Head, Information Security at NCBA Group

Job Purpose Statement

The role of Head, Information Security will provide continuous assurance of NCBA Group’s information systems around confidentiality, integrity and availability of information, and ensure protection of these information assets by ensuring appropriate security controls are in place to protect the Group’s technology and information assets from information & cyber security related risks. This role will define and execute the information security strategy and roadmap for the Group, ensuring that governance and assurance in information security is enshrined and practiced within the Group, appropriate technology systems and controls are implemented, as well as ensuring that key technology projects and initiatives are compliant with security best practices and guidelines.

Key Results Areas

Strategy and Roadmap 20% 

• Develop and align the information security strategy to the Group and Information Technology strategy, to ensure information security supports business objectives.
• Execute an information security roadmap, aligned to information technology roadmap and in support of business growth.
• Define Information Security architecture in line with the technology architecture blueprint and best practice.

Cyber Security Defence 25% 

• Setup and implement Information Security practices around patching, vulnerability, malware management program etc. within the Group, ensuring that vulnerability assessments & penetration testing is conducted and patching and remediation of vulnerabilities is done as per policy and procedure.
• Drive the implementation, administration and support of technology control systems as per the IS roadmap.
• Implement continuous monitoring of technology assets for cyber incidents that impact on confidentiality, integrity and availability of systems, by putting in place the appropriate people, processes and technology.
• Implement security incident response for effective response, containment and recovery from security incidents or breaches.

Cyber Security Assurance 25% 

• Provide information security assurance to technology systems to ensure that new products, services, channels and other IT changes introduced meet the security compliance thresholds.
• Participant as a key stakeholder in the Bank’s Change Management governance process (Change Advisory Board) with responsibility to approve or reject changes that do not meet the compliance threshold.
• Participate and contribute towards developing and supporting IT practices (e.g. agile, DevSecOps)

Information Security Governance 20% 

• Develop and implement Group Information Security framework, strategy, policy and procedures.
• Ensure that best practice and regulatory guidelines on Cyber Security are enshrined within the Group’s policies and procedures.
• Develop and implement an effective information security awareness program covering all staff and key stakeholders of the Bank.
• Develop and implement a robust IT Business Continuity Management program, ensuring that effective BCP & DR processes are setup and executed.
• IT department risk champion, interfacing with the compliance teams to manage technology risk and audit engagements.

People Leadership 10% 

• Provide effective leadership to the Information Security team, and work with peer IT heads and other IT staff to ensure a conducive work environment.
• Provide leadership, performance management, talent management, training and development programs, coaching and mentoring for the Information Security team
• Liaise with internal and external stakeholders (vendors, regulator and consultants) in ensuring that the information security objectives are met.

Ideal Person Specifications

• Bachelor’s Degree in Information Systems, Computer Science, Information Security or related field required
• 7-10 years in information security or information security governance experience, with 5 years in a managerial role within a highly digitized organization, with a proven ability to engage with Senior Management and regulators.
• 4+ years’ experience conducting IT compliance assessments or administering IT security controls in an organization.
• Knowledge of technical infrastructure, networks, databases and systems in relation to IT Security and IT Risk.
• Experience with security technologies & controls including IPS/IDS, SIEM, DLP and other security technologies.
• Relevant certifications in information security knowledge areas, such as Information
• Systems Audit, Information Security Management and Ethical Hacking.
• Knowledge of: Strong Authentication, End Point Security, Internet Policy
• Enforcement, Firewalls, Web Content Filtering, Database Activity Monitoring (DAM),
• Public Key Infrastructure (PKI), Data Loss Prevention (DLP), Identity and Access Management (IAM)
• Knowledge of banking or financial services fundamentals and processes (prior experience working within a financial service organization is an added advantage)
• Excellent communication, analytical and reporting skills
• Knowledge in project management skills