POSITION SUMMARY:
The CISO is responsible for the management and mitigation of information/cyber security risks across the enterprise and for devising strategies to monitor and address current and emerging risks. The CISO is independent of IT and provides assurance reporting on Information/Cyber Security Posture (risk profile) and control health status to management and the Board as part of the Risk Management Division. The role serves as the key person to liaise with the Bank’s Management, Board and other stakeholders on Information Security matters and supports the achievement of the bank’s objectives. The CISO (Chief Information Security Officer) must possess deep expertise spanning the Banking Business, Digital Financial Services, and Technology domains. This comprehensive understanding is essential for designing and delivering security solutions and strategic advisory that are aligned with and tailored to the Bank's Vision, Mission, and core Strategy.
DUTIES & RESPONSIBILITIES:
- Develop, implement, and maintain a comprehensive information security vision and strategy aligned with the bank's business objectives and digital transformation efforts.
- Develop and execute the Bank’s Information/Cyber Security Risk Management Program and activities to identify, prioritize and protect the Bank’s Information and IT Assets against cyber and physical security threats.
- Establish and oversee the information security governance framework, policies, standards, and procedures. Design, recommend and implement IS Policies and Procedures aligned to SBP guidelines and best practices.
- Ensure compliance with relevant banking and financial industry laws, regulations and best practices/standards, e.g., ISO 27001, PCI DSS, Data Privacy, NIST, and local central bank guidelines such as those from the SBP.
- Oversee and manage periodic IT security risk assessments and vulnerability analyses, communicating potential impacts to senior management and the board. Coordinate with IT and other functions to fix the issues.
- Oversee the design, implementation, and maintenance of security controls and technologies (e.g., firewalls, intrusion detection/prevention systems, SIEM solutions, encryption, etc.) across cloud-native environments and IT infrastructure.
- Manage security incident detection, response, and recovery, including leading investigations into breaches to minimize damage and ensure rapid restoration of services.
- Serve as a primary liaison with internal/external stakeholders, auditors, inspectors and regulators, and effectively translate complex technical risks into business language for executive leadership and the board.
- Improve the Bank’s administrative, technical and process controls maturity around Information and IT Assets, including Applications, Databases, Endpoints, Network and Infrastructure, Access, Policies and Procedures, and stakeholder and employee Awareness and Training.
- Maintain the information security risk management register, coordinate with FLOD/SLOD functions and advise them on the management of key Information Security and Cyber Security risks and the implementation of corresponding controls.
- Develop the Information Security/Cyber Security action plan and roadmap and periodically inform Senior Management and the BITC of the progress of the plan and its implementation status.
- Drive, oversee and coordinate a risk-based internal and external Vulnerability Assessment Program for EasyPaisa Digital Bank (EDB) Information Assets and supporting infrastructure, aligned with the Bank’s strategy and growth plans. Perform risk assessment and management actions to secure against the identified threats and vulnerabilities in support of business objectives.
- Ensure that information assets are protected from unauthorized use, systems are available, and the continued integrity of information and processes is assured. Ensure Threat Intel Monitoring is carried out to mitigate risk arising from adversaries.
- Ensure an incident identification and response mechanism is in place for the prevention, detection, containment and correction of security breaches.
- Support in managing business continuity and disaster recovery plans to ensure critical operations can withstand and quickly recover from cyber incidents.
- Suggest, review and verify Information/Cyber security requirements for any new or updated software, hardware, network or related processes, thereby assisting EDB on technology procurement/outsourcing from an information/cyber security perspective.
- Periodically review configurations, identities, and logical and physical access to IT assets; put up reports; and work on corrective measures and improved controls.
- Support stakeholders in Regulatory Compliance and Gap Assessments to ensure SBP guidelines are adhered to.
- Plan, devise, implement and manage IS controls as per the Bank’s IS/IT policies, in coordination with stakeholders, in line with best Information Security practice standards and in compliance with SBP regulatory requirements.
- Coordinate and assist both internal and external audits relating to information security, as well as performing independent reviews to validate the completeness and accuracy of information security.
- Develop and implement a robust information/cyber security awareness program as per SBP guidelines. Lead security awareness training programs for employees to promote a "security-first" culture across the organization.
- Report the EDB Information/Cyber security posture and high-severity incidents to senior management and the BITC.
- Gather and interpret cyber threats arising from the bank’s participants, services and utility providers and other banks. Ensure cyber threat intelligence is shared with relevant staff for mitigation of cyber risks at the strategic, tactical and operational levels.
- Represent the Bank at security and other forums such as the Pakistan Banker’s Association (PBA), Cyber Security, CERT and other relevant IS forums.
- Develop, supervise and manage the Information Security team and their day-to-day activities at the Bank.
- The incumbent shall be responsible for adhering to the Bank’s Behaviours and Values in all aspects of his/her work conduct.
QUALIFICATION & EXPERIENCE (Essential for the job holder):
- Minimum Bachelor’s in computer science (CS/IS or Engineering) from a reputable institute.
- Relevant certifications in the field of Information Security are an added advantage, e.g. CISSP, ISO 27001, CRISC, CISA, CISM, CEH, COBIT, etc.
- 10-15 years of experience, with a minimum of 8-10 years of relevant experience in the same role.