The scope of work
The Chief Information Security Officer (CISO) will report to the Chief Executive Officer (CEO) and work closely with the society's management, Information Technology and Operations teams. He/she will provide leadership and take ownership of the security requirements needed to keep the PCI-DSS certification, and ensure that the highest level of physical and information security is implemented and maintained.
The complexity of this position requires an engaging and collaborative leadership approach, with an ability to work with other leaders to strike the best balance between security strategies and other priorities. Furthermore, he/she must ensure that governance and PCI-DSS requirements are strictly enforced, and must be able to articulate complex technical issues and risks effectively, in a way that is clear, quickly to the point, easily understood, and does not cause unnecessary panic. He/she will drive all security-related initiatives and be responsible for their success.
- Enforce and oversee the establishment and maintenance of a security framework
- Develop, maintain and oversee information security policies, procedures and control techniques to address all requirements for the society to operate with minimal and managed risk while maintaining the confidentiality, integrity and availability of company and customer data across information systems and technology.
- Risk assessment, mitigation and avoidance
- Legal and regulatory compliance
- Regularly train personnel and oversee that they are aware of the company's Information Security policies, and that line managers enforce compliance with those policies by their team members
- Ensure PCI-DSS certification is maintained.
- Enterprise and security architecture: Together with the Chief Technical Architect, the CISO has to ensure that, while formal discipline within IT architecture seeks to make sure that technology acquisition and use enables and reinforces the organization's ability to meet its business goals and defined performance, the levels of protection dictated by risk assessments and compliance requirements are also included.
- Take ownership of implementing an Incident Response Plan. Responsible for coordinating activities following a security incident, and act as the communications point of contact with the COO and CEO for internal and external communication as appropriate.
- Act as the communications interface, internally and to external parties, for security-related matters, in coordination with the CEO and COO, in relation to compliance requirements, security incidents, risk assessments, governance or other security-related topics.