A global banking organisation is seeking a vice president level information risk management specialist.
The Information Risk Management (IRM) division is comprised of six teams:
- Risk and controls
- Technology (applications, infrastructure, services, strategy)
- Information Security
- Identity and Access Management
- Corporate Secretariat
This role is part of the Infrastructure team, which falls under the global Technology team, covering:
- Network Security Assessments
- Application security assessments
- Service provider management
- Mergers and acquisition (due diligence and subsequent integration risk assessment)
- Information risk
The UK team have primary responsibility for infrastructure security assessments and network security assessments in the EMEA region. Support is also provided to teams in other regions.
This is a ‘hands off’ role – the successful candidate will have no responsibility for operational delivery. IT and others carry out changes such as adding users, installing or configuring applications, etc. under the supervision and instruction of the technology risk management team where relevant.
The purpose of the role is to ensure the integrity and reliability of company data and systems through appropriate technology risk assessment. This includes involvement in business and IT projects to ensure that appropriate controls are built in from the earliest stages. The responsibilities of the team include:
- Assessments of tech infrastructure and network security
- Consultancy requests
- Firewall/URL change request approval
- Firewall policy, rule usage compliance and reviews
- Providing security consultation to the EMEA/Asia Pac businesses
- Technology infrastructure assessments for new, changed and existing systems
- Working with operational, support and technical teams to identify security issues and agree corresponding actions
- Working with the business to request a policy exception where mitigation is unsuitable
- Tracking issues and agreed actions to completion, escalating issues where necessary
- Consultancy on business projects
- Assess URL access requests with a view to approval
- Ad-hoc requests for support/guidance
Whilst ‘hands-off’, a level of technical knowledge is required to assess what is required, possible and achievable in technical areas.
The successful candidate must have:
- Strong experience in a Technology Risk, Information Security or an IT Audit role;
- A relevant professional qualification such as MSc, CISSP or CISM;
- A thorough understanding of Risk assessment approaches and methodologies;
- A good understanding of standard network infrastructure, including VPNs, firewalls, switches, routers and LANs;
- Experience of formal document creation;
- Experience of carrying out risk reviews, technology audits or other similar work;
- Thorough understanding of the ISO 27000 series of standards and guidelines;
- Knowledge or practical experience of one or more of the following products:
  - Archer Technologies SmartSuite Framework
  - Algosec Firewall Analysis Tool
  - Tufin Operations Management
  - Juniper/Checkpoint/Cisco firewall management
  - URL Filtering products
- Other professional qualifications/memberships relevant to Information Security (Institute of Information Security Professionals, CISA or QICA).
Key Skills and Attributes:
- A keen eye for an opportunity to improve existing process and take the initiative to promote such an enhancement.
- Must take accountability for their actions and be open and honest when things have gone wrong, and celebrate successes when things have gone well.
- Able to co-operate and work well with others, adopting an approachable style. This is important as we work closely with a large and diverse set of suppliers and customers.
- Must be rigorous and thorough – especially when logging and tracking issues through to conclusion
- Must be able to manage their own workload and run several tasks concurrently so as to meet the realistic targets and priorities set in conjunction with management. This is important because we work in an environment where priorities can change quickly and with little prior warning. Demonstrates a high level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business.
- Demonstrates a calm professional approach, with a good understanding of time constraints and the need to escalate/inform departmental management as appropriate.
- Understands their own shortfalls and knowledge gaps. Not afraid to acknowledge a gap and work on strategies to address it.
- Adapts personal approach to suit situations, individuals, groups and cultures. Is flexible in relation to getting the job done.
- Ability to adapt quickly to changes in the organisation and job responsibilities with a positive attitude.
- Must be able to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits.
- Able to express themselves clearly and fluently, both orally and in writing. Considers the audience, avoiding technical jargon wherever necessary and appropriate.
- Documentation must be professional, well-structured and presented and require the minimum management review and revision. This is especially important.
- Good at listening and analysing a situation or the information provided.
- Works well with others or individually. Supports the development of the team as a whole, places team before personal interests.
- Shows respect for others and recognises their concerns and interests.