

ROLE PURPOSE & STRATEGIC IMPORTANCE
The CISO is the single most important defensive position in Integrated's organizational structure. As a digital-first lending company, every customer interaction, every transaction, and every piece of sensitive data flows through technology—making the CISO the ultimate guardian of the company's most critical assets.
This role carries direct accountability for compliance with SAMA's Cyber Security Framework (CSF—249 controls), Cyber Resilience Fundamental Requirements (CRFR—26 controls), and Minimum Verification Controls (MVC), representing collectively the most extensive and demanding regulatory burden on any single position in the company. The CISO must build an information security program from the ground up, establishing governance structures, writing the complete policy library, deploying security infrastructure, configuring monitoring and incident response capabilities, and creating a security-aware culture across the entire organization. This person will have a seat at the table for every technology decision, every product launch, and every vendor engagement—because in a digital lender, security is not an afterthought; it is the foundation.
KEY RESPONSIBILITIES & EXPECTATIONS
The role holder is expected to deliver measurable outcomes across the following areas:
• Cyber Security Governance (CRFR 3.1.1): Establish the cyber security governance structure including roles, responsibilities, reporting lines, and committee oversight. Define the CISO's mandate within the organizational structure with appropriate independence and Board-level visibility. Ensure cyber security is a standing agenda item at Board and executive meetings.
• Policy & Standards Library (CRFR 3.1.2–3.1.3): Author the complete cyber security policy framework including: Information Security Policy, Acceptable Use Policy, Data Classification & Handling, Access Control Policy, Network Security Policy, Incident Response Policy, Vulnerability Management Policy, Secure Development Policy, Third-Party Security Policy, and Backup & Recovery Policy. All policies must align with SAMA CSF, CRFR, and ISO 27001 standards.
• Risk Assessment & Treatment (CRFR 3.1.6): Conduct comprehensive IT and cyber risk assessments covering infrastructure, applications, data, people, and third parties. Maintain a cyber risk register with risk owners, ratings, treatment plans, and residual risk acceptance. Perform event-driven assessments for new products, services, vendors, and material changes.
• Identity & Access Management (CRFR 3.2.1): Implement robust IAM controls including role-based access control (RBAC), principle of least privilege, multi-factor authentication for all critical systems, privileged access management (PAM), access review cycles, and automated provisioning/deprovisioning tied to HR lifecycle events.
• Network Security (CRFR 3.2.3): Design and enforce network segmentation, firewall rule management, intrusion detection/prevention (IDS/IPS), web application firewalls (WAF), secure DNS, DDoS protection, and encrypted communications. Ensure all customer-facing and internal networks are properly isolated and monitored.
• Vulnerability Management & Penetration Testing (CRFR 3.2.5–3.2.6): Establish a continuous vulnerability scanning program covering all infrastructure, applications, and endpoints. Conduct annual penetration testing by qualified independent testers. Track remediation SLAs (critical: 48 hours, high: 7 days, medium: 30 days) and report compliance to management.
• SIEM, Monitoring & Incident Management (CRFR 3.2.11–3.2.14): Deploy and operate a Security Information and Event Management (SIEM) platform with 24/7 monitoring capability. Define use cases, correlation rules, and alert thresholds. Establish an incident response team, playbooks for common scenarios (ransomware, data breach, DDoS, insider threat), and conduct tabletop exercises at least semi-annually.
• SAMA Incident Reporting (CRFR 3.2.16): Implement a formal cyber incident classification and reporting framework. Medium and above incidents must be reported to SAMA immediately per CRFR requirements. Maintain an incident log with root cause analysis, lessons learned, and remediation tracking.
• Business Continuity & Disaster Recovery (CRFR 3.3.1–3.3.2): Lead the cyber resilience dimension of BCP/DRP planning, including: Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), backup verification, failover testing, and annual DR exercises. Ensure backup data is encrypted, stored offsite, and tested for restorability at least quarterly.
• MVC Technical Controls: Ensure all Minimum Verification Controls are implemented in the lending application including: OTP verification, session timeout (5 minutes idle), jailbreak/root detection, device binding, biometric authentication, transaction signing, and secure data storage on mobile devices.
• CRC Service Request Review: Review and formally sign off on every CRC Service Request from a cyber security perspective, confirming that security requirements have been defined, threat modeling has been performed, and appropriate controls are in place before SAMA submission.
• Security Awareness & Training: Design and deliver a mandatory security awareness program for all employees, including phishing simulations, secure coding training for developers, and specialized training for privileged users. Track completion rates and test effectiveness.
KEY DELIVERABLES & SUCCESS METRICS
The following concrete deliverables are expected within the first 6–12 months:
• CRFR Self-Assessment: Complete CRFR self-assessment (26 controls) submitted to SAMA within 3 months with evidence packages and gap remediation plans.
• Policy Library: Full cyber security policy framework (12+ policies) approved by CEO/Board and operational within 4 months.
• SIEM Deployment: SIEM platform deployed, configured, and operational with initial use cases within 5 months.
• Penetration Test: First independent penetration test completed with all critical/high findings remediated before product launch.
• Incident Response: Incident response playbooks documented, team trained, and first tabletop exercise completed within 4 months.
• CSF Compliance Roadmap: Detailed CSF compliance roadmap (249 controls) with timelines, owners, and budget requirements presented to Board within 3 months.
QUALIFICATIONS & CERTIFICATIONS
• Bachelor's degree in Computer Science, Cyber Security, Information Technology, or a related technical field. Master's degree preferred.
• CISSP (Certified Information Systems Security Professional) or CISM (Certified Information Security Manager) certification is mandatory.
• Additional certifications such as CEH, OSCP, CCSP, CRISC, or ISO 27001 Lead Auditor are highly valued.
• Deep expertise in SAMA CSF framework, CRFR controls, and MVC technical requirements.
• Fluency in Arabic and English (both written and spoken) is mandatory.
EXPERIENCE REQUIREMENTS
• Minimum 5 years in information/cyber security, with at least 3 years in financial services (banking, finance companies, or regulated fintech).
• Hands-on experience implementing SAMA CSF or comparable regulatory security frameworks (ISO 27001, NIST CSF, PCI-DSS).
• Proven track record building security programs from inception, including policy development, team building, and technology deployment.
• Experience with SIEM platforms (Splunk, QRadar, Sentinel), EDR solutions, cloud security (AWS/Azure), and network security architecture.
• Previous experience managing SAMA cyber security inspections or regulatory audits is strongly preferred.
CORE COMPETENCIES & SKILLS
• Technical Depth: Ability to go deep on technical security topics while maintaining the strategic perspective needed to communicate with the Board and SAMA.
• Regulatory Translation: Skill in translating SAMA framework requirements (CSF, CRFR, MVC) into actionable technical projects with clear deliverables and timelines.
• Crisis Leadership: Calm, decisive leadership during security incidents, with the ability to coordinate response, manage communications, and lead post-incident analysis.
• Vendor Management: Ability to evaluate, select, and manage security technology vendors and managed security service providers (MSSPs) effectively.
• Team Builder: Capability to recruit, mentor, and retain scarce cyber security talent in the competitive Saudi market.
SAMA REGULATORY COMPLIANCE OBLIGATIONS
This position carries direct accountability for the following SAMA regulatory requirements:
• Fit & Proper Assessment: SAMA approval required before appointment. The CISO must pass Fit & Proper evaluation and SAMA must be notified of any changes.
• CSF Framework Owner (249 Controls): Primary accountability for the full SAMA Cyber Security Framework. Must track compliance status across all 249 controls and report progress to SAMA.
• CRFR Framework Owner (26 Controls): Primary owner of all 26 CRFR controls, from governance (3.1.x) through operations (3.2.x) to resilience (3.3.x). Must submit self-assessments as required.
• CRC Sign-Off Authority: Mandatory sign-off on all CRC Service Requests confirming cyber security readiness.
• Incident Reporting to SAMA: Direct obligation to report medium-severity and above cyber incidents to SAMA immediately, per CRFR 3.2.16, with detailed incident reports and remediation timelines.
• MVC Compliance: Technical accountability for ensuring all Minimum Verification Controls are implemented, tested, and maintained in the lending platform.
Job ID: 146195795