Information Security Governance & Compliance Specialist

Posted:
9/19/2024, 3:19:02 AM

Location(s):
Texas, United States ⋅ Dallas, Texas, United States ⋅ Austin, Texas, United States ⋅ Houston, Texas, United States ⋅ San Antonio, Texas, United States

Experience Level(s):
Mid Level ⋅ Senior

Field(s):
IT & Security ⋅ Legal & Compliance

Practice Group / Department:

IT Security - Operations and Risk

Job Description

We are a global law firm with a powerful strategic focus and real momentum. Our industry-focused strategy is seeing us take on pioneering work in places that others have yet to reach. Our shared values define our culture and our workplace. You will find us to be unusually collegial, team-oriented, and ready to innovate. We work seamlessly across practices, offices and around the world. This elimination of boundaries has allowed us to evolve into a law firm that works as hard for its culture as it does for its clients.

The Team

The Information Security team reports to the Global Chief Information Security Officer (CISO). The team works with unified principles and processes around the world while maintaining regional stakeholder relationships. High standards are achieved through adherence to international best practice principles (ISO 27001) and continual improvement methodologies.

The scope of the Information Security function includes all strategic security planning and control oversight to ensure effective risk mitigation takes place within the firm. In many cases, the operational running of security controls is the responsibility of IT Service Delivery teams or departments such as HR, Facilities, Procurement, General Counsel, etc. The Information Security team remains responsible for ensuring the effectiveness of the overall control framework and ensuring that any related risks are identified and incidents managed.

The Role

The Information Security Governance & Compliance Specialist takes responsibility for overseeing responses to support the client bids and client audit process, and the 3rd party supplier assessment process. The role is a key part of supplying assurance to our clients on the technical security measures NRF have in place for the protection of client data. Providing project support for other security functional areas may also be required on an ad hoc basis.

The success of this role is dependent upon building a lasting alignment between client requirements and NRF’s information security provisions and business requirements. It is also incumbent upon this role to take a continual development mindset to ensure their product knowledge represents the latest in control requirements and evidence, enabling timely responses to our clients. In particular, the role must take into consideration:

  • Building relationships with key stakeholders to allow regular information sharing.
  • The special requirements of the Firm with regard to client confidentiality, as well as regulatory requirements such as data protection.
  • Achieving a balance between protecting the firm and ensuring that users can work effectively; being pragmatic but cognizant of risk.

Key responsibilities

  • Responsible for all client bids and client audit responses. Ensure NRF responses to client questions are consistent and appropriate.
  • Lead support for client bids and client audits. This involves the coordination of completing complex questionnaires received from clients, often to tight deadlines.
  • Assessor for NRF’s 3rd party supplier onboarding process, to ensure all new suppliers are thoroughly evaluated, and conform to NRF Information Security requirements.
  • Provide Information Security & IT Product knowledge support, including:
    • Deep working knowledge of NRF global controls through liaising with regional IT teams.
    • Responsible for the upkeep of the central response and evidence database.
    • Continual process improvements.
  • Providing knowledge transfer to other Governance and Compliance Analysts when needed.
  • Providing wider functional support when needed.
  • Research and development of technology and processes to increase team efficiency and speed.
  • Escalating appropriately, where policy compliance is not in place and tracking any remediation actions to completion.
  • Performing 3rd party supplier risk assessments to ensure the protection of the firm’s and clients’ data.
  • Remain current with developments in the Cyber domain, including the evolving threat landscape and its relevance to the Firm’s risk profile.
  • Assist other members of the Governance & Compliance team to deliver their functional responsibilities, where required.
  • Undertake other reasonable duties as requested by the Information Security Manager.

Skills and Experience Required

  • Education – an IT or Information Security qualification or 7+ years’ experience in a similar role.
  • ISO 27001 qualification and / or experience.
  • Excellent communication skills, both written and oral. The ability to articulate complex Information Security controls to a business audience is essential.
  • Stakeholder management skills. Ability to build relationships with team members and peers across the organization is vital to the success of this role.
  • Experience working in large, matrixed and geographically dispersed global organizations where IT and Information Security have played a key role for the business.
  • Proven ability and understanding of the role of client bids and client audits in business development and the effective management of third-party risk.
  • Experience in the use of Governance, Risk & Compliance (GRC) tools. OneTrust GRC and BitSight platform experience is an advantage.
  • An ability to learn quickly, solve problems and pragmatically address risk.
  • Experience with the creation of reports, dashboards and metrics for presentation.
  • Passionate and driven to exceed expectations and to deliver with integrity.
  • Effective third-party supplier management and assessment skills.
  • A relevant industry certification, such as CISSP, CISM, CRISC, CISA or similar, is an advantage.

Personal Attributes:

  • Keen sense of responsibility, ability to set a professional example and desire to adhere to defined security practices.
  • Integrity and professionalism, with a consistent and uncompromising adherence to best practice.
  • Strong stakeholder management skills, including the ability to communicate complex Information Security concepts in business language.
  • Strong security understanding.
  • Self-motivated and able to work calmly and methodically under pressure.
  • Excellent interpersonal skills, exceptional levels of personal integrity and the ability to communicate clearly at all levels through reports, presentations and forming effective matrixed relationships.
  • Flexible approach to incorporate changing priorities.
  • Co-operative and established team worker.
  • Good judgement when it comes to confidentiality and sensitivity of information of which they may become aware through the course of their duties.
  • Adaptable and keen to learn new skills.

Norton Rose Fulbright US LLP is an Equal Opportunity/Affirmative Action Employer and complies with all applicable federal laws and their implementing regulations that require the collection and recording of certain data and information. The information we receive will not be used to make any decision regarding employment and will be kept separate from your application. Similarly, self-identification information is kept confidential and used only in accordance with applicable federal laws and regulations. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability or protected veteran status. Norton Rose Fulbright is committed to providing reasonable accommodation as an Equal Opportunity Employer to applicants with disabilities. If you require assistance or accommodation to complete your application, please contact [email protected]. Please provide your contact information and a description of your accessibility issue. We will make a determination on your request for reasonable accommodation on a case-by-case basis.

E-Verify is a registered trademark of the U.S. Department of Homeland Security. This business uses E-Verify in its hiring practices to achieve a lawful workforce.


Norton Rose Fulbright

Website: https://nortonrosefulbright.com/

Headquarter Location: Brussels, Brussels Hoofdstedelijk Gewest, Belgium

Employee Count: 5001-10000

Year Founded: 2011

IPO Status: Private

Industries: Finance ⋅ Law Enforcement ⋅ Legal ⋅ Professional Services