Technology & Cyber Security Risk Senior Manager

SUMMARY:


The Technology & Cyber Security Risk Senior Manager is responsible for identifying, assessing, and mitigating enterprise-level IT and cybersecurity risks to strengthen MedGulf’s technology risk posture and resilience. This role plays a critical part in safeguarding MedGulf's digital assets, IT infrastructure, and business-critical applications while aligning with regulatory requirements (e.g., SAMA, Insurance Authority, NCA) and industry best practices (ISO 27001, ISO 31000). Key responsibilities include developing and implementing risk management frameworks, assessing emerging technology risks, fostering a risk-aware culture, and driving cross-functional collaboration to enhance MedGulf’s overall technology resilience.



ACCOUNTABILITIES & ACTIVITIES:


- Risk Management:


• Develop and implement an IT & Cybersecurity risk management framework aligned with MedGulf’s enterprise risk management approach and risk appetite, IT Governance Framework (ITGF), Cybersecurity Framework (CSF), and ISO 27001.

• Identify, assess, and mitigate technology, cybersecurity, data privacy, and cloud security risks that could impact MedGulf’s operations, business continuity, data, and regulatory compliance.

• Conduct regular technology risk assessments to proactively identify and address emerging risks.

• Recommend and oversee the implementation of risk mitigation controls, continuously monitoring risk exposure.

• Develop and track Key Risk Indicators (KRIs) to monitor and prioritize critical IT and cybersecurity risks.

• Provide input to the Enterprise Risk Management (ERM) team on risk appetite, governance frameworks, and policies.

• Collaborate with IT and cybersecurity teams to design, test, and enhance IT risk controls.

• Provide independent oversight of IT & cybersecurity risk controls implemented by IT and Security teams.

• Engage with the third party responsible for performing penetration testing, and update the IT & Cybersecurity risk profile based on the results.

• Perform an independent assessment of the SOC to ensure that vulnerabilities are assessed and addressed in a timely manner.


- Technology Resilience and Incident Management:

• Assess and manage risks related to new technologies, third-party vendors, cloud services, and digital transformation initiatives.

• Conduct risk-based testing on IT systems, applications, and infrastructure to ensure operational resilience.

• Lead and participate in root cause analysis, investigations, and remediation efforts for technology-related incidents reported to the Risk Management division.

• Coordinate response efforts for major IT incidents or system failures that could disrupt MedGulf’s operations.

• Ensure IT risk assessment is integrated into Business Continuity (BCM) and Disaster Recovery (DR) strategies, ensuring IT & cybersecurity risks are addressed in crisis management planning.

• Review the accuracy and reasonableness of the periodic self-assessment against the Cybersecurity Framework maturity level before it is submitted to the regulator.

• Analyze emerging cyber threats, conduct forensic analysis, and provide risk-based reporting to senior management and cybersecurity leadership.


- Risk Awareness & Reporting:


• Develop and deliver IT & Cybersecurity risk awareness programs to promote a risk-conscious culture among MedGulf employees.

• Provide regular risk reports and insights to executive management, highlighting key technology risk trends and mitigation strategies.

• Present risk assessment findings, remediation plans, and compliance updates to executive stakeholders and governance committees.

• Support internal audit and external regulatory audits, ensuring IT and cybersecurity risk areas are assessed and mitigated proactively.


- IT Strategy, Governance & Compliance:


• Establish and oversee the IT Governance Framework in alignment with SAMA ITGF, ISO 27001, and NIST standards.

• Ensure IT risk management is integrated into overall IT governance and strategic decision-making processes.

• Review the cybersecurity strategy to ensure it is aligned with business objectives and builds cyber resilience across all processes.

• Collaborate with IT, Compliance, and Risk Committees to ensure IT governance aligns with corporate governance objectives.

• Develop and enforce IT risk policies, standards, and procedures, ensuring alignment with enterprise risk management (ERM) frameworks.

• Participate in IT Steering Committee (ITSC) and Risk Committee discussions, providing IT risk insights to governance bodies.

• Manage third-party IT risk governance, ensuring vendor risk assessments, contract security clauses, and compliance reviews are in place.

• Evaluate and provide risk advisory on major IT investments, ensuring alignment with business objectives and compliance with SAMA regulations.

• Monitor effectiveness of strategic initiatives and recommend improvements.

• Monitor the effectiveness of IT strategic initiatives from a risk perspective and recommend necessary improvements.

• Ensure that IT risk management is integrated into IT strategic planning, budgeting, and decision-making.


MAIN CONTACTS / OPERATING STAKEHOLDERS:


- INTERNAL CONTACT:


• Risk Management Executive Director – engage with executive leadership to communicate and address critical technology risks.

• Operational and Resilience Risk Director / ERM Senior Manager – contribute to risk appetite discussions, governance framework development, KRI tracking, and updates to risk registers.

• IT Governance and Infrastructure Teams and Cyber Security Teams – collaborate on risk mitigation strategies and security controls.

• Resilience and Business Continuity Manager – ensure IT risk considerations are integrated into business continuity and operational resilience planning.

• IT Steering Committee – provide independent risk oversight within the IT Steering Committee (ITSC) by assessing IT and cybersecurity risks in strategic IT initiatives, digital transformation projects, and major system changes.


- EXTERNAL CONTACT:


• External Auditors and Consultants – provide support for IT risk audits, regulatory assessments, and compliance reviews.

• Third-Party Vendors and Service Providers – evaluate and monitor IT risk exposure from outsourced services, cloud providers, and key technology partners.

• Regulators – ensure compliance with regulatory requirements (e.g., SAMA IT Governance Framework, NCA Cybersecurity Controls) by overseeing IT risk assessments, responding to regulatory inquiries, and coordinating audits.


- WORKING ENVIRONMENT:


• Cross-functional collaboration with Enterprise Risk, Operational Risk, IT, Cybersecurity, Governance, and Business Continuity teams to ensure an integrated approach to technology risk management.

• Regular engagement with executive leadership and key stakeholders to provide risk insights, support decision-making, and enhance IT risk governance.

• Interaction with external auditors, regulators, and third-party service providers to facilitate compliance reviews, audits, and vendor risk assessments.

• Office-based work, with occasional travel for risk assessments and stakeholder engagements as needed.

• Fast-paced and dynamic environment, requiring adaptability to evolving regulatory requirements, emerging technology threats, and risks.


- QUALIFICATIONS/REQUIREMENTS:


• Bachelor’s or Master’s degree in Computer Science, Information Systems, Cybersecurity, Risk Management, or a related field.

• 7+ years of experience in IT risk management, preferably within the insurance or financial services sector.

• Strong background in IT governance, risk, and compliance (GRC), with expertise in regulatory requirements (e.g., SAMA, NCA, Insurance Authority) and industry best practices (e.g., ISO 27001, ISO 31000).

• Experience in risk assessments, control design, third-party/vendor risk management, and IT audits.

• Prior experience in business continuity and incident management is an advantage.


- CERTIFICATIONS:


• CISA, CISSP, CISM, CRISC, or equivalent risk/security certifications.

• ITIL, ISO 22301, or BCM-related certification is a plus.
