
Head: Information Technology Cyber-Security and Penetration Testing

Job Ref: 266336
Job Type: Permanent
Employer Type: Company
Date Added: 18 Jul 2016
Expiry Date: 15 Aug 2016
* There have been 6 applications to this job.
* This job has been viewed 1846 times.
Employer:
Standard Bank

Location:
Gauteng

Salary:
Market related

Benefits:


Role details:
Job reports to: Head of IT Security

Job purpose description:

To build an Information Technology cyber-security and penetration testing capability in order to improve the Information Technology Security capability maturity. This includes developing a strategy, creating awareness in Information Technology, delivery of various control improvements, incident response planning and leadership of the cyber-security and penetration testing team.
- - - - - - - - - - - - - -
Key Responsibilities

Establish an IT cyber-security strategy and proactively identify cyber-security threats

- Develop a cyber-security strategy for Group IT.
- Develop threat models for all critical technologies (application and supporting infrastructure).
- Support the Head of IT Security with cyber-security input into the IT Security investment plans.
- Develop cyber-security business cases to secure the budget for improvements in the cyber-security maturity.
- Sponsor the approved Cyber-Security IT projects and ensure delivery on time and within budget
- Conduct research to get a clear view of new and emerging threats facing technology and ensure that these are reflected in the threat models and strategy.
- Ensure that the learnings from other cyber-security incidents are adopted by Standard Bank Group, in so far as the IT Security control environment is concerned.
- Create the awareness of cyber-security threats within the IT community.
- Guide the business with the selection of appropriate IT controls in order to combat cyber-security threats leading to fraud.
- Coordinate efforts with the Cyber Security Operations Centre to ensure a unified approach to cyber-security across Standard Bank Group.
- Keep abreast of technology trends and the implications on Cyber-Security e.g. mobile, cloud and social.
- Provide insight and intelligence into effective cyber-security threat management.
- Stay close to the business strategy and ensure that IT Security capabilities enable and support this strategy.

Coordinate cyber-security incident management, response and recovery for IT

- Develop incident response plans (aligned with the CSOC) and recovery processes for specific cyber-security events, linked to a reliable industry source (SANS Top 10, Symantec, etc.).
- Coordinate the IT recovery process post a cyber-security incident.
- Secure the requisite IT resources and ensure that recovery efforts receive appropriate focus and priority.
- Write the IT Security incident report and share with the IT community, with emphasis on root cause and lessons learnt.
- Ensure that remediation work is undertaken in line with findings and is coordinated and tracked.
- Perform simulation exercises to test the effectiveness of IT Security controls.
- Provide the rules for the effective management of IT Security controls in the IT Operations / Run organization
- Inform the rules and/or configuration and policy settings that should apply to IT Security controls based on incidents and threat intelligence.

Responsible for cyber-security consulting to IT

- Coordination of external vulnerability remediation – this includes determining the scan lists with the line of business IT Security teams, reviewing results of the foot-printing exercise and coordination of remediation efforts with the respective IT support teams.
- Generate management information to clearly articulate our cyber-security exposure.
- Provide cyber-security expertise to the line of business IT Security teams in the course of risk assessment and advisory work.
- Provide cyber-security consulting to business with regards to technology decisions and new business enablement.
- Create awareness with the IT executives on new and emerging IT / Cyber-Security threats

Provision of a penetration testing service to all lines of business

- Deliver a prioritization framework to be able to scientifically prioritize demand across projects and production systems servicing all lines of business
- Identify, procure, maintain and manage all penetration testing tools (software)
- Manage and co-ordinate penetration testing third party co-source vendors
- Develop and maintain strategy for the management of penetration testing services
- Ensure continuous improvements in test planning and execution processes
- Build a knowledge base to improve testing quality
- Build a capability to automate recurring testing methods to be able to improve quality and reduce test days
- Become more embedded in the development community to provide support during the development stage
- Design and plan testing conditions, test schedules as per business requirements to ensure appropriate and adequate coverage and control
- Establish secure coding standards and create awareness within the development community, including but not limited to hands-on secure coding training
- Ensure that threat and vulnerability evaluations are performed on a regular basis and that assessments focus on the top threats and risks
- Provide mitigation options to the line of business IT Security teams to reduce risk to an acceptable level
- Plan and coordinate mitigation actions for penetration testing findings
- Assist and support IT, Financial Crime Control and the Cyber-Security Operations Centre with consultation on IT Security incidents, fraud matters and/or investigations
- Contribute to the identification and management of risk across Group IT
- Generate meaningful management information and reports focussing on key trends

Effective stakeholder management

- Build effective working relationships with the line of business IT Security functions
- Create sufficient resourcing and capacity to be able to fulfil demand from across the Standard Bank Group
- Have effective working relationships with Enterprise Technology Architecture to ensure that security roadmaps are aligned
- Become the service provider of choice and reduce the use of external consultants to absolute necessity, not preference
- Have effective relationships with the CSOC and FCC teams to be able to assist with technical expertise in the course of an investigation or IT Security incident
- Have effective relationships with the vendor community to be able to co-source the best skills on short notice to complement the team
- Have a strong relationship with the web development teams and ensure that secure development practices are adopted

Management of People

- Manage the Headcount and Budget for your business area/ department and ensure you remain within your allocated numbers for the year in collaboration with your Head, Finance and Human Capital Business Partner.
- Participate in attracting resources by following and adhering to the recruitment practices. In collaboration with the Resourcing Manager/Consultant and/or Human Capital Business Partner, build a pipeline for critical roles in your business area.
- Ensures the effective selection of staff by matching the skills and competencies to the requirements of the job, by following the recruitment policies and procedures.
- Ensures skills assessments and competency-based training takes place as and when required.
- Collaborate with Resourcing Manager/ Consultant and plan the on-boarding process for new entrants. Arrange, allocate and provide IT equipment, desk, telephone, parking and systems access to all required systems for new entrants and transfers into your department.
- Develop and cascade Performance Management goals/contracts and Development plans with all subordinates in line with Group standards and timelines.
- Ensure team’s goals are captured and updates on system are completed as per Group timelines.
- Host one-on-one discussions at least monthly and two formal performance discussions per year. Communicate performance ratings and areas of improvement to all subordinates, and provide recognition for areas in which the employee performed well.
- Follow the poor performance process when required in accordance with Group policies and timelines. Consult with Human Capital Business Partner for support with the Poor Performance or Wellness situations.
- Host team meetings monthly or as frequently as required and communicate strategy and business communications to the team.
- Follow the Disciplinary & Grievance procedures and adhere to specified requirements as laid out in the policies of the bank.
- Execute Talent Management practices, such as having career discussions, participating in a talent review and following through on agreed activities. Participate in Talent Management initiatives/practices as required by Group.
- Responsible for the retention of relevant skills in order to meet the business needs.
- Responsible for inspiring, motivating, leading and managing the allocated team.
- Develop and manage a Succession plan for your area, ensuring that the succession plans are updated on an annual basis.
- Takes personal responsibility for coaching and mentoring others.
- Effectively delegates authority and responsibility, in line with business objectives, to ensure the empowerment, motivation and effectiveness of all direct and indirect reports.
- Promotes a culture where the values of the Bank are seen to be ‘alive’.
- Ensures the implementation of the leadership competencies and employee engagement programmes (e.g. OHI).
- Partner with Human Capital Partner to facilitate and co-create Occupational Health Index (OHI) planner with team. Participate in executing the OHI planner to ensure culture is enhanced.
- Collaborate with the Learning and Development consultant and/or Human Capital Business Partner in creating and executing a learning and development planner for your business area.
- Ensure employees utilize the SABA learning system to book training.
- Ensure employees execute all compliance training within the Group timeframes.
- Consult with the Learning and Development consultant on needs not listed in the Standard Bank Group catalogue.
- Ensure all training plans agreed with employees are executed.
- Prepare and participate in annual Reward practices in accordance with Group policies, guidelines and timelines.
- Utilize recognition programmes in accordance with Group policies, practices, guidelines and timeframes, thereby ensuring that staff are appropriately and consistently rewarded and recognised for their achievements and outputs.
- Fosters the transformation of the workplace and supports business in the achievement of the undertakings in the transformation scorecard.
- Action the Exit process in accordance with Group policies, practices, guidelines and timeframes.
- Ensure that all systems access has been revoked on the agreed timeline of the termination of contracts as well as retracting all Standard Bank equipment (including cards, keys, etc).
- Manage sick leave and overtime reports and take corrective action where appropriate, alternatively collaborate with Human Capital Business Partner to assess risks and remedial action.
- Action and manage the Occupational Health and Safety procedures and report incidents according to Group policies, procedures and timelines.
- Complete the Compensation Occupational Injury and Disease documentation in accordance with Group

Qualifications

- First Completed Degree
- Information Security related Certification (CISSP / CISM / CRISC / CISA)

Experience

- 7-10 years' prior industry experience in a corporate environment (preferably a Financial Institution) in an IT Security role.
- Experience in developing threat models, risk profiles, penetration testing, cyber-security risk and incident management, and a solid understanding of crime in the financial sector
- Experience in engaging with a broad spectrum of stakeholders including senior executives.
- 3-4 years' experience in coordinating large initiatives across multiple areas.





 