business.
- Refers to domain experts for guidance on specialized areas of risk, such as architecture and environment.
- Co-ordinates the development of countermeasures and contingency plans.
- Contributes to the collection of evidence and the conduct of formal audits or reviews of activities, processes, data, products or services.
- Examines records for evidence that appropriate testing and other quality control activities have taken place and determines compliance with organizational directives, standards and procedures.
- Identifies non-compliances, non-conformances and abnormal occurrences.
- Conducts formal reviews of activities, processes, products or services.
- Collects, collates and examines records as part of specified testing strategies for evidence of compliance with management directives, or the identification of abnormal occurrences.
- Analyses evidence collated and drafts part or all of formal reports commenting on the conformance found to exist in the reviewed part of an information systems environment.
- Implements stakeholder engagement/communications plan.
- Deals with problems and issues, managing resolutions, corrective actions, lessons learned and the collection and dissemination of relevant information.
- Collects and uses feedback from customers and stakeholders to help measure effectiveness of stakeholder management.
- Helps develop and enhance customer and stakeholder relationships.
- Global Tech and Product Areas
- Respective business function (GOPS, Finance, HR, Brand Marketing, Wholesale/Retail)
- HR Management
What we are looking for:
- Strong understanding of Information Security risk and governance
- Experience in key operational risk categories (vendor, data privacy, technology, cyber, fraud), internal audit, or other operational risk area
- Knowledge of risk management frameworks, both qualitative and quantitative
- Skills in information security consulting with technical oversight
- Ability to lead and influence across multiple levels
- Stakeholder management experience working with senior level stakeholders to deliver change
- Proven experience with co-ordination of many dependencies and multiple demanding stakeholders in a complex, large-scale deployment environment
- Ability to manage a diverse and challenging stakeholder community
- Strong organizational, verbal, and written communication skills
- Ability to adapt to a dynamic environment
Requisite Education and Experience / Minimum Qualifications:
- Four-year college or university degree with focus on Business Administration or IT or related areas, or equivalent combination of education and experience
- Proficient spoken and written command of English
- At least 7 years of experience in IT / Information Security
- 5 years of experience in relevant area
- 2 years of experience in team management
- Strong understanding and knowledge of the regional and global market landscape and the respective customer
- Experience managing critical elements of cross-functional and regional projects