VP, Head of Cybersecurity Governance, Compliance & Risk Management
Islamic Bank
Total years of experience: 21 years, 2 months
Leading a team of 16 cybersecurity professionals, I report to the group chief information security officer (CISO) and am responsible for two verticals: Cybersecurity Governance & Risk Management and IS Assurance & Services.
Major achievements:
- Established, with the group CISO, the group information security function and department from scratch.
- Main contributor to the three-year strategic information security transformation program (35 information security initiatives with a budget of US$40M+).
- Designed and implemented RSA Archer GRC for cybersecurity modules: risk assessments & management, vulnerability & threat management, and security compliance management.
- Main player in architecting and assuring cybersecurity controls for the group digital and cloud transformation journey.
My main responsibilities include:
Cybersecurity Strategy Management
- Developed and maintained the group cybersecurity strategy (purpose, vision, mission, values, strategic goals & objectives). Drove the cybersecurity strategy, influencing architectural and development decisions.
- Ensured cybersecurity investments, initiatives, projects and programs aligned with cybersecurity strategy, digital strategy and group business strategy and goals.
- Communicated cybersecurity strategy to relevant group stakeholders at all levels.
- Oversaw strategy execution and delivery; prepared and presented strategy execution progress and metrics, e.g. dashboards covering cyber risk reduction and cybersecurity maturity.
- Managed the information security steering committee and was responsible for all related sub-committees. Represented cybersecurity and the CISO in the group executive committees (fraud, technology, etc.).
Budgeting & Resources Allocation
- Responsible for the cybersecurity budget: annual budgeting exercises (OpEx & CapEx, cost allocation, budget monitoring and resource optimization).
- Provided the information and analysis needed to support strategic security purchasing decisions.
- Identified talent and developed a highly qualified staff of cybersecurity professionals to meet organizational needs.
Planning
- Centrally maintained the annual planning and mid-year re-baselining efforts for the cybersecurity annual plans: awareness & training plan, performance management plan, data classification plan, risk assessments plan, assurance & compliance plan, incident response plan, threat intelligence plan, attack surface reduction plan and policies review plan.
IS Governance
- Developed, maintained and managed the group cybersecurity operating model and governance framework.
- Responsible for cybersecurity frameworks development, update and implementation.
- Developed and implemented information security operating model.
- Managed the information security steering committee and supported the CISO's participation in external activities such as external boards or governing body committees.
Policy Management
- Developed information security policies, standards, operating procedures, minimum-security baselines, templates and checklists.
Cybersecurity Risk Management
- Developed and implemented an information security risk management framework aligned with the enterprise and operational risk management framework, policy and standards.
- Managed the information security risk assessment process and delivery, including annual planning & delivery, risk assessment life cycle management, and risk reporting to stakeholders and management.
- Developed and maintained the group cybersecurity risk appetite.
- Assessed the cybersecurity risks in third-party engagements and for disruptive technologies: AI, IoT, data analytics, blockchain and cloud computing.
Performance Management
- Developed and reported cybersecurity metrics including Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), Key Control Indicators (KCIs), dashboards and scorecards.
Cybersecurity Assurance
- Developed and maintained the IS Assurance framework, policy and standard.
Ensured successful achievement of the Technology & Systems Audit plan through effective planning and monitoring of individual audit assignments, ensuring that they were executed in an economic, effective, efficient and timely manner.
Carried out assigned audits and produced working papers that could be re-performed by an independent party to reach the same conclusion. Agreed with auditee management the actions to be taken in response to audit recommendations, ensuring that they were both appropriate and realistic. Carried out root cause analysis and managed corrective action programs.
Deployed Risk & Control Assessments and reviewed the standard of control design and effectiveness.
Documented findings, including the business impact and root cause when known, and produced detailed recommendations for the Audit Manager's review and subsequent presentation to auditee management and the audit committee.
Provided support in determining and ensuring the adequate consideration of risk within computer systems under development, and recommended the incorporation of controls, audit trails and security measures commensurate with the cost-effective containment of potential threats and protection of the Bank's assets.
Assessed risk and control environment in IT operations and system development projects.
Assisted the Manager in managing the Department's various activities (i.e. budgeting, operating plan, staff performance, etc.). Kept up to date with IT industry trends and advancements by investing in self-learning and being an active member and contributor at organizations such as ISACA, IS forums and IT audit groups, and at seminars on IT risks and controls, IT security threats and controls, and emerging IT risks.
Identified business risks and inefficiencies to influence management to implement suitable change across the whole business. Focused on IT general controls, application controls, transaction testing and database controls.
Effectively implemented an automated audit management system, MKInsight, and designed the lifecycle workflow to transform the audit life cycle from a manual process to full automation.
Supported auditors in using Computer Assisted Audit Tools (CAATs) such as ACL and IDEA through training, support, guidance and supervision. Tested the compliance of applications with required internal financial and application controls; mapped application workflows and tested interfaces to financial systems.
Interviewed potential employees, assisted auditors in defining objectives as well as managers in end of the year appraisals.
Audited the project management processes and the PMO controls and risks, and provided recommendations for improvements which led to an increase in the Enterprise Project Management maturity level.
Provided information systems and technology (IS/IT) consulting services for enterprise organisations in information security, IT management services quality and control, IS/IT auditing, IS/IT governance and vulnerability assessment. Managed and controlled IS solutions implementation (projects).
Led a team of technical and pre-sales engineers and managed pricing and responded to Request for Proposals (RFPs).
Successfully delivered all assigned projects within the defined time, budget and expected quality. Served as team leader of the technical pre-sales team, presenting solutions to clients.
Responsible for selling and implementation of the following information systems: business intelligence, decision support systems, Human Resources Management System (HRMS), reporting portals, enterprise project management, customer relationship management, ERP, network management, data protection, document management and learning management systems.
Implemented business solutions such as information security systems, IDS/Intrusion Prevention System (IPS), firewalls, etc.
Managed strong partnerships with international IT solution providers such as Microsoft, Crystal Decisions and Symantec, and delivered IT business solutions and consultancy services as well as training services on different technical products and solutions.