Mashreq

Digital Security Manager (BISO) (Mashreq Global Network Egypt)

8-10 Years

Job Description

Job Purpose:

The BISO (Business Information Security Officer) shall act as a conduit between business, technology and information security groups, embedding security into the fabric of Mashreq, fostering a proactive and collaborative approach to managing information security risks across departments.

BISO plays a crucial role in

  • promoting a culture of security awareness and compliance within their respective areas.
  • ensuring the security of business operations, information assets, and technology infrastructure at strategic and operational levels.

BISO shall enable secure and resilient business digital transformation by partnering with information security group functions, positioning themselves as a trusted advisor to business leaders, translating security policies and procedures into actionable activities that align with business objectives, and managing residual risks within the approved risk appetite.

Key Result Areas:

Advocate for Information Security:

  • Serve as advocates for security within, promoting the importance of adhering to security policies, procedures, and best practices.
  • Be a strategic leader developing information security strategies aligned with business goals.
  • Advocate and gain support from key stakeholders across to integrate security as a business enabler.

Feedback and Communication:

  • Serve as a liaison between the Information Security team globally and regionally, providing feedback, insights, and concerns from their colleagues to inform security decision-making and initiatives.
  • Act as a trusted advisor to the leadership, providing guidance on information security risks and mitigation strategies.
  • Communicate security risks and solutions effectively to non-technical audiences.

Training and Awareness:

  • Partner with unit leaders to embed security awareness into the overall business culture.
  • Help educate colleagues about security risks, threats, and best practices through training sessions, workshops, and regular communications.
  • Collaborate with the Information Security team to develop and implement security awareness campaigns tailored to the specific needs and challenges of business.

Policy Compliance:

  • Ensure that activities and processes comply with the organization's information security policies, standards, and guidelines, as well as regulatory requirements across all locations where Mashreq is present and industry-specific requirements such as PCI-DSS or SWIFT CSP.

Risk Identification and Reporting:

  • Identify and report security risks, vulnerabilities, incidents, and concerns to the appropriate channels, such as the Information Security team or management.

Security Incident Management:

  • Coordinate with the Information Security team during security incidents impacting to provide relevant information, support, and assistance as needed.
  • Assist in incident response efforts within, such as facilitating communication with the Information Security team, documenting incidents, and implementing remediation measures.

Security Controls Implementation:

  • Assist in the implementation and maintenance of security controls and measures within, such as access controls, encryption, and monitoring tools.
  • Oversee the application of security measures to ensure comprehensive protection of software and IT infrastructure

User Access Management:

  • Actively support the development of a role-based access control model with the bank's IAM teams
  • Help to manage user access and permissions, ensuring that access rights are granted appropriately and revoked when no longer needed.

Vendor and Third-Party Risk Management:

  • Assist in evaluating the security posture of vendors and third-party service providers that interact and ensure that appropriate security measures are in place.

Continuous Improvement:

  • Actively participate in security improvement initiatives and provide feedback to enhance security processes, controls, and awareness efforts.

Operating Environment, Framework and Boundaries, Working Relationships:

  • Operating environment: All the locations where it is operational
  • Frameworks: Information security policy manual, regulations, industry best practices and contractual requirements.
  • Working Relationship: All Business, Governance, Enabling and Control groups.

Problem Solving:

  • Ability to enable framework, solution, and processes for proactive management of information security risks
  • Ability to understand regulatory language and take decisions on applicability, compensating controls and residual risk.
  • Ability to derive residual risk and control based on defense in depth strategy and systemic risk while taking risk and control decisions.

Decision Making Authority & Responsibility:

  • Consult and validate recommendations to mitigate information security risks.
  • Consult and provide recommendations to mitigate the risk to a level aligned with the risk appetite of the bank.
  • Assure compliance to regulatory expectations and avoid regulatory penalty.
  • Confirm adequacy of the controls against internal information security policy, standards and applicable regulatory requirements.

Knowledge, Skills, and Experience:

Essential knowledge

  • Have around 8-10 years of experience in a Banking or highly regulated industry environment, including familiarity with, and over 5-10 years of experience in information security or technology risk management.
  • Extensive knowledge of the Software Development Life Cycle (SDLC), with a focus on integrating security at each phase, from design, development, testing, and deployment.
  • Strong understanding of Computer Science principles and practical expertise in application security, secure coding practices (e.g., OWASP Top 10, DevSecOps, etc.)
  • Strong understanding of securing software-defined networks (SDN), software-defined infrastructure (SDI), containerized environments, cloud computing and operating system security.
  • Executive presence, and the ability to foster relationship management, negotiate and influence.
  • Effective communication skills, including both written and verbal communication skills, and the ability to translate security principles into business terms. Familiarity with information security technologies, risk, threat and vulnerability assessments, and security measures.
  • Knowledge of information security regulatory and compliance requirements.

Skills and Application

  • Leads the development and implementation of comprehensive information security strategies that address identified risks and compliance requirements inside, in alignment with the Information Security Group.
  • Oversees incident response plan, ensuring it is regularly updated and tested to respond effectively to incidents.

Strategic Insight

  • Integrate information security considerations into strategies, recognizing the importance of information security in achieving objectives and competitive advantage.
  • Communicates the strategic value of Data Privacy and Protection investments to executive leadership and key stakeholders, advocating for resources and support to strengthen the organization's capabilities.
  • Cultivates an organizational culture inside that prioritizes and encourages proactive information security practices and continuous improvement across all departments.

Job ID: 143925997