Full Time
Head Information Security
Urgent
Job Description
Qualification and experience
- First Degree Business Commerce Required.
- Post Graduate Degree Information Technology Required.
- First Degree Business Commerce Preferred.
- Post Graduate Degree Information Technology Preferred.
- Good working knowledge and experience with the implementation and management of information security policies and frameworks within a corporate environment.
- Management experience working with individuals and teams from diverse cultures
- 5-7 years: strong IT understanding, with insight into digital and platform operating models and cyber security trends and solutions.
- 8-10 years: experience in an InfoSec or Audit role within the banking and/or financial services sector. Experience working in a multi-vendor, outsourced and multi-system IT environment. Sound knowledge of policies (including but not limited to the Protection of Personal Information Act (POPI), financial market acts, International Financial Reporting Standards (IFRS) and Business Unit specific regulatory requirements/legislation). Knowledge of the DAMA Framework for end-to-end Information.
Key Results Areas
- Adhere to all local regulations as it relates to reporting of security incidents or getting approval for any outsource arrangements /offshoring where applicable.
- Adopt the Group Information Security measurement and reporting frameworks and processes in Country, report on Information Security breaches, non-compliance and deviations, achievement of Group KPIs and recommend mitigating strategies based on Information Security trends.
- Adopt the Risk Viability Feasibility (RVF) framework to ensure sufficient protection of clients' money, data and time (aiming to reduce / mitigate the three risks that security strategies).
- Analyse critical vulnerabilities, establish country applicability and formulate plans and actions to address security issues in the short and long run as needed.
- Anticipate local trends, identify probabilities and interpret impact in the country technology, use as input to adapt the country security strategy.
- Apply knowledge of domestic banking industry, including knowledge of regulatory requirements of local markets e.g., SARB, UK, Nigeria to make visible and influence data protection information security requirements enabling Country Business strategies, and ensuring that personal data is handled in accordance with an individual’s rights and privacy as determined by the Risk Reporting and Rest of Africa implementation of the Risk Data Aggregation and Risk reporting (RDARR) programme.
- Assess information security risks and trends in attacks and tactics in Country, and develop the overall Information Security strategy in Country, in collaboration with Group Information Security.
- Collaborate with suppliers and or contractors to explain and enforce Group Information security policies to ensure the protection of intellectual property and data in Country.
- Conduct information security assessments against all critical third parties / material outsource arrangements in country against Group standards and ensure that risks are appropriately managed.
- Develop fit-for-purpose risk remediation plans, supported by the country security RVF strategy, based on identified information security risks, vulnerabilities, audit findings, policies and regulatory requirements; follow up on all audit findings and provide guidance, supervision and assistance in the implementation of remedial action to prevent significant reputational, financial or other losses in country.
- Develop internal Information Security expertise and awareness through regular updates, awareness sessions and coaching of Technology and Operations staff to improve the security posture in Country.
- Develop situational awareness by attending industry forums (e.g. financial institutions, professional bodies) to build networks, share knowledge, keep abreast of trends, and obtain knowledge that will contribute to the Group's situational awareness, and enable the achievement of Information Security strategies and objectives in Country.
- Drive and champion a positive risk culture and attitude, establishing appropriate Information Security risk oversight and governance processes and structures in Country, taking responsibility for ensuring compliance to all information and cyber security country regulations.
- Drive strategic engagement with the wider Group entities, enhancing collaboration and understanding of the security capabilities across the organisation, to harness synergies.
- Establish a comprehensive security awareness program for country covering all stakeholder groups leveraging the tools and practices established by Group.
- Establish and periodically review the information security organisational structure, and roles and responsibilities for organisational Security in line with the Group security strategy and toolbox. Develop and maintain the security resourcing strategy with consideration for appropriate balance between FTEs, contractors, consultants and third-party provided services (such as managed services).
- Examine and oversee adherence to Group Information security practices, protocols, standards and guidelines, as well as industry best practices, in the Country.
- Identify and address areas where Country needs to review Data protection security strategy, policy, or procedure, and increase employee awareness and training accordingly.
- Identify root causes, have a clear plan of action and work collaboratively with the relevant stakeholders on the remedial actions to prevent recurrence, ensuring adequate coverage of all security capabilities within appetite and confirming that all gaps are appropriately escalated to the Head of T&O or Head of Engineering and country technology risk committees.
- Implement and oversee the required local information security capabilities when local partners are selected and onboarded onto platforms in support of engineering partnerships strategies, and information security services that provide adequate protection during the delivery of solutions to Clients.
- Implement guidelines, as developed by the Head Data Governance, for maintaining the security of the systems and platforms to protect client information and to build an ecosystem of trust and integrity with users, partners, suppliers and clients, creating new and more value-driven opportunities for clients through data in country.
- Implement information security standards as directed by Group Information Security to allow for legitimate, reputable information security solutions in Country.
- Implement InfoSec solutions such as, but not limited to, Data protection Security solutions and engineering partnership solutions by working with projects and business areas from initial design through build and test, as required ensuring the compliance to Group Information security policies and protection of intellectual property and data.
- Implement other local security initiatives based on unique country requirements driven by risk or regulation.
- Implement the Engineering & Technology partnership strategy to support Client Segments, Client Solutions and the Innovation function in delivering to the group platform aspirations by enabling interoperable information security partnerships that will secure 3rd party involvement in ecosystems in country.
- Implement the Group Cyber Resilience Technology Standard in country and adapt based on country context.
- Interpret local and international legislation, and lobby industry thought leaders in country to implement appropriate safeguards to secure engineering partnerships, satisfying the relevant regulator and aligned to a risk-based Group information security strategy applicable in country.
- Lead local execution of the information security strategy, to ensure a consistent customer experience, aligning and innovating on toolbox to increase the efficacy in the local market.
- Lead the selection of local partners and vendors to implement the required local information security capabilities and services in Country.
- Monitor processes that maintain the platform health of country technologies in accordance with Group standards.
- Participate in incident simulations and post-mortems and ensure that all lessons learnt are tracked and implemented.
- Partner with security vendors and/or providers through a preferred suppliers list, and coordinate across Group Information Security to manage the RfI/RfP processes and procurement activities required.
- Partner with the Head of T&O or Head of Engineering and provide the security support to lobby regulators for a more progressive position on technology transformation, e.g. through cloud adoption, SaaS, fintech and open banking.
- Notify and consult with Group on any imminent information and cyber security regulations.
- Partner with the Risk and Audit functions to ensure sufficient challenge and support of the country security priorities as represented in the RVF.
- Plan and execute regular awareness initiatives (road shows) focusing on relevant emerging Information Security technologies, industry trends, specific strategies, tools and technologies to relevant stakeholders.
- Plan relevant penetration testing throughout the year in accordance with the penetration testing standard using Group approved partners (if outsourced).
- Prepare annual financial forecasts and budgets to facilitate the management and operations of Country Information Security formulating and gaining acceptance for annual budgets.
- Provide information security expertise during implementation of InfoSec strategies relating to data protection such as authorised access to data, protection of data in transit across networks, sensitive data with appropriate measures for compliance and privacy constraints in country.
- Provide security consulting on all new systems, applications and/or infrastructure, define security requirements, manage expectations on the end-to-end security engagement and advise the Head of T&O or Head of Engineering and/or business owner on the security readiness as part of the go/no-go decision process.
- Provide thought leadership and share knowledge on InfoSec trends and data protection security to influence the information security community and increase expertise and knowledge in country.
- Work closely with all relevant stakeholders to ensure a safe and secure technical integration of partners, including API management, into the Group ecosystem, providing InfoSec expertise and guidance in country.
- Work closely with Group Information Security in translating Information Security strategies and capabilities for mandatory execution in country; review and update Information Security policies aligned to the Country Technology and Operations and Group Information Security strategy, including delivering information security data protection capabilities and support of a sustainable platform partner community relationship.