FreshJobs

Senior Manager, Security Governance & Technical Assurance at Equity Bank Kenya

February 10, 2025
Application deadline closed.

Job Description


Mission/ Core purpose of the Job:

This role is responsible for embedding and maintaining technical security control requirements across the Equity network, infrastructure and systems.

Responsibilities include ensuring that appropriate security controls are implemented in the organisation by continuously reviewing and updating the policies, operational technology and security processes and standards in alignment with the latest global threats, ensuring optimal performance of the services and identifying control efficiencies in how security is operated across all domains. The incumbent will also perform continuous technical security assurance on all Technology service areas to ensure audit compliance and minimised risk exposure.

Context:

The individual needs to be able to work in a highly pressured planning and operational banking and technology environment
ISO 27001, OWASP, NIST, SANS and POPI
Fast changing, regulated business environment.
Security is managed cross business and IT functions, in at least 7 markets
The Group Information Security area has to deal with the rapid advancement of systems and technology within the following areas:

Various Technology platforms enabling many business and banking functions
Dealing with an environment that is highly regulated and legislated
3rd parties: supplying vendors with fully fledged and detailed specifications and driving them to fulfil these requirements, for a single version of the truth across Equity Group
High data volumes
Key Performance Areas: Core, essential responsibilities / outputs of the position (KPAs)

Technical Excellence:

Provide assurance that Equity Group’s assets are effectively managed and monitored to meet Equity security requirements – first-line management assurance.
Analyse known and emerging threats to determine risks against Equity assets.
Review and document Information Security Policies, Processes and Procedures, meet governance obligations in terms of legislative and audit requirements, and provide consultation to business in this regard.
Identification and management of information security risks within Equity by identifying, defining and maintaining the information security policy and functional standards for the organisation.
Create and continuously review security governing principles to guide information, technology, and solution decision making for Equity
Develop Group’s Critical Controls and Compliance universe, and drive the implementation of control mechanisms, which enable Information Security function to effectively manage the true status of information security within Equity.
Report on mitigating actions required to correct or remedy actions where necessary and inform IT Teams and relevant Business units of any significant changes and risk situations.
Consult to projects in terms of identifying risks, vulnerabilities and controls.
Perform first-line Security Assessments on internal environments and 3rd party environments, with the purpose of identifying shortcomings that pose a risk to Equity, and drive remedial actions.
Coordinate reporting and action plans in the event that a security incident does occur
Conduct monthly security service/ posture reviews across the environment and present reports to the relevant subsidiaries, business units and governance committees.
Represent Information Security in the relevant business areas in Equity as well as various IT/ risk or Security committees and forums within Equity.
Provide on-going subject matter expert level consultation to Equity project and operational teams, application owners, and other technology and network teams on relevant security controls requirements.
Ensure optimal performance of the security services and identify control efficiencies in how security is operated across all security domains.
Track and drive implementation of Technical Security Standards across the technology platforms.
Review and track all risk accepted and exception items and assist to build and manage the security compliance universe. Consult to projects (Business and Technology) in terms of identifying risks and specific vulnerabilities and controls for new implementations.

Operational Delivery:

Perform first-line management assurance on technical controls to minimise audit impact and risk exposure
Model threats and risks as well as the controls necessary to mitigate them, on both an organisational and technical level – thinking like a malicious hacker, understanding and anticipating the moves and tactics that a hacker might use to attack Equity systems.
Work closely with the Technology teams to identify and select the right security controls to protect Equity’s network & IT infrastructure, cloud and IoT solutions: define functional and non-functional security requirements and criteria to conduct technology evaluation and selection.
Manage and run governance for Group Information Security function and drive the implementation of security governance and ensure adherence to it.
Foster a security-conscious culture within Equity IT, Operational and Business teams.
Collaborate with Technology teams to ensure that technical plans are practical, controls are sustainable, and implementation is managed to minimize risk and adverse impact to network, servers, workstations and user productivity.
Document and operationalize the processes and procedures necessary to sustain the security posture of the environment as well as processes to monitor security related control break-downs in the environment
Support Enterprise Risk Management in security related issues and investigations
Conduct Research and develop/ maintain policies to ensure they cater for new threats and technologies.
Develop, monitor and measure the deployment of security standards
Ensure procurement practices adhere to security protocols and security is embedded into the procurement process consistently.
Work with internal stakeholders to define action plans to close or mitigate security findings of auditors
Proactively test for security related issues and propose remedial plans.
Manage security deliverables for programmes related to Privacy legislation across the markets within which Equity operates.
Drive implementation and tracking of Critical Controls.
Report on any residual risk, and other security exposures against the proposed security standards and policies including misuse of information assets and non-compliance.
Measure and report on the effectiveness of Information Security management and control activities to appropriate governance committees.
Report at risk and audit committees and manage the actionable outcomes related to security.

Tactical planning:

Manage and develop the capability of the team to deliver security services needs of Equity Group.
Partner with business leaders and peer-level managers to assess the technological cost and impact of recommended changes, help clarify priorities, and coordinate cross-organizational/ subsidiary consortia where common needs have been identified.
Assess risks and the effects of specific requirements on other subsidiaries business processes and system priorities to ensure security services are aligned with business strategic objectives.
Identify high risk/priority security areas for improvement
Work closely with Finance teams in Group and Subs to ensure budgets and cost recovery procedures are in place and working effectively
Build a strong relationship with Subsidiary leadership to ensure delivery

Managerial / Supervisory Responsibilities

Supervisory / Leadership / Managerial Complexity:

Recruit, develop and retain people with outstanding skills, qualifications and potential.
Performance management and identification of training needs.
Accountable for a customer-centric culture and shift to legendary service provision.
Employee relations and collaborative teamwork.
Coaching and guidance of subordinates.
Build professionalism, loyalty and commitment to the organization.
Communicate actively and effectively resolving any potential conflicts that may arise.
Living the Equity Brand – changing and influencing employees’ behaviour.
Clarify roles within the team to enhance collaboration and results
Reward practices conducive to building individuals and team confidence
Optimal human resource allocation / redeployment in line with strategic objectives
Manage conflict proactively and monitor disciplinary and grievance actions and trends
Train, motivate & develop resources
The role requires management and supervision of the activities of a number of Team members across the Group and subsidiary IT & Operations functions who need to implement and remediate required controls.

Creativities (improvement/innovation inherent):

Measures to be implemented to improve security across Technology environments
Measures to be implemented to improve operational efficiency and effectiveness in the Operating environment
Influence management decision making in security related aspects
Pro-active
Champion of quality and doing things right the first time
Sharing of knowledge and security skills

Role Complexity:

Matrix management for security planning
Management of the security control environment across at least 13 domains in all the Technology functions and in at least 7 markets of Equity Group
Management commitment

Budgets/ Financial Input:

Assist with management of Security budgets in line with business objectives and facilitate forecasting. Includes yearly CAPEX Plans and tracking spend through the year
Manage project initiative budgets in line with business objectives
Drive initiatives that will ensure that the “cost of operations” is reduced, in line with a least-cost operating strategy stemming from the business drivers
Assist with contract negotiations and driving to conclusion

Qualifications

Minimum Requirements:

Education:

Minimum of 3 years tertiary qualification (degree/ national diploma) or equivalent in Information Technology
Security certification e.g. CISSP & CISM essential
Other qualifications (ITIL, TMF, COBIT) advantage
Fluent in English

Experience:

Min of 6 years in IT, 2 of which as an Information Security Senior Specialist or Manager in a large enterprise environment essential
Experience in Banking or Telco industry advantageous
Experience should ideally span multiple security domains ranging from security risk and governance, Data Loss Prevention, Authentication, Malware, Network Security, Applications and Operating Systems, and Security across platform / database / network
Must have a wide breadth of knowledge and experience across security products, tools, and industry trends
Knowledge of current security risks and protocols as well as good working knowledge of technical risk management and assessments
Ability to interact with a broad cross-section of personnel to explain and enforce security measures
Ability to maintain a high level of discretion and personal integrity in the exercise of duties, including the ability to professionally address confidential matters
Expert knowledge of regulatory compliance requirements (PCI-DSS, ISO 27001, GDPR, etc.)
Excellent written and verbal communication skills as well as business acumen and a commercial outlook
Good analytic and problem-solving skills
Ability to work under pressure, as well as the ability to take independent initiative when needed.

Training:

Security certification courses
Microsoft certifications
Systems/Database/Network administration training
Some training on Oracle, SUN Solaris and Linux is also required
Training on any scripting language
IP network related training
Cloud security training
Architect and design certifications

Competencies:

Head – Big Picture Focus (20)

Strategy Implementers – Ensures execution of strategies through creating and implementing tactical plans for others to follow
Decisive Problem Solver – Has the mental agility to identify business challenges and explore effective solutions through effective influencing
Best Practice Value Creator – Encourages commercial innovation and continuous improvement for systems, processes, products and service offerings

Heart – Emotionally Intelligent (30)

Culture and Change Champion – Role models ethical practices by living the EQUITY values and vital behaviours for others to follow
Guiding People Manager – Is self-aware and guides team capability development through opportunity creation for realising potential
Relationship Builder – Builds relationships across the business in order to influence decision-makers and build team credibility

Hands – Results Focused (40)

Results Achiever – Produces sustainable divisional results through ethical practices
Operationally Astute – Sets priorities, plans, organizes and co-ordinates the work of others

General working conditions:

Target driven and cyclic in nature
Long, irregular hours and tight deadlines during peak periods
Must be willing to travel and operate in different markets when required
Required to work from home from time to time
Overtime and standby as required

KPA Quality Standards:

Security settings deployed – alignment to Equity security standards and best practices
Number of server and client systems to which the security standards are deployed
Degree of impact to systems and users while deploying standards
Security settings deployed counter Equity risks, e.g. theft of intellectual property, information leakage
Speed with which security settings are deployed
Completeness and accuracy of documentation
Sustainability of processes implemented
Expenditure within budget
Quality of source data in terms of completeness, accuracy and timeliness
Objectives of area met
Collaboration with all key stakeholders
Drives short term actions consistent with long term goals.
User/customer satisfaction/feedback
Capex and Opex vs budget
Project Metrics (In time, cost + quality)
Systems availability
Timely delivery of information to internal customers (reporting, dashboards etc)
High levels of automation of data processing and reporting
Incorporation of new technology
Alignment to Equity Strategy