Security Risk & Compliance Manager

A. REPORT TO: Group Security Manager (CISO)

B. JOB PURPOSE:

- The Security Risk & Compliance Manager will play a critical role in ensuring the organization's adherence to security standards and regulatory requirements. This position demands a deep understanding of risk management principles, governance frameworks, and compliance best practices across IT and business environments. The role requires significant cooperation with local business units (BUs). It can be located in any “Global hub” location, such as Asia or Africa. Additionally, the role participates in security-related projects as a Subject Matter Expert (SME), specifically for helping in the design of controls and/or requirements for SOC use cases and assisting in Business Impact Analyses (BIA) and risk assessments

C. ACCOUNTABILITY:

1. Security Governance

- Establish and maintain a comprehensive security governance framework.

- Develop and enforce security policies, procedures, and controls.

- Ensure compliance with industry standards and regulations.

- Collaborate with stakeholders to promote security awareness and best practices.

2. Policies & Controls

- Create, update, and manage security policies and controls.

- Ensure consistent application of security policies across the organization.

- Conduct regular reviews and updates to policies to reflect evolving threats and compliance requirements.

- Ensure policies contain key controls and verify these controls with Group IT and local BUs.

- Cooperate with finance for executing the controls using their tooling.

- Cooperate with QA for storing policies using their tooling.

3. Risk Management

- Identify, assess, and manage security risks across IT and business environments.

- Develop risk mitigation strategies and action plans.

- Perform regular risk assessments and audits to ensure compliance with risk management policies.

- Align with the business on risks and important topics such as IT continuity and disaster recovery.

4. 3rd Party Risk Management

- Assess and manage risks associated with third-party vendors and partners.

- Ensure third-party security practices align with organizational policies and standards.

- Establish and maintain third-party risk management procedures and controls

5. Exception Management

- Manage and document security exceptions and deviations from established policies.

- Ensure proper approval and tracking of exceptions.

- Develop strategies to minimize exceptions and improve compliance.

6. Dashboarding & Metrics

- Develop and maintain a comprehensive reporting dashboard that includes operational security, compliance, and risk management sections.

- Provide regular reporting on security posture and compliance status to senior management.

- Develop and periodically deliver a security dashboard with outcome-driven compliance and risk metrics. Aim to achieve near real-time reporting capabilities over time.

- Utilize metrics to drive continuous improvement in security practices.

- Perform hands-on tasks to determine what should be included in the operational security section of the dashboard.

- Act as the owner of the reporting dashboard, ensuring its accuracy and relevance.

7. Audit

- Conduct internal audits to verify compliance with security policies and standards.

- Collaborate with external auditors and regulatory bodies during compliance audits.

- Develop and implement corrective actions based on audit findings

8. Project Participation

- Participate in security-related projects as a Subject Matter Expert (SME).

- Help in the design of controls and/or requirements for SOC use cases.

- Assist in Business Impact Analyses (BIA) and risk assessments

D. EXPECTED RESULTS:

- A comprehensive and compliant security governance framework is established and maintained

- Security policies and controls are consistently applied, up-to-date, and verified across the organization

- Security risks across IT and business environments are identified, assessed, managed, and effectively mitigated

- Third-party vendor risks are assessed and managed, with their security practices aligned to organizational policies

- Security exceptions are properly managed, documented, approved, tracked, and minimized

- A comprehensive, accurate, and outcome-driven security dashboard provides regular, near real-time compliance and risk metrics to senior management and stakeholders like IT Managers Countries and the Core Security Community.

- Compliance with security policies and standards is verified through internal and external audits, with corrective actions effectively implemented

- Security-related projects successfully integrate security controls, requirements for SOC use cases, and robust risk assessments.

Qualifications

- Bachelor's degree in Computer Science, Information Technology, or a related field. Master's degree preferred.

- Relevant certifications such as CISSP, CISM, or CRISC are highly desirable.

Experience

- Minimum of 8 years of experience in security risk management and compliance

- Extensive knowledge of governance frameworks, including NIST, ISO27001, and other relevant standards.

- Proficiency in developing and managing security policies, controls, and risk management processes.

Competencies

- Strong analytical and problem-solving skills, with the ability to assess complex security scenarios and develop effective solutions.

- Excellent communication skills, both written and verbal, with the ability to convey technical concepts to non-technical stakeholders.

Language(s)

- Fluency in English, both speaking and writing, as communication with teams across our global organization is required.

Other Requirements

- Full-time position based at any Global hub location, such as Asia or Africa.

- Occasional travel may be required for collaboration with global IT teams and participation in security conferences and workshops.