CISO Ghana & ICS Risk Manager - Standard Chartered Bank

We’re an international bank, nimble enough to act, big enough for impact. For more than 160 years, we’ve worked to make a positive difference for our clients, communities, and each other. We question the status quo, love a challenge and enjoy finding new opportunities to grow and do better than before. If you’re looking for a career with purpose and you want to work for a bank making a difference, we want to hear from you. You can count on us to celebrate your unique talents. And we can’t wait to see the talents you can bring us.

Our purpose, to drive commerce and prosperity through our unique diversity,  together with our brand promise, to be here for good are achieved by how we each live our valued behaviours.

When you work with us, you’ll see how we value difference and advocate inclusion. Together we:

• Do the right thing and are assertive, challenge one another, and live with integrity, while putting the client at the heart of what we do
• Never settle, continuously striving to improve and innovate, keeping things simple and learning from doing well, and not so well
• Be better together, we can be ourselves, be inclusive, see more good in others, and work collectively to build for the long term

In line with our Fair Pay Charter, we offer a competitive salary and benefits to support your mental, physical, financial and social wellbeing.

• Core bank funding for retirement savings, medical and life insurance, with flexible and voluntary benefits available in some locations
• Time-off including annual, parental/maternity (20 weeks), sabbatical (12 weeks maximum) and volunteering leave (3 days), along with with minimum global standards for an annual and public holidays, which is combined to 30 days minimum
• Flexible working options based around home and office locations, with flexible working patterns
• Proactive wellbeing support through Unmind, a market-leading digital wellbeing platform, development courses for resilience and other human skills, global Employee Assistance Programme, sick leave, mental health first-aiders and all sorts of self-help toolkits
• A continuous learning culture to support your growth, with opportunities to reskill and upskill and access to physical, virtual and digital learning
• Being part of an inclusive and values-driven organisation, one that embraces and celebrates our unique diversity, across our teams, business functions and geographies – everyone feels respected and can realise their full potential.

Recruitment assessments – some of our roles use assessments to help us understand how suitable you are for the role you’ve applied to. If you are invited to take an assessment, this is great news. It means your application has progressed to an important stage of our recruitment process.

The Role Responsibilities

We are establishing a capability to successfully implement and embed the new Information and Cyber Security (ICS) Risk Type Framework (RTF) into Africa and Middle East (AME) countries to bring consistency in the identification and mitigation of ICS Risks.  The Chief Information Security Officer & ICS Risk Manager will drive the adoption and implementation of the framework across the delegated countries.

This role will require hands on approach to understand, embed, and guide the Africa countries on the ICS RTF to maximize risk reduction and capability improvement, while meeting compliance and legal obligations, and minimising client impact. The role will require to have end-to-end view of all ICS activities with regular risk assessment, tracking, follow up and reporting at the relevant forums.

The ICS Chief Information Security Officer & ICS Risk Manager will provide exceptional leadership, maintain highly constructive relationships with key stakeholder, and possess strong security risk framework knowledge to mobilize effort and commitment.

• The CISO will execute a robust and efficient plan to rollout ICS RTF by working with key stakeholders including COOs/CIOs direct teams, ICS RTF Implementation Programme teams, Office of the CISO and Security technology teams. The plan will incorporate digital footprint discovery, risk assessment, definition and implementation of controls as guided by the ICS RTF and tailored to the relevant areas.

• Assume the Chief Information Security Officer roles and responsibilities as directed by the Bank of Ghana Cyber and Information Security Directive.
• Lead the implementation of BOG Cyber and Information Security Directive and always ensure compliance. Develop clear mitigation plans where gaps have been identified with timely status updates to stakeholders.
• Supporting Africa and Middle East in the implementation of the ICS Risk framework including working with stakeholders to identify, assess and rate the information assets, build out the risk profile per the framework, initiate risk assessments and put together treatment plans.
• Use qualitative and quantitative data sources to validate Key Control Domains (KCD) and associated controls, accelerate risk assessment process, validate business risk profile, and develop action plans to remediate to bring ICS risk back into appetite.
• Follow up on identified thematic cyber issues, develop processes to address issues from re-occurrence and ensure cyber hygiene across the whole portfolio.
• Provide regular status updates including progress, top risks and issues to the respective country and regional forums for the relevant domains. Track RAG status, key milestones, risks, dependencies, and issues.
• Interface with the Business and Country ICS Leads to assist with sharing of risk profiles, advising on cyber risk issues and addressing areas of concern.
• Interface into Technology forums to ensure security technologies are operating with input from countries and be actively involved in the roadmap of these technologies by providing regional/country input.
• Development of risk treatment plans for the assigned areas in conjunction with the business and technology teams. Interface with other areas to ensure dependencies are known and prioritised. Negotiate timelines to ensure proper remediation by maintaining support and organizational alignment.
• Adapt to emerging and horizon risks and address issues to maximize outcomes. Urgent and timely action for risks and issues which adversely impact cyber risk profiles.
• Re-planning and prioritising as required to maximise risk reduction.
• Coordinate and plan for cyber crisis management exercises, build response and recovery capabilities, workarounds, ensure up to date playbooks etc. Assist with other cyber activities underway

Strategy

• Ensure effective prioritisation and application of industry best practice into the ICS RTF and ICS country risk.
• Identify changes to plan required in terms of additional components, reprioritisation to anticipate and respond to changes.
• Learn from the recent regional and global cyber events and build into strategy to address current and emerging risks

Region/ Country

• Maintain strong stakeholder engagement with other COO ICS teams, Director of Cyber and Information Security/Chief Risk Officer, Chief Information Security Office teams, ICS RTF Implementation Programme teams and Security Technology teams.
• Establish and maintain working groups across domains to progress the framework roll out.
• Escalate appropriately to ensure necessary decisions are made in a timely manner.

Governance

• Support the HICS on running periodic working groups and ensuring proper rollout of the ICS RTF.
• Assist with pulling together Risk papers going to various Risk committees within the region.
• Manage actions coming out of various risk and compliance forums.

Risk Management

• Manage the rollout of the ICS RTF professionally and efficiently, closely tracking timeline commitments for provision of information and action plans, and for validation of actions taken.
• Ensure adoption of security tooling and capability to address ICS risk tactically and strategically.
• Address and adopt response and recover capabilities and assist with cyber crisis management exercises, playbooks etc.

Regulatory and Business Conduct

• Display exemplary conduct and live by the Group’s Values, Valued Behaviours, and Code of Conduct.
• Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct, across the Bank.
• Effectively and collaboratively identify, escalate, mitigate, and resolve risk, conduct and compliance matters.

Other Responsibilities (ISMS Manager)

• Communicate the information security policy to all relevant personnel and customers where appropriate
• Report to the ICS Working Group (WG) on all security related matters on a regular basis
• Ensure that ISMS conform to the requirements of the ISO27001:2013 standard
• Report on the performance of the information security system to Management.
• Manages ISMS as a programme by ensuring that security principles are part of the bank’s life cycle
• Performs risk assessment based on new asset identification
• Informs stakeholders about new areas of risk including suggestions from multiple sources
• Monitors the ISMS controls
• Manage risks associated with access to the service or systems
• Define improvement plans and targets for the financial year
• Establish and maintain a continual improvement action list
• Report on improvement activities
• Ensure that procedures are in place to define the recording, prioritization, business impact, classification, updating, escalation, resolution, and formal closure of all security incidents
• Coordinate cyber and information security activities, including joint exercises with business partners and service providers.
• Promote cyber and information security awareness and train employees, suppliers, business partners and customers.
• Continuously learn and monitor cyber and information security issues by identifying trends, methods and advanced developments in the field while gathering information about emerging attack techniques and ways of dealing with them.
• Form a cyber-incident response team.
• Analyse cyber and information security incidents that have occurred in Ghana and worldwide and assess their potential impact on the bank, as well as implement the relevant measures proposed.
• Keep abreast of any new developments in the ICS risk frameworks globally, participate in industry and external discussions.

Our Ideal Candidate

• Minimum of 8 – 10 years’ experience with at least 5 years in Information and Cybersecurity capacity in financial industry
• Minimum of 5 years in banking industry
• Degree in Engineering, Computer Science/Information Technology, or its formally recognised equivalent.
• One or more of the following certifications will be preferred:
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified Chief Information Security Officer (CCISO)
  • SANS Global Information Assurance Certifications (GIAC)
  • Certified in Risk & Information Systems Control (CRISC)
  • Payment Card Industry – Quality Security Assessor (PCI-QSA), etc.
  • ISO 27001/22301 Lead Implementor or Lead Auditor
• Strong integrity, independence, and resilience
• Willing and capable of travel across the countries in the portfolio if required
• A Master’s degree is desirable