Manager: Information Security Governance, Risk and Compliance at MultiChoice

Purpose of the Position:

Develop and implement IS and Tech GRC strategy and, manage the end-to-end governance, risk and compliance function in relation to info sec and provide reports to the CISO and the relevant steering committees.

Key Performance Objectives

Organisational Information Security and Tech governance service risk management

• Assist the CISO to establish an information security (IS) and tech gov strategy and proactively identify cyber-security threats.
• Implement the information security and tech governance strategy for the group under the guidance of the CISO.
• Develop all information security governance models with supporting documents e.g. policies, processes, standards and guidelines with guidance from the CISO.
• Consult with relevant stakeholders across the group on development, implementation and enforcement on all aspects of IS governance (policies, standards etc).
• Manage the end to end governance, risk and compliance in relation to info sec and provide reports to the CISO and the relevant steering committees.
• Ensure that information security is aligned with COBIT framework and implemented according to agreed maturity levels.
• Establish an information security risk management strategy and process to report on info sec risks e.g risk acceptance. Regular reporting to the CISO in this regard.
• Develop threat models for all critical technologies (application and supporting infrastructure).
• Support the CISO with info security input into the info Security plans.
• Develop business cases to secure the budget for improvements in the cyber-security maturity.
• Manage internal ISMS programme and COBIT implementation project and ensure delivery on time and within budget.
• Keep abreast of emerging technology trends and the implications on information security.

Stake holder management Technology governance

Information security

Conformance review/ Quality management

• Conduct research to get a clear view of new and emerging threats facing technology and ensure that these are reflected in the threat models and strategy.
• Ensure that the learnings from other security incidents are adopted by all companies/brands in the Group, in so far as the information security control environment is concerned.
• Guide the business with the selection of appropriate controls in order to combat information security threats.
• Coordinate efforts with the Info sec function under the CISO to ensure a unified approach to cyber security across VE Group.
• Provide insight and intelligence into effective information security threat management.
• Work with the relevant teams within the CISO function.
• Stay close to the business strategy and ensure that Info Security capabilities enable and support.
• Assist the CISO to establish an information security (IS) strategy and proactively identify cyber-security threats.
• Implement the information security strategy for the group under the guidance of the CISO.
• Develop all information security governance models with supporting documents e.g. policies, processes, standards and guidelines with guidance from the CISO.
• Consult with relevant stakeholders across the group on development, implementation, and enforcement on all aspects of IS governance (policies, standards etc).
• Manage the end-to-end governance, risk and compliance in relation to info sec and provide reports to the CISO and the relevant steering committees.
• Ensure that information security is aligned with COBIT framework and implemented according to agreed maturity levels.
• Establish an information security risk management strategy and process to report on info sec risks e.g. risk acceptance. Regular reporting to the CISO in this regard.
• Develop threat models for all critical technologies (application and supporting infrastructure).
• Support the CISO with info security input into the info Security plans. Develop business cases to secure the budget for improvements in the cyber-security maturity.
• Manage internal ISMS programme and COBIT implementation project and ensure delivery on time and within budget.
• Conduct research to get a clear view of new and emerging threats facing technology and ensure that these are reflected in the threat models and strategy.
• Ensure that the learnings from other security incidents are adopted by all companies/brands in the Group, in so far as the information security control environment is concerned.
• Guide the business with the selection of appropriate controls in order to combat information security threats.
• Coordinate efforts with the Info sec function under the CISO to ensure a unified approach to cyber[1]security across VE Group.
• Keep abreast of emerging technology trends and the implications on information security e.g. mobile, cloud and social.
• Provide insight and intelligence into effective information security threat management. Work with the relevant teams within the CISO function.
• Stay close to the business strategy and ensure that Info Security capabilities enable and support.
• Assist the function that deals with security incident management, response and recovery for Info sec to coordinate activities. Also ensure that learning are taken and fed into policy and process enhancement.
• Develop incident response plans (aligned with the Incident Monitoring and Management Function) and recovery processes for specific cyber-security events, linked to a reliable industry source.
• Secure the requisite IT resources and ensure that efforts receive appropriate focus and priority in relation to implementation of IS governance.
• Ensure that all security incident and audit findings remediation work is undertaken in line with findings and is coordinated and tracked.
• Assist the to ensure that simulation exercises are performed to test the effectiveness of information security controls.
• Provide the rules for the effective management of information security controls in the IT Operations organization.
• Inform the rules and or configuration and policy settings that should apply on Security controls based on incidents and threat intelligence.
• Responsible for internal information security consulting to business units within the group.
• Coordination of external vulnerability remediation - this includes determining the scan lists with the line of business and IT teams, reviewing results of the foot-printing exercise and coordination of remediation efforts with the respective IT support teams.
• Generate management information to clearly articulate our cyber-security exposure.
• Provide cyber-security expertise to the line of business and IT teams in the course of risk assessment and advisory work.
• Provide information security consulting to business with regards to technology decisions and new business enablement.
• Create awareness within the group on new and emerging information Security threats. Conduct awareness campaigns to improve the information security culture within the group.
• Manage a team to ensure effectiveness.
• Support the line manager for the area to develop a high performing team by conducting daily and weekly operational performance discussions and assisting employees to prepare the portfolio of evidence for formal performance development discussions.
• Coach, mentor and motivate the on how to improve their own productivity and use of MultiChoice’s processes and systems.
• Based on training plans agreed with the line manager of the area, monitor and support team members to ensure that planned training is undertaken.
• Establish and maintain a succession plan for the team.
• Together with the line manager for the area, interview candidates to join the team and provide input into the recruitment decision. The line manager for the area is the final decision-maker on who joins the team.
• Obtain the workforce and recruitment plans created by the line manager and plan execution within given timelines. Make recommendations to the line manager on how to improve the plans and suggest how resources could be reallocated in case of excessive workload.
• Review and update the team’s role descriptions on at least an annual basis to ensure that they are fit for purpose and contain all the accountabilities of each team member. Explain any updates to team members.
• Review leave plans in place and make recommendations to the line manager to adjust the plans if required. Review leave captured on the employee system to ensure that all leave was captured.

Qualifications

• University degree in information technology, engineering.
• Professional certifications such as Certified Public Accountant (CPA), Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP) and / or Certified Fraud Examiner (CFE) are highly encouraged to apply.

Experience

• At least 5 years of relevant consulting or industry experience, preferably in a professional services environment.
• At least 2+ years in managerial role.

Technical Competencies

• Application Risk & Controls practice.
• Information Management and Analysis Services practice.
• IT Regulatory Services.
• At least5 years of relevant consulting or industry experience, preferably in a professional IT services environment.