Data Security Risk Officer – Financial Services - London
A Data Security Risk Officer is required to join the newly created CIB Data & Information Security Team.
The role will focus on identifying risks stemming from the loss of integrity, confidentiality, availability or traceability of sensitive data, based on the information security maturity model. More specifically, the data security risk officer will deliver management information to relevant stakeholders to ensure appropriate ownership of remediation plans, sign-off of any risk acceptance, and escalation to Business, Security or IT Steerings through the governance officer.
Data and Information have been put at the heart of the new Cyber Security Model. This is an exciting opportunity to work with interesting new security challenges in an environment with many different teams, platforms and applications.
The role encompasses a number of activities & responsibilities:
- To organise and manage data security risk governance, from identification to mitigation or acceptance.
- To drive, track, and assist risk assessments and cartographies related to data security across businesses and functions.
- To monitor overall risk exposure and report to IT, Security, Business and Function Steerings. Maintain a set of KRIs appropriate for each level of management (based, for example, on application security deviations, data security workflow status, risk acceptances by Business, vulnerabilities, etc.).
- To maintain risk heat maps and cartography, risk acceptances and feed remediation plans to Governance teams.
- To provide expertise on data security risks should requirements on confidentiality, integrity, availability, or traceability not be satisfied.
- To promote and support threat models to ensure transparency in risk assessment and remediation priorities (e.g. data leak threats, integrity loss threats, traceability loss threats, etc.).
- To strengthen cybersecurity programs and cyber resilience / IT Continuity programs by ensuring data security risks are properly understood and addressed.
- To provide guidance on effectiveness of remediation measures, in particular for the residual risks (e.g. residual risk after data masking, encryption or signature of sensitive data).
- Excellent understanding of IT Risk management concepts and their implementation (not limited to IT Security)
- Strong technical skills required to understand vulnerabilities in detail and how to resolve or mitigate them, and therefore be able to assess the effectiveness of measures and the residual risk.
- Excellent knowledge of IT best practices, from development to production and security
- Familiarity with security risk standards, such as ISO 3100/27001/27005
- Well-developed written communication skills with the ability to summarise key issues, conclusions and recommendations. Target audiences will include regulatory authorities, internal/external auditors and senior business stakeholders
- Awareness of key FFIEC and NIST standards related to IT security or IT Risk (NIST Cyber is a must)
- Rigorous and reliable, the candidate must be able to provide high-quality findings and risk analysis without relying excessively on second opinions.
- The candidate will be a forward-thinking individual with the ability to look beyond immediate problems and issues, but with a solid practical delivery focus.
- Highly skilled and able to demonstrate value to the security and risk communities at a practical level, working alongside analysts, security, application and business staff on a collaborative basis
- The ability to manage independent responsibilities and projects while working closely with the security, IT and business communities; the candidate must be well organised, self-motivating and a good communicator
- A pragmatist with the strength of character to lead divergent interests to common ground and the best outcome
- Able to communicate effectively across a wide range of seniorities from entry level developer to senior management.
- Approachable and willing to share their expertise and experience in order to assist the development of teams and individuals
- Experience using the COBIT 5 or ISO 38500 framework, or associated certifications (CISA…)
- Exposure to, or certification in, ITIL or CMMI
- Exposure to NIST SP 800-30, ISACA IT Risk framework or equivalent
- Experience of specific security products and technologies: RSA Archer, MS SharePoint Portals, Atlassian JIRA