The Tech & Cyber Risk Control Assurance Lead will play a pivotal role in ensuring the effectiveness of technology and cybersecurity risk management practices within the organization. This position sits within the first line of defence, working closely with technology and security teams to implement and maintain robust control assurance processes. Reporting directly to the Group CISO, the Tech & Cyber Risk Control Assurance Lead will collaborate extensively with the Tech and Cyber Governance, Risk, and Compliance (GRC) Leader, the Director of Technology Operations, and the Security Architecture and Engineering Leader to ensure a cohesive and comprehensive approach to risk management.
Key Responsibilities:
Control Assurance Framework:
Develop, implement, and maintain a comprehensive control assurance framework for technology and cybersecurity functions.
Establish and enforce control testing methodologies to assess the effectiveness of existing controls.
Risk Identification and Assessment:
Collaborate with technology and security teams to identify and assess risks associated with cloud services, systems, applications, and infrastructure.
Conduct risk assessments to evaluate the impact and likelihood of identified risks.
IT & Security Policies and Standards Management:
Oversee the maintenance of IT & Security policies and standards.
Ensure compliance with established policies and standards across technology and security functions.
Issue, Incident, and Exception Tracking and Reporting:
Implement and manage processes for tracking and reporting technology and security issues, incidents, and exceptions.
Provide timely and comprehensive reports to relevant stakeholders, including the CISO.
Tech and Security Control Testing and Assessments:
Lead and coordinate regular testing and assessments of technology and security controls.
Manage the remediation of control deficiencies identified through testing and assessments.
IAM Governance:
Oversee Identity and Access Management (IAM) governance processes.
Ensure that access controls align with organizational policies and industry best practices.
Monthly Phishing Test Management:
Plan, execute, and manage monthly phishing tests to assess the organization's susceptibility to social engineering attacks.
Report phishing test results and develop awareness training and culture initiatives based on findings.
Special Security Projects:
Lead and contribute to special security projects as directed by the CISO.
Ensure that project outcomes align with strategic security objectives.
DLP Rollout and Monitoring:
Oversee the rollout and ongoing monitoring of Data Loss Prevention (DLP) solutions.
Collaborate with relevant teams to enhance DLP effectiveness.
Support Governance Committees:
Provide support to technology and security governance committees.
Participate in committee meetings, offering insights and recommendations.
Audit Artifacts and Compliance Management:
Take ownership of Tech and Cyber internal and external audit artifacts.
Maintain audit readiness, compliance readiness, and a risk-managed Tech and Cyber division.
Regulatory Assessments and Reporting:
Conduct regulatory assessments to ensure compliance with applicable laws and regulations.
Provide detailed reports to the CISO and GRC leader outlining assessment results and recommended actions.
Maintain OSPAR Compliance:
Ensure that the Tech and Cyber division remains compliant with OSPAR (Outsourced Service Provider Audit Report) requirements.
Manage the certification process and ongoing compliance efforts.
Ad-Hoc Tasks Directed by CISO:
Undertake ad-hoc tasks and special assignments as directed by the CISO.
Qualifications and Skills:
- Bachelor's degree in Computer Science, Information Security, or a related field.
- Master's degree and/or relevant certifications (e.g., CISSP, CISA, CISM, CRISC) preferred.
- Must have prior hands-on experience with Microsoft 365 Security (rollout/implementation).
- 10-15 years' experience in technology risk management, control assurance, or related fields.
- Strong understanding of cybersecurity principles, frameworks, and best practices.
- Excellent communication and interpersonal skills with the ability to collaborate effectively across technical and non-technical teams.
- Experience working with technology and security professionals in a first-line-of-defence capacity.
- Demonstrated ability to lead and drive change in a complex and dynamic environment.
- Strong analytical and problem-solving skills.