Sr. Mgr., Information Security & Tech. Risk Management

Purpose of the Role:
The Senior Manager, Information Security & Technology Risk Management works collaboratively with Technology teams and third parties to ensure efficient and effective delivery of information / cyber security risk management to FirstCaribbean. The Senior Manager directs and leads a team who proactively identify, assess, mitigate and communicate the Bank’s information security / cybersecurity risks as a key component of the Bank’s overall operational risk management programme. In addition, the Senior Manager is responsible for:

  • Development and implementation of the information / cyber security and technology risk management programme;
  • Delivery of high-quality security and technology risk management assessments (TRA / ISA / SSA / pen tests / deviations etc.) across a diverse set of technologies, business functions, and complexity;
  • Review of contracts and agreements with third parties as they relate to information / cybersecurity and Technology risk management;
  • Review of laws and regulations related to information security and Technology risk management to ensure compliance;
  • Management and monitoring of associated standards and guidance;
  • Interactions with regulators and auditors (internal and external);
  • Management of third party providers of security services;
  • Review of cybersecurity threat intelligence alerts and the formulation of any necessary mitigating actions;
  • Development and implementation of an appropriate security awareness programme;
  • Management of the SWIFT security attestation;
  • Generation of the information security scorecard;
  • Effective implementation of the risk management processes, including the periodic risk assessment of information assets;
  • Proactive provision of consulting services to business partners on information / cybersecurity risks inherent to the business units;
  • Collaboration with the Senior Manager, T&O Governance, Risk Management & Policy to identify and periodically evaluate information / cyber security controls and countermeasures to mitigate risks to acceptable levels;
  • Maintaining the currency of the information / cybersecurity policies, related standards and their effective monitoring; and communication, understanding of and adherence to the policies, standards and procedures bank wide as needed;
  • Identifying, analysing, and influencing the management of information risks across the organisation and for reporting significant changes in information risk to management for acceptance on both a periodic and an event-driven basis.

 

Key Accountabilities:

  • Under the direction of the Director assists with the development and implementation of the information / cybersecurity strategy.   Researches industry trends related to advances in information / cybersecurity technologies and methodologies, researches the information / cybersecurity threat landscape, understands the Bank’s strategic objectives and recommends changes to the strategy / roadmap to ensure that alignment and continued protection of the Bank’s information assets and compliance with laws and regulations.
  • Responsible for the research and identification of emerging trends in data threats, data protection, and cloud and application security and the successful implementation of programmes that will ensure and / or improve the effectiveness of risk management and protection strategies.
  • Collaborates with internal auditors, privacy officer in the legal team and wider legal team, project teams and business subject matter experts (s) (SMEs) to scope, plan, and schedule security risk assessment sessions to meet enterprise goals.
  • Responsible for the quality and timeliness of all risk assessments, cloud and application security tasks and consulting deliverables and acts as the initial escalation point to overcome barriers to success and roadblocks impeding the work.
  • Builds professional relationships across Technology & Operations and works closely with and influences senior decision makers in other departments to identify, recommend, develop, implement, and support a risk informed decision and action framework. Ensures information / cybersecurity risk inherent in systems, products, channels, processes etc. are identified and evaluated, thereby allowing informed decisions to be made.
  • Acts as a change catalyst for a risk based approach to delivery of services and systems. Proactively informs management of information / cyber risks and encourages management to consider these risks when making decisions for the delivery of systems and services. Seeks methods to inform management of the associated risk. Partners with cross-functional teams to set and manage expectations; continually seek opportunities to be a thought partner and increase internal business partner satisfaction and deepen relationships.
  • Responsible for the development and improvement of metrics, key performance indicators (KPIs), key risk indicators (KRIs),), and the identification of trends for the risk management, cloud and application security activities and drives visibility and transparency of business value for completed work.
  • Oversees and is responsible for the development and successful embedding, within the Bank, of an application security programme; robust testing of applications and API before implementation; respective teams are made aware of the application security standards; and that the tools and associated processes for the implementation of the application security standards are procured, implemented and kept current.
  • Oversees and is responsible for the development and successful embedding, within the Bank, of a cloud security programme;  the implementation and monitoring of best practices for managing security within the cloud and that the respective teams are made aware of the cloud security standards. 
  • Owns and delivers, in collaboration with internal and external partners, the Bank’s security awareness training and education (general and role specific). This will involve modifying training content to make it relevant or specific to FirstCaribbean; delivering training and reviewing training content presented by third parties to make sure it was relevant to FirstCaribbean.
  • Responsible for the effective and efficient independent project and operational reviews designed to identify information / cyber security risks and suggests compensating controls / remediation activities for management. Provides senior management with a regular view of the information / cyber security risk profile recommending areas of focus based on current and emerging threats.
  • Sets priorities, monitors performance and develops reporting for senior management, regulators and other stakeholders.
  • Leads the implementation, monitoring and compliance of the information security, cyber, and digital security policies and standards across FirstCaribbean and reports on policy and standards compliance to the executive management. Works collaboratively with partners (security vendors, etc.) to ensure that policies and standards are current and reflect best practices balanced with the peculiarities of FirstCaribbean’s environment.
  • Responsible for the completion of annual (at least) penetration tests for all customer-facing systems and ensures that all issues raised / identified are followed up to resolution.
  • Ensures that all changes, new products, new services and baseline risk assessments are completed periodically and oversees any necessary mitigating actions.
  • Delivers effective people management by providing direction, motivation, coaching and developmental opportunities to the resources within the team.
  • Oversees and is responsible for the generation of the information security scorecard. Works with external third parties to agree the scope, frequency and timing of the scorecard based on international industry standards. Works with business units to schedule the required tasks and ensures that they are completed. Reviews the output and agrees the final security scorecard report produced by the external party, including recommendations.
  • Establishes processes for following up of recommendations raised.
  • Reviews contracts and agreements with third parties to ensure sufficient legal coverage for information / cyber security risks. Works with the sourcing team to agree the terms of the contracts as required for the third parties.
  • Responsible for the management and maintenance of supporting security tools to ensure that they are functioning as intended.



Critical Knowledge & Skills Required:

  • Direct knowledge in and experience of assessing risk in agile software development environments would be an asset Information security technologies – excellent and current knowledge of technologies and technology-based solutions dealing with information / cyber security issues.
  • Good understanding of current and emerging technologies and their security implications, e.g. Cloud, Agile and Dev Ops.
  • Technical expertise in anti-virus solutions, virus outbreak management - the ability to differentiate virus activity from directed attack patterns.
  • Information security management – excellent knowledge of processes, tools, techniques and practices for assuring adherence to standards associated with accessing, altering and protecting organizational data.
  • Decision-making and critical thinking – good knowledge of tools and techniques for effective use of a broad range of factors, assumptions, frameworks and perspectives when solving problems.
  • Direct experience conducting information / cyber security risk assessments.
  • Strong understanding of IT security best practices.
  • Demonstrated ability to stay abreast securing evolving technology such as cloud and mobile computing.
  • Demonstrated ability to participate in and lead cross-functional teams, including offsite, remote and offshore resources.
  • Knowledge of PCI DSS, ISO, NIST, CIS and IT controls.
  • Strong analytical skills.
  • Able to understand and analyze technology, service, and risk management principles.
  • Excellent written and verbal communication skills:
  1. able to conduct presentations and facilitate group meetings
  2. effectively communicate with technical and non-technical resources
  3. communicate complex and technical issues to diverse audiences
  4. ability to tailor communication style to audience at hand
  • Strong organizational skills and good time management.
  • Good people management skills.
  • Enjoys imparting knowledge to others, without feeling threatened.
  • Ability to work well under pressure while maintaining a professional image and approach.
  • Ability to perform independent analysis of complex problems and distil relevant findings and root causes.
  • Team-focused mentality with the proven ability to work effectively with diverse stakeholders.
  • Understanding of business needs and commitment to delivering high-quality, prompt, and efficient service to the business.
  • Decision-making capabilities, ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one.
  • Ability to compile and analyze data for management reporting and metrics.
  • Understanding of organizational mission, values, and goals and consistent application of this knowledge.
  • Ability to react to high pressure dynamic changing environments.


Experience Required:

  • Undergraduate or post graduate degree in Computer Science, Information Security, or a related field and one or more of the following or related professional certifications:
  1. Certified in Risk and Information Systems Control (CRISC)
  2. Certification in Risk Management Assurance (CRMA)
  3. Certified Information Systems Auditor (CISA)
  4. Certified Information Systems Security Professional (CISSP)
  5. Certified Information Security Manager (CISM)
  • At least five years’ experience in information / cyber security, with at least three years in Information Security & Technology Risk Management. 
  • At least five years’ experience in another IT function, especially IT Audit.
  • At least three years’ experience with regulatory compliance and information / cyber security management frameworks, e.g., IS027000, COBIT, NIST etc.
  • Practical experience with cloud and application security.

Or

  • At least seven years’ experience in Information Security or IT Audit and one or more of the following or related professional certifications:
  1. Certified in Risk and Information Systems Control (CRISC)
  2. Certification in Risk Management Assurance (CRMA)
  3. Certified Information Systems Security Professional (CISSP)
  4. Certified Information Security Manager (CISM)
  5. Certified Information Systems Auditor (CISA)
  • Knowledge of / or experience with regulatory compliance and information / cyber security management frameworks, e.g., IS027000, COBIT, NIST etc., are desirable.
  • Practical experience with cloud and application security.



Position reports to: Director, Enterprise Security, Fraud and Supplier Risk Management

 

Expiry Date: 1-12-2021

Reference
VAC-3900
Employer
CIBC FirstCaribbean International Bank
Hours
Employment Type
Salary and benefits
Salary and benefits info not provided.
Salary
Salary negotiable
Your Career Level
Senior Career
Years Experience
Five (5) or more years'
Your Education Level
Undergraduate Degree|in Computer Studies
View Employer
Apply
Log In and Apply
Upload your CV/Resume
Additional Personal Details
Other details about you

Terms of Use/Notifications

Do you agree to our Terms of Use & Privacy Statement?

Receive updates & notifications from Caribbean Opus

Apply

Currency

The 10 islands have different currencies. We will be using USD as the general currency on the website.