Equity Bank Limited
Senior Manager, Security Governance & Technical Assurance at Equity Bank Kenya
Job Description
Mission/ Core purpose of the Job:
This role is responsible for embedding and maintaining technical security control requirements across the Equity network, infrastructure and systems.
Responsibilities include ensuring that appropriate security controls are implemented in the organisation by continuously reviewing and updating the policies, operational technology and security processes and standards in alignment with the latest global threats, ensuring optimal performance of the services and identifying control efficiencies in how security is operated across all domains. The incumbent will also perform continuous technical security assurance on all Technology service areas to ensure audit compliance and minimised risk exposure.
Context:
- The individual needs to be able to work in a highly pressured planning and operational banking and technology environment
- ISO 27001, OWASP, NIST, SANS and POPI
- Fast changing, regulated business environment.
- Security is managed cross business and IT functions, in at least 7 markets
The Group Information Security area has to deal with the rapid advancement of systems and technology within the following areas:
- Various Technology platforms enabling many business and banking functions
- Dealing with an environment that is highly regulated and legislated
- 3rd parties: supplying vendors with fully fledged and detailed specifications and driving them in the fulfilment of these, in support of the requirement for a single version of the truth across Equity Group
- High data volumes
Key Performance Areas: Core, essential responsibilities / outputs of the position (KPA’s)
Technical Excellence:
- Provide assurance that Equity Group’s assets are effectively managed and monitored to meet Equity security requirements – first-line management assurance.
- Analyse known and emerging threats to determine risks against Equity assets.
- Review and document Information Security Policies, Processes and Procedures and meet governance in terms of legislative and audit requirements and provide consultation to business with regard to this.
- Identification and management of information security risks within Equity by identifying, defining and maintaining the information security policy and functional standards for the organisation.
- Create and continuously review security governing principles to guide information, technology, and solution decision making for Equity
- Develop Group’s Critical Controls and Compliance universe, and drive the implementation of control mechanisms, which enable Information Security function to effectively manage the true status of information security within Equity.
- Report on mitigating actions required to correct or remedy actions where necessary and inform IT Teams and relevant Business units of any significant changes and risk situations.
- Consult to projects in terms of identifying risks, vulnerabilities and controls.
- Perform first-line Security Assessments on internal environments and 3rd party environments, with the purpose of identifying shortcomings which pose a risk to Equity, and drive remedial actions.
- Coordinate reporting and action plans in the event that a security incident does occur
- Conduct monthly security service/ posture reviews across the environment and present reports to the relevant subsidiaries, business units and governance committees.
- Represent Information Security in the relevant business areas in Equity as well as various IT/ risk or Security committees and forums within Equity.
- Provide on-going subject matter expert level consultation to Equity project and operational teams, application owners, and other technology and network teams on relevant security controls requirements.
- Ensure optimal performance of the security services and identify control efficiencies in how security is operated across all security domains.
- Track and drive implementation of Technical Security Standards across the technology platforms.
- Review and track all risk accepted and exception items and assist to build and manage the security compliance universe. Consult to projects (Business and Technology) in terms of identifying risks and specific vulnerabilities and controls for new implementations.
Operational Delivery:
- Perform first-line management assurance on technical controls to minimise audit impact and risk exposure
- Model threats and risks as well as the controls necessary to mitigate them, on both an organisational and technical level – thinking like a malicious hacker, understanding and anticipating the moves and tactics that a hacker might use to attack Equity systems.
- Work closely with the Technology teams to identify and select the right security controls to protect Equity’s network & IT infrastructure, cloud and IoT solutions: define functional and non-functional security requirements and criteria to conduct technology evaluation and selection.
- Manage and run governance for the Group Information Security function, drive the implementation of security governance and ensure adherence to it.
- Foster a security-conscious culture within Equity IT, Operational and Business teams.
- Collaborate with Technology teams to ensure that technical plans are practical, controls are sustainable, and implementation is managed to minimize risk and adverse impact to network, servers, workstations and user productivity.
- Document and operationalize the processes and procedures necessary to sustain the security posture of the environment as well as processes to monitor security related control break-downs in the environment
- Support Enterprise Risk Management in security related issues and investigations
- Conduct Research and develop/ maintain policies to ensure they cater for new threats and technologies.
- Develop, monitor and measure the deployment of security standards
- Ensure procurement practices adhere to security protocols and security is embedded into the procurement process consistently.
- Work with internal stakeholders to define action plans to close or mitigate security findings of auditors
- Proactively test for security related issues and propose remedial plans.
- Manage security deliverables for programmes related to Privacy legislation across the markets within which Equity operates.
- Drive implementation and tracking of Critical Controls.
- Report on any residual risk, and other security exposures against the proposed security standards and policies including misuse of information assets and non-compliance.
- Measure and report on the effectiveness of Information Security management and control activities to appropriate governance committees.
- Report at risk and audit committees and manage the actionable outcomes related to security.
Tactical planning:
- Manage and develop the capability of the team to deliver security services needs of Equity Group.
- Partner with business leaders and peer-level managers to assess the technological cost and impact of recommended changes, help clarify priorities, and coordinate cross-organizational/ subsidiary consortia where common needs have been identified.
- Assess risks and the effects of specific requirements on other subsidiaries business processes and system priorities to ensure security services are aligned with business strategic objectives.
- Identify high risk/priority security areas for improvement
- Work closely with Finance teams in Group and Subs to ensure budgets and cost recovery procedures are in place and working effectively
- Build a strong relationship with Subsidiary leadership to ensure delivery
Managerial / Supervisory Responsibilities
Supervisory / Leadership / Managerial Complexity:
- Recruit, develop and retain people with outstanding skills, qualifications and potential.
- Performance management and identification of training needs.
- Accountable for a customer-centric culture and shift to legendary service provision.
- Employee relations and collaborative teamwork.
- Coaching and guidance of subordinates.
- Build professionalism, loyalty and commitment to the organization.
- Communicate actively and effectively resolving any potential conflicts that may arise.
- Living the Equity Brand – changing and influence employees’ behaviour.
- Clarify roles within the team to enhance collaboration and results
- Reward practices conducive to building individuals and team confidence
- Optimal human resource allocation / redeployment in line with strategic objectives
- Manage conflict proactively and monitor disciplinary and grievance actions and trends
- Train, motivate & develop resources
- The role requires management and supervision of the activities of a number of Team members across the Group and subsidiary functions IT & Operations who need to implement and remediate required controls.
Creativities (improvement/innovation inherent):
- Measures to be implemented to improve security across Technology environments
- Measures to be implemented to improve operational efficiency and effectiveness in the Operating environment
- Influence management decision making in security related aspects
- Pro-active
- Champion of quality and doing things right the first time
- Sharing of knowledge and security skills
Role Complexity:
- Matrix management for security planning
- Management of the security control environment across at least 13 domains in all the Technology functions and in at least 7 markets of Equity Group
- Management commitment
Budgets/ Financial Input:
- Assist with management of Security budgets in line with business objectives and facilitate forecasting. Includes yearly CAPEX Plans and tracking spend through the year
- Manage project initiative budgets in line with business objectives
- Drive initiatives that will ensure that the “cost of operations” is reduced, in line with a least-cost operating strategy stemming from the business drivers
- Assist with contract negotiations and driving to conclusion
Qualifications
Minimum Requirements:
Education:
- Minimum of 3 years tertiary qualification (degree/ national diploma) or equivalent in Information Technology
- Security certification e.g. CISSP & CISM essential
- Other qualifications (ITIL, TMF, COBIT) advantage
- Fluent in English
Experience:
- Min of 6 years in IT, 2 of which as an Information Security Senior Specialist or Manager in a large enterprise environment essential
- Experience in Banking or Telco industry advantageous
- Experience should ideally span multiple security domains ranging from security risk and governance, Data Loss Prevention, Authentication, Malware, Network Security, Applications and Operating Systems, and Security across platform / database / network
- Must have a wide breadth of knowledge and experience across security products, tools, and industry trends
- Knowledge of current security risks and protocols as well as good working knowledge of technical risk management and assessments
- Ability to interact with a broad cross-section of personnel to explain and enforce security measures
- Ability to maintain a high level of discretion and personal integrity in the exercise of duties, including the ability to professionally address confidential matters
- Expert knowledge of regulatory compliance requirements (PCI-DSS, ISO 27001, GDPR, etc.)
- Excellent written and verbal communication skills as well as business acumen and a commercial outlook
- Good analytic and problem-solving skills
- Ability to work under pressure, as well as the ability to take independent initiative when needed.
Training:
- Security certification courses
- Microsoft certifications
- Systems/Database/Network administration training
- Some training on Oracle, SUN Solaris and Linux is also required
- Training on any scripting language
- IP network related training
- Cloud security training
- Architect and design certifications
Competencies:
Head – Big Picture Focus (20)
- Strategy Implementers – Ensures execution of strategies through creating and implementing tactical plans for others to follow
- Decisive Problem Solver – Has the mental agility to identify business challenges and explore effective solutions through effective influencing
- Best Practice Value Creator – Encourages commercial innovation and continuous improvement for systems, processes, products and service offerings
Heart – Emotionally Intelligent (30)
- Culture and Change Champion – Role models ethical practices by living the EQUITY values and vital behaviours for others to follow
- Guiding People Manager – Is self-aware and guides team capability development through opportunity creation for realising potential
- Relationship Builder – Builds relationships across the business in order to influence decision-makers and build team credibility
Hands – Results Focused (40)
- Results Achiever – Produces sustainable divisional results through ethical practices
- Operationally Astute – Sets priorities, plans, organizes and co-ordinates the work of others
General working conditions:
- Target driven and cyclic in nature
- Long, irregular hours and tight deadlines during peak periods
- Must be willing to travel and operate in different markets when required
- Required to work from home from time to time
- Overtime and standby as required
KPA Quality Standards:
- Security settings deployed – alignment to Equity security standards and best practices
- Number of server and client systems to which the security standards are deployed
- Degree of impact to systems and users while deploying standards
- Security settings deployed counter Equity risks, e.g. theft of intellectual property, information leakage
- Speed with which security settings are deployed
- Completeness and accuracy of documentation
- Sustainability of processes implemented
- Expenditure within budget
- Quality of source data in terms of completeness, accuracy and timeliness
- Objectives of area met
- Collaboration with all key stakeholders
- Drives short term actions consistent with long term goals.
- User/customer satisfaction/feedback
- Capex and Opex vs budget
- Project Metrics (In time, cost + quality)
- Systems availability
- Timely delivery of information to internal customers (reporting, dashboards etc)
- High levels of automation of data processing and reporting
- Incorporation of new technology
- Alignment to Equity Strategy