CISO and Manager Security, Risk, Compliance - GL E

Reporting to the CIO, the role is primarily to provide the vision and leadership for developing and supporting cyber security strategy, initiatives, and roadmap. The Chief Information Security Officer (CISO) directs the planning and implementation of enterprise IT systems, business operations, and facility defences against security breaches and vulnerability issues. This individual is also responsible for auditing existing systems, while directing the administration of security policies, activities, and standards. Oversees cybersecurity risk management within the Global Fund, and is responsible for governance, auditing, risk management and compliance of the IT systems.

This role will play a pivotal role in safeguarding our information systems and ensuring the integrity and confidentiality of sensitive data. This role will be responsible for developing and implementing robust cybersecurity strategies, policies, and procedures to protect our organization from evolving cyber threats, in alignment against best practice standards ISO 27001, 22301 and GDPR.

This role will advise senior management and governance bodies on cyber security to protect the Global Fund and the ecosystem (e.g., PR’s) from emerging cyber threats (phishing, data loss, reputational risk linked to any misuse of system / data) and plan defences against security breaches and drive a continuous improvement mindset.

Key Responsibilities

As Manager, Security, Risk, Compliance & CISO this person will:

Information Security & Risk

• Lead the definition, implementation, and management of Global Fund Information Security Strategy and roadmap.
• Ensure effective governance of Information Security, liaising with all relevant stakeholders.
• Develop and implement comprehensive cybersecurity risk management strategies, policies, and procedures in line with industry best practices (e.g., ISO 27001/2, NIST) and organizational objectives.
• Collaborate with Legal Department to define and implement strong security, privacy and data protection framework through grants and across the organisation. 
• Lead, implement, maintain, and oversee enforcement of business continuity policies, procedures and plans for end-to-end resilience, following industry-standard best practices, e.g., ISO 22301. 
• Identify, assess, and prioritize cybersecurity risks and vulnerabilities across our information systems and networks, ensuring proactive mitigation measures are in place.
• Collaborate with cross-functional teams to establish effective incident response plans and ensure prompt and appropriate action is taken in the event of a cyber incident or breach.
• Contribute to IT projects identifying their risk profile and security requirements and assist the implementation of adequate security controls as an integral part of the final product.
• Monitor and evaluate the performance of cybersecurity technologies, tools, and solutions, making recommendations for enhancements or replacements as necessary.
• Lead and manage a team of cybersecurity professionals, providing guidance, mentoring, and performance feedback to enhance their skills and capabilities.
• Conduct regular audits and assessments to evaluate the effectiveness of cybersecurity controls, ensuring compliance with relevant legal, regulatory, and contractual obligations.
• Stay abreast of the latest cyber threats, trends, and emerging technologies to continuously enhance our cybersecurity posture and proactively address potential risks.
• Foster a culture of cybersecurity awareness and education within the organization by developing and delivering training programs across the organisation and country ecosystem (e.g., PR’s).
• Build increased collaboration on cyber threat intelligence for prevention and protection of Global Fund and PR’s/countries.
• Collaborate with external stakeholders, including government agencies, industry partners, and cybersecurity organizations, to exchange information, share best practices, and enhance collective defence against cyber threats.
• Provide regular reports and updates to the CIO and senior management on cybersecurity risks, incidents, and the overall effectiveness of the cybersecurity program.
• Responsible for the IT risk reporting in collaboration with the Chief Risk Officer (CRO) team for an integrated enterprise risk reporting via Global Fund operational risk register (ORR) to Senior Management (MEC), the Audit and Finance Committee (AFC) and Board.
• Manage all matters relating to e-discovery investigations in collaboration with HR, Legal, Communications, Risk, Ethics and Office of Inspector General (OIG) Departments.
• Promote and oversee strategic cyber security relationships between internal resources and external entities, including government, vendors, and partner organizations.

Compliance

• Develop and implement a comprehensive IT compliance program, including policies, procedures, and controls aligned with legal and regulatory requirements.
• Monitor and assess the effectiveness of IT controls, identify potential compliance risks, and recommend appropriate remediation measures.
• Stay up to date with relevant laws, regulations, and industry standards pertaining to IT compliance and ensure ongoing compliance with such requirements.
• Collaborate with internal stakeholders to develop and deliver compliance training programs for IT staff and raise awareness of compliance obligations across the organization.
• Conduct regular audits and assessments to evaluate compliance with internal policies, procedures, and industry best practices.
• Manage external audits and regulatory inspections, ensuring all required documentation and evidence are prepared and readily available.
• Serve as the strategic subject matter expert on IT compliance matters and provide guidance to senior management and staff regarding compliance issues and risk management.
• Lead incident response efforts related to IT compliance breaches or incidents, including investigation, root cause analysis, and implementation of corrective actions.
• Build and maintain strong relationships with regulatory bodies, external auditors, and other relevant stakeholders.
• Prepare and present reports on compliance activities, findings, and recommendations to senior management and the CIO.

As a member of the IT Leadership Team, this role will:

• Ensure an alignment of designed solutions with IT strategy & IT principles.
• Establish with other IT Leadership Team’s members the governance processes and be jointly responsible to achieve IT objectives.
• Work with external fund partners including donors, recipients and suppliers to ensure that opportunities for further efficiency, effectiveness or transparency are realised.

As a People Manager, this role will:

• Lead a specialized team, aligning resources to meet corporate priorities linked to deliverables.
• Lead their direct reports, set individual and team objectives in line with the overall IT team objectives, ensures that they have appropriate understanding of the requirements of their role and the capacity and skills needed to meet them, provide coaching and mentoring to them, to ensure achievement of these objectives and works together with staff to achieve work- life balance.
• Engage, motivate and develop their team in order to drive their performance and increase their impact measurably.
• Act as a role model for the values and behaviours of the Organization, focusing on collaborative relationships within the Organization.
• Manage workforce planning, recruitment, learning and development, performance management and career development of team under responsibility.

Subject to change by the Executive Director at any time at their sole discretion.

Qualifications

Essential:

• Advanced University Degree in information systems management, computer science, information security or a related field or an equivalent and relevant work experience.
• Extensive knowledge and understanding of cybersecurity principles, frameworks, and standards, such as ISO 27001, NIST Cybersecurity Framework, and CIS Controls.

Desirable:

• Relevant professional certifications (e.g., CISSP, CISM, CRISC, ISO 27001, BCI or ISO 22301) are highly desirable.
• Certification as Certified Information Systems Auditor (CISA) is highly desirable.
• Accreditation in a recognized project management methodology such as PMI is an advantage.

Experience

Essential:

• Extensive experience in directing and/or managing Information Security and Compliance.
• Experience with international/non-profit organizations.
• Experience in developing and implementing cybersecurity strategies, policies, and procedures in a complex organizational environment.
• In-depth technical knowledge of various cybersecurity domains, including network security, application security, cloud security, identity and access management, incident response, and vulnerability management.
• Familiarity with international data protection laws, regulations, and industry compliance requirements, such as GDPR, CCPA, and HIPAA.
• Excellent problem-solving and analytical skills, with the ability to assess complex cybersecurity risks and develop appropriate mitigation strategies.
• Proven experience in managing and responding to cybersecurity incidents, including coordinating investigations, implementing remediation measures, and communicating with relevant stakeholders.
• Ability to stay abreast of the rapidly evolving cybersecurity landscape, including emerging threats, vulnerabilities, and best practices.
• Experience in conducting cybersecurity audits, assessments, and risk assessments, including familiarity with relevant tools and methodologies.
• Strong knowledge of IT compliance frameworks and regulations, such as GDPR, HIPAA, ISO 27001, PCI-DSS, and SOC 2.
• Proven experience in developing and implementing IT compliance programs, policies, and controls.
• Familiarity with risk assessment methodologies and the ability to identify, evaluate, and mitigate compliance risks.
• Solid experience working in dynamic and fast-changing environment with senior stakeholders, diverse cultures and multiple agendas.
• Experience of business continuity management.
• Strong communication and interpersonal skills, with the ability to effectively collaborate and communicate with stakeholders at all levels of the organization.

Desirable:

• Minimum of 10 years of experience in cybersecurity, with at least 5 years in a leadership or managerial role.
• Experience with ITIL framework.
• Extensive experience in leading and motivating teams in an international, multi-cultural and multi-disciplinary environment.
• Proven experience in the nonprofit or international development sector.

Competencies

Languages:

An excellent knowledge of English and preferably a good working knowledge of French. Knowledge of other languages would be an asset.

Technical and other Competencies:

• Excellent knowledge of information security and information security risk management.
• Fully versed in Information Security industry standards and best practices, e.g., ISO 27001.
• Understanding of network architecture; general database concepts; document management; hardware and software troubleshooting; electronic mail systems.
• Knowledge of business continuity management and disaster recovery operation plans.
• Operate successfully in matrix environment.
• Ability to work in team environments and to negotiate with multiple stakeholders.
• Innovative thinker who is self-directed and resourceful.
• Ability to plan, prioritize tasks and meet tight deadlines with quality deliverables.
• Ability to multi-task and problem-solve.
• Consultative approach coupled with a ‘can-do’ attitude.
• Team builder and player, able to work effectively across domains and hierarchies.
• Ability to adapt quickly.
• Strong coordination and facilitation skills.
• Strong analytical and problem-solving skills, capable of managing projects that drive business objectives.
• Excellent written, oral, and interpersonal communication skills.

Functional Competencies:

• IT (Level 3)
• Analytical (Level 3)
• Business (Level 2)
• Due Diligence (Level 2)
• Project Management (Level 3)
• Risk Management (Level3)
• Negotiations (Level 2)

The Global Fund recruits top-tier talent for our open positions, in support of our mission to end AIDS, tuberculosis and malaria as epidemics.

 

Explore our vacancies and apply on the Global Fund Careers recruitment system.

 

More information on working at the Global Fund is available on the Careers section of our main website.

Job Posting End Date

18 June 2024