Global Chief Security Officer - CISO BSISA & Branches
Country: Switzerland
BANCO SANTANDER INTERNATIONAL S.A.
Our company is an international private banking firm, part of Grupo Santander, located in Geneva with an office in Zurich and branches in Nassau (Bahamas) and Dubai. With around 300 employees, the company has its own IT department, which works very closely with the business on the continuous digital transformation required to excel in the services to our clients, who are the focus of our activity.
Position Summary:
The CISO will be responsible for implementing and running the enterprise cybersecurity program. This involves identifying, evaluating, and reporting on some or all legal and regulatory, IT, and cybersecurity risks to information assets, while supporting and advancing business objectives.
The ideal candidate is a thought leader, a builder of consensus and of bridges between business and technology. They are an integrator of people, process, and technology. While the CISO is the leader of the cybersecurity program, they must also be able to coordinate disparate drivers, constraints, and personalities, while maintaining objectivity and a strong understanding that cybersecurity is foundational for the organization to deliver on its business goals and objectives. Ultimately, the CISO is a business leader, and should have a track record of competency in the field of cybersecurity and/or risk management, with 7 to 10 years of relevant experience, including five years in a significant leadership role.
Essential Duties and Responsibilities
A) Serve as the primary point of contact between the cybersecurity function and global corporate function.
- Act as a subject matter expert (SME) between cybersecurity and the lines of business in the development of appropriate policies, standards, and frameworks.
- Allocate resources (e.g., security architects, engineers) to achieve outcomes.
- Continuously monitor trends to anticipate and plan for future impact of cyber risk on a specific business unit (BU) or function.
- Follow all risk remediation protocols to ensure issues are mitigated, risks are accounted for, and exceptions are tracked in accordance with frameworks, policies and standards set by the organization.
- Investigate security incidents and develop remediation plans in collaboration with stakeholders responsible for incident response.
B) Establish Governance and Build Knowledge
- Facilitates a cybersecurity governance structure through the implementation of a hierarchical governance program, including the formation of a cybersecurity steering committee or advisory board.
- Provides regular reporting on the status of the cybersecurity program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
- Works with the vendor management office to ensure that cybersecurity requirements are included in contracts by liaising with vendor management and procurement organizations.
C) Lead the Organization
- Leads the cybersecurity function across the company to ensure consistent and high-quality information security management in support of the business goals.
- Determines the cybersecurity approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas.
- Manages the budget for the cybersecurity function, monitoring and reporting discrepancies.
D) Set the Strategy
- Develops a cybersecurity vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate.
- Develops, implements, and monitors a strategic, comprehensive cybersecurity program to ensure appropriate levels of confidentiality, integrity, and availability of information assets owned, controlled and/or processed by the organization, as well as the meeting of safety, privacy, reliability, and resilience requirements as needed.
E) Develop the Frameworks
- Enhances the security posture by adopting the Santander global cybersecurity framework as applicable to the organization.
- Creates and manages a unified and flexible, risk-based control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards, and regulations.
- Develops and owns a document framework of continuously up-to-date cybersecurity policies, standards, and guidelines. Oversees the approval and publication of these cybersecurity policies and practices.
F) Operate the Function
- Collaborates and liaises with the privacy officer to ensure that privacy requirements are included where applicable.
- Defines and facilitates the processes for cybersecurity risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.
- Ensures that security is embedded in the project delivery process by providing the appropriate cybersecurity policies, practices, and guidelines.
- Manages and contains cybersecurity incidents and events to protect corporate IT assets, intellectual property, regulated data, and the company's reputation.
Requirements
A successful CISO candidate will have the expertise and skills described below.
A. Education, Training and Previous Experience
- Demonstrated experience and success in senior leadership roles in risk management, cybersecurity, and IT or OT security.
- Degree in business administration or a technology-related field, or equivalent work- or education-related experience.
- Proficiency in English and Spanish; French is highly desirable.
Desired, but not required:
- Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials.
- Experience successfully executing programs that meet the objectives of excellence in a dynamic business environment.
- Experience with contract and vendor negotiations.
B. Technical and Business Experience
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL and COBIT, as well as those from NIST, including SP 800-53 and the Cybersecurity Framework.
- Sound knowledge of business management and a working knowledge of cybersecurity risk management and cybersecurity technologies.
- Up-to-date knowledge of methodologies and trends in both business and IT.
- Experience with risk assessment, incident response, and security audits.
- Experience with cloud security and DevOps.
C. Knowledge and Skills
- Excellent communication skills, interpersonal and collaborative skills, and the ability to communicate cybersecurity and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists.
- Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization.
- Ability to lead and motivate the cybersecurity team to achieve tactical and strategic goals, even when only "dotted" reporting lines exist.
- Excellent stakeholder management skills.
- Financial/budget management, scheduling, and workforce management.