Information Security Officer at AAR Insurance

Overall Purpose of the Job

Reporting to the Group Head of Technology, the Information Security Officer (ISO) is responsible for developing and implementing the enterprise-wide information security strategy for the AAR Insurance Group. They will oversee the security of both cloud and on-premise environments, ensuring robust cybersecurity measures, data privacy compliance, and risk management frameworks are in place and shall act as the focal point for all cyber security related engagements. This role requires deep expertise in regulatory compliance, cloud security, and enterprise risk management within the insurance/financial sector.

Key Responsibilities

• Develop, implement, and oversee the organization’s comprehensive information security strategy, ensuring alignment with business objectives and regulatory requirements.
• Develop/enhance and implement information security policies, procedures, and controls aligned with business objectives and regulatory requirements.
• Lead the cybersecurity function, ensuring security policies, procedures, and standards are adhered to across all business units.
• Collaborate with IT, legal, and compliance teams to maintain a strong security posture.
• Ensure compliance with relevant data privacy and protection regulations, including HIPAA, GDPR, and local insurance regulatory frameworks.
• Establish and maintain risk management programs to assess, mitigate, and monitor security risks in cloud and on-premise environments.
• Monitor and manage security risks, ensuring proper documentation and remediation plans are in place.
• Lead audits, security assessments, and reporting for internal stakeholders and regulatory bodies.
• Define and enforce security controls for hybrid IT infrastructure, including cloud platforms (AWS, Azure) and on-premise data center.
• Implement best practices for identity and access management (IAM), network security, encryption, and endpoint protection.
• Oversee security incident response plans and lead remediation efforts in case of cyber threats or breaches.
• Develop and maintain a proactive threat intelligence program to detect, respond to, and mitigate cyber threats.
• Lead incident response efforts, ensuring rapid detection, containment, and resolution of security breaches.
• Continuously improve the organization’s security posture through red team exercises, penetration testing, and vulnerability assessments.
• Develop and lead employee security awareness programs to promote compliance with best practices.
• Engage with third-party vendors, partners, and contractors to ensure security requirements are met.
• Stay up to date with emerging cybersecurity threats, trends, and best practices to proactively enhance security measures.
• Evaluate and implement advanced security technologies, including zero-trust architecture, AI-driven security analytics, and cloud-native security solutions.
• Lead security due diligence for IT projects, mergers, and acquisitions.

Education, Experience & Competencies

• Bachelor’s or Master’s degree in Cybersecurity, Information Technology, Computer Science, or a related field.
• Relevant certifications such as CISSP, CISM, CISA, CRISC, CCSP, CEH or equivalent are highly desirable.
• 5+ years of experience in information security roles, preferably in the financial, insurance or healthcare sector.
• Proven experience managing security in hybrid cloud and on-premises environments.
• Strong knowledge of regulatory compliance (HIPAA, GDPR, ISO 27001, PCI DSS, etc.).
• Experience handling security operations, incident response, and risk management in a complex IT landscape.
• Strong leadership, problem solving and communication skills, with the ability to influence executive leadership and business units.
• Understanding of cloud security architecture and DevSecOps principles.
• Hands-on knowledge of firewall management, endpoint security, SIEM, IAM, and SOC operations.
• Ability to assess and manage third-party security risks.
• High level of integrity, confidentiality, and a proactive approach to cybersecurity.