Information Technology: systems development, business analysis, architecture, project management, data warehousing, infrastructure, maintenance and production
Work with both the CIO and IT Security teams in the different countries to drive the alignment and execution of the Standard Bank Group IT Security Strategy.
The role requires one to understand different country Cyber Regulation and provide insight / expertise to any IT Security decisions or trade-offs without compromising the security of the Bank.
Lead engagements with key stakeholders (Operational Risk, Audit) in-country.
Key Responsibilities / Accountabilities
Work with IT partners to provide IT Security Advisory services and guidance
Develop and maintain relationships with key stakeholders to further embed the partnership that exists between IT Security, IT and the business.
Research and maintain knowledge of the IT threat landscape, security trends, regulatory requirements, new technologies and best practices in order to provide sensible and pragmatic security advice to stakeholders.
Provide ad-hoc consulting and engagement with various business units on secure, cost effective and practical control implementations across various platforms and / or systems.
Facilitate the adoption of IT Security solutions, e.g. privileged user management or access management processes, and services, e.g. IT Security risk assessments and penetration tests.
Provide adequate IT Security input into all technology solutions; this includes the requirements for the evaluation, selection, installation, configuration and maintenance of hardware, applications and software.
Develop an effective line of business IT Security strategy that supports and enables business strategy.
Advise IT business partners on regulatory and / or legal requirements as it relates to securing of data as well as assist with the implementation of the controls to support these requirements.
Establish relevant metrics and management information to facilitate reporting and decision making.
Facilitate the reduction in the number and impact of IT Security incidents.
Act as a single point of contact for IT security risks, incidents and controls within the business units.
Identify, assess and remediate Technology and IT Security risks
Develop an IT risk assessment schedule across the respective lines of business / business units.
Conduct reviews of applications, systems, underlying infrastructure and related processes as per the schedule.
Establish and maintain risk profiles for business units by facilitating the implementation and ongoing management of general control reviews.
Develop a cost-conscious risk treatment plan based on identified risks, vulnerabilities, audit findings, policies and regulatory requirements.
Collaborate with project management, architecture, IT, business, vendors and other stakeholders to investigate risk remediation controls.
Assist in documenting and tracking security findings into a formal risk register. Provide the necessary information to support any deviation to IT Security policies and standards.
Facilitate technical system reviews by working with the Penetration Test Team and assist business with interpretation and implementation of required controls.
Recommend the implementation of effective controls to support defined security policies and standards. Co-ordinate and track the implementation of remediation plans.
Establish relevant metrics and produce risk reports for stakeholders highlighting key risks, incidents, progress and status to assist in decision making.
Participate in incident response planning and investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
Drive appropriate Logical Access Management practices in IT
Establish, maintain and improve logical access management practices by the application of appropriate manual and / or automated processes in order to provide assurance that the right people have the right level of access to the bank’s information.
Implement and validate all aspects of the access management lifecycle, as prescribed by the appropriate policies and standards.
Implement additional processes, such as Segregation of Duties, Password Safes and Audit trails, to address the risk posed by privileged IT users.
The success of these activities must translate into a reduction of logical access audit findings and security breaches of a logical access nature, by embedding logical access practices into business processes, and by a positive trend in the various metrics used to track maturity and control failures.
Create awareness of IT Security good practices to the IT community
Develop an awareness plan for the line of business that is fit for purpose, aligned with strategy and considers a range of risk data points, e.g. audit findings, risk and control self-assessments, IT Security risk assessments, emerging threats and risks, and incidents.
Create awareness to the IT Executives and broader IT community on the back of new threat and risk intelligence. Proactively create awareness on recurring risk themes.
Implement the awareness plan through various delivery mediums.
Measure the effectiveness of the awareness plan through sampling, surveys, tests, attendance registers or equivalent.
Assist with implementation of IT Security Policies, Standards and Guidelines
Participate in the development of new and the annual review of existing IT Security Policies, Standards and Guidelines by providing input to enhance the quality and completeness of these documents.
Communicate the requirements for compliance to the IT Security Policies, Standards and Guidelines to the relevant parties within IT.
Identify areas of non-compliance to IT Security Policies and Standards within IT.
Alert the responsible parties in IT where there is non-compliance to IT Security Policies and Standards and work with them to identify and recommend practical and feasible remediation plans and technical solutions.
Report on the level of compliance and progress towards achieving compliance to IT Security Policies, Standards and Guidelines to the IT business partners.
Managing of resources / people
Ensure you remain within your allocated numbers for the year in collaboration with your Finance and Human Capital Business Partner.
Ensure individual and team’s goals are achieved as per Group timelines.
Promote a culture where the values of the Bank are seen to be alive.
Ensure all your training plans are executed.
Provide leadership of the development, provisioning and successful execution of an IT Security programme for the IT business unit.
Develop a robust and fit for purpose approach to adopting IT Security best practices.
Develop a strategy for the improvement of IT Security capability maturity in line with the business IT strategy.
Contribute to the development of the IT Security Strategy by ensuring alignment to operational risk and information risk strategies and business objectives.
Translate the strategy into a specific course of action, set of goals and outcomes.
Effectively communicate with the line of business IT Executives to ensure support and commitment for the IT Security programme and prioritise security investments in line with risk appetite.
Collaborate with team members and the Security Community in the application of IT security expertise towards the diagnosis of security problems, evaluation of solutions and delivery of solutions.
Identify opportunities for the development of new IT Security services and controls.
Develop high-level business cases in support of new IT Security services to
Create an environment that embraces change and innovation. Drive continuous improvement and help others to accept new ideas.
Contribute towards shareholder value through courageous decision-making that supports the organisation’s vision.
Qualifications and Knowledge
University graduate with a degree in IT or a related subject
Information Security and / or Information Technology industry certification (CISM, CISSP, or GIAC equivalent) strongly preferred.
Appropriate professional accreditation in IT Security
Experience managing and leading operations teams is preferred
5+ years of hands on experience in design, architecture, engineering or implementation of relevant Information Security Technology solutions
Excellent written and verbal communication skills
Self-starter with a strong aptitude and desire to learn, and expand skill set to new technologies, and areas of information security.
Aptitude to learn through research and hands-on experience.
An understanding of information security concepts, regulations, standards, and compliance.
A demonstrated commitment to the information security profession through advanced education, training, certification, or industry participation.
Ability to demonstrate aptitude, interest, and passion in keeping up with information security technical trends, research, and current development.
The ideal candidate will have multi-domain experience in the following:
Deep understanding of endpoint technologies, protocols and troubleshooting techniques
Deep understanding of networking technologies, protocols and troubleshooting techniques
Experience with security design and engineering in the context of end-user environments:
Endpoint security (encryption, antivirus, DLP, etc.)
Mobile Device Management
Preferred Qualification and Experience
Degree in Information Security or a related certification (CISSP, CISM, CRISC, CISA)
7-10 years' experience in Information Technology
Knowledge / Technical Skills / Expertise
Information Security Management
The ability to assess and mitigate the risks associated with the storage and retrieval of electronic information.
The examination of the essential elements of risk, such as assets, threats, vulnerabilities, safeguards, consequences and the likelihood of the threats materialising.
The ability to define and analyse risk identification information in a quantitative and / or qualitative way.
The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems.
The independent, third-party assessment of the conformity of any activity, process, deliverable, product or service with the criteria of specified standards, such as BS EN ISO 9000 / 14000, local standards, best practice or other documented requirements.
May relate to, for example, asset management, network security tools, firewalls and Internet security, real-time systems and application design.
Vendor Evaluation and Management
Knowledge of the process for evaluating, selecting and managing products, tools, services, infrastructure components and applications in line with the organisation's business needs and architectural principles.
Coping with Pressure