Senior Manager – Information Security & Risk at Development Bank of Rwanda (BRD) | Kigali :Deadline: 15-12-2023

Background Information

Job Title: Senior Manager – Information Security & Risk

Job Grade: JG 4

Department: CEO’s Office

Department/ Section/Unit: Information Security & Risk

Reports to: Chief Executive Officer

Direct Reports:

• Information Security Specialist
• Information Security Officer
• Information Security Analyst

Indirect Reports: N/A

Contract Terms: Open-ended

Purpose of the Job

The purpose of the job is to be responsible for establishing and maintaining a corporate-wide information security management program to ensure that information assets are adequately protected. The position is also responsible of advising and establishing the information security strategy and overseeing information security operations in the bank.

This position is responsible for identifying, evaluating, and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the bank. The position is also responsible for reporting and investigating information security incidents and advising on remediation actions to avoid their recurrence.

The position is also responsible for advising and recommending needed tools to improve the security posture of the bank and maintain high compliance levels.

The Senior Manager – Information Security & Risk role will also be responsible for developing an information security awareness program for all functions to educate employees, and customers about the risks associated with the misuse of information resources and how to avoid them.

The Senior Manager – Information Security & Risk will also be responsible for engaging and managing internal and external information security stakeholders’ relationships to ensure the bank remains compliant and aware of external requirements.

Main Responsibilities of the Job

• Develop, implement, and monitor a strategic, comprehensive information security and IT risk management program to ensure that the integrity, confidentiality, and availability of information is owned, controlled or processed by the bank.
• Manage the enterprise’s information security organization, consisting of direct reports and indirect reports (such as individuals in Risk, Audit and IT). This includes hiring, training, staff development, performance management and annual performance reviews.
• To manage creation, maintenance and implementation of the bank information security awareness training program.
• Creating, leading, and managing cybersecurity strategies
• Oversee information security audits, whether performed by internal audit or third-party personnel.
• Manage security team members and all other information security personnel.
• Evaluate department budget and costs associated with technological development in cybersecurity.
• Define and communicate to the management, the key threats to the information assets.
• Assist in the investigation of security threats or other attacks on the information assets at the bank.
• Forecast potential threats to the business.
• Assess current technology architecture for vulnerabilities, weaknesses and for possible upgrades or improvement.
• Manage the acquisition of additional information security solutions or enhancements to existing information security solutions to improve the overall information security posture.
• Lead, develop and implement the FinSOC program to ensure compliance with the regulator.
• Serve as a focal point of contact for the information security team, the customer and across the organization.
• Manage external stakeholders through regular engagements (BNR, NCSA..etc).
• Manage, configure, and test physical security, disaster recovery and data backup systems.
• Communicate information security goals and new programs effectively with other department managers within the organization.
  
  
  

Performance indicators

• Conduct a continuous gap analysis and vulnerability assessment of the bank in terms of information security to ensure the bank is always aware of its cybersecurity risks.
• Ensure the preparedness level of the bank is efficient by evaluating how well-prepared we are for any potential cybersecurity threat or attack.
• Review continuously the number of devices on the organization’s network and whether they are fully patched up, up-to-date, and safe.
• Timely and effective management of information security incidents by ensuring the mean time to detect, to resolve, to contain, etc. are low.
• Prevent any intrusion attempts in the bank’s network by continuous monitoring of network devices logs and activities performed within the bank.
• Ensure our information security rating improve and remains excellent.
• Ensure system are properly patched on a timely manner.
• Provide comprehensive cybersecurity awareness training.
• Safeguard the bank from cybersecurity threats and attacks such as bots’ attacks, viruses, phishing attacks, ransomware and more.
• Measure and evaluate our cost per incident to minimize loss for the bank.
• Document and ensure compliance of all information technology policies, procedures, and processes.
• Develop a logical access matrix for each system used within the bank.
• Closely monitoring of the user system access of staff or external partners according to the logical access matrix of each node.
• Monitor data privacy and protection of the bank, its staff, and customers according to the Rwandan’s law especially on the protection of personal data and privacy.

Working relationships

• Executives and Heads of departments
• IT & Digital Information
• System and Database administrators
• Senior and Middle Managers
• External stakeholders
  
  
  

Professional, academic qualifications and experience

• Bachelor’s degree in computer science, Information Technology, or related field. Master’s degree in the related field is preferred.
• Professional certification in Cybersecurity such as CCNA/CCNP Security, ISO/IEC, or related field
• A minimum of seven years of IT experience, with five years in an information security role.
• Strong leadership skills and the ability to work effectively with business managers, IT engineering and IT operations staff.
• Remarkable experience in information security risk assessment and management.
• Knowledge and understanding of relevant legal and regulatory requirements.
• Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
• Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.
• A strong understanding of the business impact of cybersecurity tools, technologies, policies, procedures, and processes.
• Experience developing and maintaining policies, procedures, standards, and guidelines.
• A drive to learn and master new technologies and techniques.
  
  
  

Core competencies

• Visionary leader with sound knowledge of business management and a working knowledge of information security technologies Industry experience is preferred.
• Understanding of operating system internals and network protocols.
• Familiarity with Cybersecurity tools and technologies (e.g., SIEM, ESG, EDR, PAM, DAM and other related tools)
• Knowledge of the principles of cryptography and cryptanalysis.
• Experience in system technology security testing (vulnerability scanning and penetration testing).
• Familiarity in application technology security testing (white box, black box and code review).
• Highly familiar with related information security laws and regulations, including knowledge of Rwandan Data Privacy law.
• Proven abilities to take initiative and be innovative.
• Analytical mind with a problem-solving aptitude
• BSc/BA in Computer Science, Engineering, or relevant field.