Qureos

Head of Information Security (Mashreq Digital Bank Pakistan)

Job Purpose:


To lead, develop, manage, and execute the group-wide Information Security Management program across Mashreq Pakistan to ensure that the highest standards of information security and data privacy are maintained and that the program adheres to head office standards and local regulatory requirements. The Head of Information Security will report directly to the Chief Risk Officer, Mashreq Pakistan, with dotted-line reporting to the Group Head of Information Security, UAE.


Key Result Areas:

• Provide strategic oversight for Mashreq Pakistan regarding compliance related to Information Security, Cyber Security, Data Privacy and other industry and regulatory requirements.

• Oversight of Mashreq Pakistan technical and non-technical projects, systems, and contracts with respect to matters of Information and Cyber Security.

• Development and maintenance of documentation and implementation of security policies, procedures, and standards for the organization.

• Align security practices/procedures to the well-known information security standards/guidelines such as ISO27001, PCI/DSS, NIST etc.

• Partner with the Business units, legal, human resources, security personnel, internal audit, and executive management in the development of these policies to ensure information technology resources are secure.

• Monitor compliance with the organization’s security policies and procedures among employees, consultants and other third parties.

• Work with various business and technology units within the Pakistan and global teams to implement and operate information security and data privacy controls and compliance reviews.

• Review and provide approvals for technology requests and changes such as architecture vetting and RFC or access control etc.

• Establish security KPIs, KRIs, metrics and a periodic reporting process to measure and communicate the effectiveness of the security program to local management committees.

• Liaise and act as POC for Information and Cyber Security matters with local regulatory bodies.

• Reviewing the security architecture and recommending cost effective changes to the existing structure.

• Managing incident response and reporting of breach of IT/IS Security in the organization and drive for appropriate changes.

• Responsible for setting up the right practices, in line with regulatory expectations, for the security monitoring function.

• Initiate, facilitate, and foster activities to create information security awareness within the organization.

• Steering the design & implementation of security solutions addressing perimeter, end points, network and services.

• Keep abreast of security incidents at group data centers and Cloud infrastructure, act as primary control point during significant information security incidents impacting Pakistan systems. Convene a Security Incident Response Team (SIRT) as needed, or requested, in addressing and investigating such security incidents.

• Review all system-related security plans throughout the organization’s network, acting as a liaison to Information Systems.

• Assist the management on Information Security Strategy, security budgeting, projects etc.

• Assist/enable business to comply with the regulatory requirements on Information Security and data privacy globally as applicable such as RBI, UAE Central Bank, UBF, SBP etc.

• Engage team members through coaching, training, and awareness programs to ensure risk methodologies are communicated across the enterprise.

• Implement access authorization process for infrastructure related controls and conduct periodic reviews.

• Perform security vendor reviews and SLAs.

• Advising executive management committee on risk management matters and exposure to cyber threats, cloud risks and concerns.

Operating Environment, Framework and Boundaries, Working Relationships:

• Assist vendor relationship owners and the vendor management team on matters of information security, data privacy and cyber security requirements.

• Attend central bank and other supervisory meetings to understand the regulator’s expectations and drive implementation.

• Liaise and function as local POC or lead on global information security projects.

Problem Solving:

• Ability to enable frameworks, technology solutions and processes for proactive management of Information Security and Data Privacy risks.

• Ability to understand regulatory language, decide on applicability, and convert the requirements into actionable items with ownership.

• Ability to consult and provide solutions to mitigate the risk to an acceptable level.

• Ability to assess compliance implications for the banking environment.

Decision Making Authority & Responsibility:

• Regulation applicability and compensating control decision.

• Consult and validate solutions to mitigate risks to the business and technology.

• Assessing the adequacy of the controls against internal information security policy, standards, data privacy and local regulatory requirements.

Knowledge, Skills, and Experience:

• A sufficiently senior-level official with the management experience to coordinate direct and indirect reports on project and issue-based tasks.

• Strong decision making and prioritization skills.

• Strong experience and knowledge in all Information and Cyber Security domains and areas, including governance, policy procedures, security incident response, security management, etc.

• Sound knowledge of the IT environment including infrastructure, systems, databases, processes etc.

• Knowledge of Banking environment and international compliance including PCI DSS, SWIFT CSP, GDPR etc.

• Professional security certifications such as CISSP, CISA, CISM, CEH, SANS, PCI-QSA, CIPP/E, CIPM etc. are desirable.

• Strong interpersonal, analytical, and technical skills.
