Managing Executive: Information and Technology Security at Cell C

Purpose of the Job: 

• To establish, lead, and govern Cell C’s enterprise-wide Information, Cyber, and Technology Security strategy, ensuring the protection of company, customer, and partner information assets. The role provides independent assurance and strategic oversight of information and technology risk, regulatory compliance, and cyber resilience, and advises the Board and executive leadership on emerging threats, regulatory exposure, and material risk decisions.
• Further, the incumbent will direct staff in identifying, developing, implementing and maintaining processes across the organisation to reduce Information and Technology risk through the implementation and interpretation of relevant legislation and industry standards and will advise and guide the company’s leadership on all Information and Technology Security, Information Management and Information-related compliance.

Main Responsibilities

Strategic Accountability

• Enterprise & Board Accountability
• Serves as the executive owner of information and cyber risk within the enterprise risk management framework
• Provides formal reporting and assurance to the Audit & Risk Committee and Board on security posture, incidents, and regulatory compliance
• Recommends risk acceptance, mitigation, or avoidance decisions where security risk has material business impact
• Represents Cell C in engagements with regulators, law enforcement, industry forums, and external auditors

Strategic Development

• Own the enterprise cyber resilience and security operating model, including prevention, detection, response, and recovery
• Lead material cyber and data incidents, including executive crisis management, regulatory notifications, and Board briefings
• Integrate security risk into strategic initiatives, including cloud migration, digital products, AI, data monetisation, and partner ecosystems
• Ensure security considerations are embedded into enterprise architecture, investment decisions, and vendor onboarding.
• Oversee group-wide security assurance, including independent testing, penetration testing, and third-party assurance
• Define, develop and integrate the strategic plan for Information Security and Information Assurance, including Security Architecture
• Develop and maintain a cybersecurity strategy aligned with business objectives and digital transformation initiatives. Considering emerging technologies (i.e., cloud, IoT, AI, etc.) and their security implication
• Establish a threat intelligence program, monitoring the evolving threat landscape, and proactively defending against advanced threats (e.g., ransomware, supply chain attacks, etc.)
• Consult with chiefs and executives on the implication of any strategic and tactical Information Security risks in order to ensure effective Information Security and to minimize risk
• Establish and update the information security policy which includes information assurance and information compliance as well as the code of ethics incorporating all new legislation and industry standards
• Design information security monitoring documentation, response plans, as well as the documentation content.
• Define critical key business risk indicators in respect of overall company improvements in the field of information security, assurance and compliance
• Develop and implement the Information Compliance control framework
• Design and maintain the Information Compliance policy and procedures
• Formulate audit strategy to measure the company’s Information Compliance status
• Identify protection goals, objectives and metrics consistent with the corporate strategic plan

Operational Leadership

• Remain up to date and ensure compliance with all legislative requirements in respect of information security and compliance, ensuring company alignment:
• Identify all relevant laws and regulations pertaining to the activities of Information Compliance requirements.
• Maintain and implement structures.
• Plan and assist with the governance of RICA and POPI Information Compliance (both local and international compliance)
• Maintain systems and processes to ensure compliance with PASA and PCI DSS (electronic payments) within the organisation
• Liaise with Legislative authorities and governing bodies
• Keep abreast of any legislative changes at all times, and update, amend/implement policies and procedures accordingly
• Leading cyber incident responses, crisis management, and post-incident reviews, including supporting the company Information Officer in communication with stakeholders and regulators
• Drives an organisational culture of security awareness through ongoing training, communication, and engagement initiatives.
• Manages third-party and supply chain security risks, ensuring robust due diligence and ongoing monitoring
• Defines and reports on key security metrics to the EXCO team and Board, driving accountability and continuous improvement
• Ensures compliance with global data privacy regulations and best practices for data protection
• Provide expert guidance to the business on all Information Compliance legislative requirements
• Develop Information Security Risk Management Plans and liaise with Business Continuity Management to maintain an effective BCM information security plans
• Detect and mitigate risk timeously
• Communicate the risk of non-Information Compliance and conduct high level presentations to create awareness and to inform the business of legislative requirements
• Schedule audit projects with the scope of overall company risk mitigation to ensure information security compliance and liaise and coordinate with Internal Audit in this regard
• Monitor all controls in order to provide regulatory risk assurance
• Facilitate the translation of the Information Security and Compliance strategy into functional business plans on an annual basis to the company’s business units
• Oversee, organize and conduct all investigations into company Information Compliance activities to mitigate risk
• Investigate and track the company’s Information Compliance status
• Review all non-Information Compliance issues and provide resolution
• Report on all non-Information Compliance and risk issues.
• Investigate and identify Information Compliance risks and control management initiatives
• Liaise with external legal authorities, vendors, auditors and other relevant Information Compliance entities
• Respond to incidents and establish appropriate standards and controls, manage security technologies and direct the establishment and implementation of policies and procedures. Liaise with business to develop and implement cyber incident response plans
• Manage identity and access management within the organisation’s electronic information systems
• Manage and advise on electronic data loss prevention and data protection within the organisation
• Drive information and technology security innovation to support business growth, customer trust, and competitive advantage
• Integrate security requirements into enterprise architecture and all phases of the technology lifecycle.
• Champion Zero Trust and modern security frameworks to protect against evolving threats
• Oversee the procurement, evaluation, and lifecycle management of security technologies and services
• Ensure security programs address the needs of a distributed, remote, and global workforce

Reporting

• Collate and prepare Information Compliance reports.
• Compile risk impact analysis and reports
• Prepare and/or present Information Compliance reports for the Internal Risk and Compliance Committee as well as the Audit and Risk Committee and/or board members, nationally and internationally

Cost and Budget Management

• Full accountability for material OPEX and CAPEX budgets relating to enterprise security, resilience, and compliance
• Review and approve overall cost expenditure as per delegation of authority
• Make investment trade-off recommendations to EXCO balancing risk, cost, and strategic outcomes
• Accountable for cost of risk, including potential regulatory penalties, remediation costs, and business interruption exposure

Staff Management

• Promotes diversity, equity, and inclusion within the security function, fostering a high-performing and innovative team
• Develops and implements succession planning and professional development programs for information security staff
• Recruit; assign and direct work, oversee staff development, identify training needs and maintain staff competence
• Oversee evaluate and guide the department’s Employee Performance Management programme
• Provide an advisory, support and mentorship function.
• Initiate the appropriate Labour Relation action required within section
• Uphold HR policies and procedures

Qualifications

• Minimum requirements - Post graduate degree
• Hons Degree in IT, Computer Science, Information Systems, Engineering or equivalent.
• Master’s degree in an information systems related discipline, MBA, MBL, IT Management or MCom Law/LLB – advantageous

Required Certification

• CISSP or other security certification/accreditation (in good standing)

Advantageous Certifications

• ISACA (formerly Information Systems Audit and Control Association) membership is preferred
• ISSA (Information Systems Security Association) membership is preferred
• CISA or CISM certifications through internationally accredited organisations are beneficial

Required Skills

• Expertise in security frameworks such as Zero Trust, SASE, and ISO 27001
• Deep understanding of Identity & Access Management (IAM), SIEM/SOAR platforms, and cloud security deployment
• Strong crisis management and "adaptive leadership" skills to handle high-stakes security breaches

Experience

• 12 -15 years driving the Information Security and/or Compliance function in a dynamic, high growth corporate, ideally in the telecommunications industry
• In addition, 6-8ears’ experience on a senior leadership level as information security officer within a large corporate environment
• Progressive leadership experience in computing and information security, including experience with internet technology and security issues
• Proven track record for developing and implementing successful risk and assurance capabilities within a telecoms industry environment
• Sound knowledge of regulatory Information Compliance (e.g. South Africa POPI Act)
• Experience in auditing, risk management and legal contracts
• Experience at executive level within a large company
• Demonstrated experience engaging at Board and Board Committee level
• Proven accountability for enterprise-scale cyber or regulatory incidents
• Experience operating in a listed, highly regulated, or quasi-listed environment