Reporting to the Director, Information Security & Privacy Governance, this role will involve coordinating and executing governance, risk, and control activities within the client's Information Security & Privacy programs. The individual will be accountable for developing, maintaining, and disseminating enterprise-level policies, procedures, and standards in the realms of information security and privacy. The aim is to ensure the information security and privacy programs meet their objectives by employing a systematic approach to enhance their effectiveness. This will involve coordinating and possibly leading the preparation for corporate level incident responses through testing, reporting, and action-taking, as well as participating in the incident response itself. Additionally, the role entails proposing, creating, and maintaining training courses, presentations, and materials to continuously raise awareness about information security and privacy.
Training and Education
- Devise a roadmap for the client's awareness training related to information security and privacy, focusing on enhancing awareness, compliance, and educational materials.
- Establish and manage an effective and measurable awareness training program.
- Plan, conduct, monitor, and report on simulated security exercises (e.g., phishing campaigns, tailgating, vishing, mystery customer exercises) to heighten awareness about the significance of security and privacy protocols.
- Promote adherence to and awareness of best practices in information security and privacy.
Governance & Operations
- Formulate and implement sensible policies, procedures, and standards to safeguard the client's assets.
- Propose and maintain corporate-level privacy and security programs (e.g., DLP administration, access reviews, Privacy Impact Assessments).
- Lead or coordinate security assessments, audits, tabletop exercises, and penetration testing.
- Support all stakeholders regarding information security and privacy standards.
- Facilitate incident response readiness through testing, plan development for addressing gaps, and response plan updates.
- Contribute to the upkeep of an information security risk registry.
- Assist with security due diligence questionnaires and assessments.
- Stay informed about industry changes in information security, identifying challenges, changes, or opportunities that could improve the client's security and privacy posture.
- Annually review the enterprise's information security and privacy policies, procedures, and standards.
- Work with management and technical security teams to identify and rectify gaps in policies, procedures, or standards.
Program Measurement/Monitoring
- Track compliance with corporate policy and procedures (e.g., access reviews, DLP, Privacy Impact Assessments).
- Maintain an information security and privacy scorecard/dashboard that reflects the current posture and areas for improvement.
- Report on the remediation of issues identified in external assessments or audits.
- Recommend improvements to management based on the internal evaluation of information security and privacy program controls.
What You Bring To The Team
- 6-9 years of experience in information security and privacy governance.
- Comprehensive experience in developing policies, procedures, and standards.
- Proficient knowledge of information security governance frameworks (e.g., CIS, NIST, ISO).
- In-depth understanding of security tools and technologies (e.g., firewalls, IDS/IPS, encryption, EDR, DLP, NAC, CASB, DKIM, DMARC, email protection).
- Exceptional interpersonal skills with the ability to interact with all business units within the organization.
- Efficient, effective work ethic with the ability to multitask in a fast-paced setting.
- Proven ability to develop and deliver awareness, education, and coaching sessions.
- Expertise in risk analysis, penetration testing, and vulnerability management.
- Strong writing, verbal communication, interpersonal, and presentation skills, with the ability to influence and effectively communicate at all organizational levels.
- A commitment to integrity, confidentiality, and responsible handling of sensitive information.
- Excellent problem-solving, conflict resolution, change management, and employee relations skills.
- Outstanding presentation and negotiation abilities.
- Relevant IT & security accreditations (e.g., ITIL, COBIT) and certifications (e.g., CISM, CISA, CISSP).
- A degree or diploma in a relevant field, preferably in information security or computer science/engineering.