THE HIRING DEPARTMENT/DIVISION:
The Head of Cyber Risk will create a new Unit within the Bank to provide expertise and assistance to ensure the Bank’s infrastructure and information assets are appropriately protected. The Cyber Risk Unit will be responsible for the safeguarding of all bank’s Information Communication Technology (ICT) assets across all platforms, locations, and stakeholders. The Cyber Risk Unit will be part of Bank’s ICT lifecycle management to provide secure ICT solutions to the Bank. The Cyber Risk Unit will lead and provide cyber security technology solutions at the Bank, such activities include but are not limited to Security Operation Center (SOC), Cyber Incident Response, Threat Intelligence, Zero-day attack and defence, cloud security, mobile security, data security and application security. The Cyber Risk Unit will focus on developing and driving information risk strategies, policies/standards, ensuring the effectiveness solutions, ensuring appropriate risk policies and procedures such as user log-on and authentication rules, security breach, escalation procedures, and security assessment procedures. The Cyber Risk Unit will enforce information security policies and procedures, monitor data security profiles on all platforms and investigate risk scenarios.
The objective of this position are to:
- Be responsible for the safeguarding of all Bank’s Information Communication Technology (ICT) assets across all platforms, locations and stakeholders. Additionally, the incumbent will play a central role in refining the broader information technology risk program across the bank, and will be responsible for ensuring compliance of all third-party providers with the information security standards.
- Establish a complete vision for cybersecurity practices for the Bank and management of security policies, procedures, guidelines, and standards. This includes roadmaps for evolving the ICT security architecture, associated toolsets, security processes, etc.
- Lead Cyber Security innovation at the Bank and provide innovative ICT security solutions to address business and technology challenges
- Provide solutions to Bank’s ICT and business project team ensuring information and technology security requirements, including confidentiality, integrity, and availability are managed and the project objectives are achieved.
- Plan, execute, and manage multi-faceted projects related to cyber risk management, mitigation and response, compliance, control assurance, and user awareness.
- Update, maintain and document information controls and provide direct support to the Bank internal IT structures.
- Be responsible for leading and coordinating, articulating, and tracking actions related to developing and driving the implementation of a new Cyber Risk Unit ensuring effective cyber security risk management practices, risk based planning and engaging with business Departments on a wide range of cyber risk matters to achieve the overall business objectives of the Bank.
- Oversee activities as assigned, primarily within risk management, and lead technical projects across all technical areas to mitigate cyber risks.
The areas of responsibility for the head of the unit are the following categories:
- Governance & strategy: Making sure all of the above initiatives run smoothly and get the funding they need — and that corporate leadership understands their importance
- Security operations: Real-time analysis of immediate threats, and triage when something goes wrong
- Cyber risk and cyber intelligence: Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves
- Data loss and fraud prevention: Making sure internal staff doesn't misuse or steal data
- Security architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind
- Identity and access management: Ensuring that only authorized people have access to restricted data and systems
- Program management: Keeping ahead of security needs by implementing programs or projects that mitigate risks
- Investigations and forensics: Determining what went wrong in a breach, dealing with those responsible if they're internal, and planning to avoid repeats of the same crisis
The incumbent’s duties will include the following:
Ownership of the information security compliance vision, strategy and assurance including:
- Strategic planning for Cyber Security Risk Management at the Bank, including situation assessment, vision and mission, objectives, road maps for short, medium, and long terms.
- Evaluation and interpretation for AFDB of industry best practices (NIST, ISO, SANS, COBIT, CERT) and compliance requirements (Legislative, Regulatory).
- As appropriate - ownership, sponsorship, management, support and supervision of information security assessments, audits and ongoing monitoring.
- Information security threat and vulnerability management, incident reporting, event management, event investigation and analysis.
- Ownership of the information security project portfolio, including developing new or improved capabilities and addressing areas for needed remediation.
- Overall stewardship and sponsorship for AfDB Enterprise IT Risk management strategy.
Strategic planning, Risk management plan and actions
- Develop enterprise cyber security risk management strategy to address short term, medium term, and long term needs.
- Design, develop and maintain Enterprise Information Security Architecture (EISA) by aligning business processes, IT software and hardware, local and wide area networks, people, operations, and projects with the organization’s overall security strategy
- Perform external analysis of the organization (e.g., analysis of customers, competitors, markets and industry environment) and internal analysis (risk management, organizational capabilities, performance measurement etc.) and utilize them to align information security program with organization’s objectives
- Identify and consult with key stakeholders to ensure understanding of organization’s objectives
- Define a forward-looking, visionary and innovative strategic plan for the role of the information security program with clear goals, objectives and targets that support the operational needs of the organization
- Engage with business leaders on risk matters ranging from policy and governance to security risk operations.
- Provide active expert level support to bank’s ICT and business project team to ensure on target, on time and on budget delivery of the projects to meet business needs.
- AFDB has adopted a “Cloud first” strategy. Cloud-based platforms and software-as-a-service (“SaaS”) are widely used by IT and business units at the Bank. The incumbent will lead the unit to develop a cloud security strategy and be accountable for the implementation of the strategy.
- Provide administrative and tracking actions to the Vice President CHVP, while interfacing with the Business Continuity Unit, the Physical Security Unit, the Information Technology Department, the Operational Risk Team and the Group Chief Risk Officer.
- Lead and ensure coordination and consensus with other Bank teams to align processes and procedures to ensure a common approach to cyber risk management activities.
- Lead Cyber Security Technology innovation at the Bank and provider highest level expertise advisory services to the senior management
- Ensure all processes and access are in line with Bank policies.
- Support internal and external audits.
- Manage multiple projects with broad scope, ambiguity, and high degree of difficulty.
- Maintain an advanced knowledge of all cyber risk principles, technologies and elements.
- Understand the Bank global program structure, operations and support the High 5 strategy.
- A Master’s degree in electrical engineering, systems engineering, computer science, computer engineering, information technology, management information systems, security and risk management or equivalent.
- 8+ years' work experience in relevant Information Security Risk position and 2+ years’ experience in a management role or a similar position or having equivalent skills and experience is highly desired. Practical experience with ISO 27000 is required. 3+ years’ experience in conducting or leading risk based information security assessments would be an added advantage.
- Expert level experience in two or more CISO domains
- Mandatory Certifications in ICT security (unless demonstrate the same level of knowledge):
- CISM and/or CIS
- Desired Security Certifications and experience (one or more):
- Certified Ethical Hacker
- CCIE security
- SANS cyber defence
- Threat Intelligence
- Kali penetration testing
- Structured project management experience in deploying cyber risk related initiatives.
- Broad experience in computer and network systems focused on IT and cyber risks.
- Experience leading teams.
- Knowledge of regulatory compliance, standards, and frameworks such as ISO, NIST, COBIT and PCI DSS.
- Proven understanding of information security risk assessment and risk management procedures and methodologies.
- Ability to correlate enterprise risk with appropriate administrative and technical security risk controls.
- Knowledge and experience with diverse architectures, large-scale transaction processing environments, external hosted services, and cloud computing environments.
- Functional understanding and knowledge of information technology risk principles, standards, and processes, such as authentication and access control, infrastructure hardening, network traffic analysis, endpoint security, platform architecture, application security, encryption and key management, cloud security, etc.).
- Working knowledge of all operating systems
- Dynamic and self-motivated to provide excellent services to the users
- Have excellent interpersonal skills coupled with a collaborative style
- Strong communication skills to enable effective engagement of team members and external providers.
- Conflict resolution skills
- Ability to advise senior management on complex systems development and related matters of significant importance to the institution; conceptual and strategic analytical capacity to understand information system and business operational issues so as to thoroughly analyze and evaluate critical systems matters.
- Demonstrable experience in improving processes and approaches; demonstrable adaptability to changing priorities.
- Keeps abreast of new developments in own occupation/ profession; good understanding of the new technology and industry trend.
- Excellent team spirit, communication skill, both verbal and writing
- Fluency in English and/or French with good working knowledge of other language.
To apply for this position, you need to be national of one of AfDB member countries.
Applicants who fully meet the Bank's requirements and are considered for interview will be contacted. Only online applications submitted with a comprehensive Curriculum Vitae (CV) and copies of the required degrees will be considered. The President, AfDB, reserves the right to appoint a candidate at a lower level. The African Development Bank is an equal opportunities employer. Female candidates are strongly encouraged to apply.
The African Development Bank Group (AfDB) does not ask for payments of any kind from applicants throughout the recruitment process (job application, CV review, interview meeting, and final processing of applications). In addition, the Bank does not request information on applicants’ bank accounts. The African Development Bank Group declines all responsibility for the fraudulent publications of job offers in its name or, in general, for the fraudulent use of its name in any way whatsoever.
Interested and qualified? Go to African Development Bank on ldn.tbe.taleo.net