INFORMATION RISK MANAGEMENT LEAD
Lamoreaux Search, Dallas, TX, United States
Our global marketing communications client has a rich 100+ year history of excellence in service and growth predominantly through acquisition. Their portfolio of companies reaches over 1,500 agencies in over 100 countries connected by a parent company dedicated to leveraging their collective and individual offerings.
Role Overview:
Reporting to the Global Managing Director of Governance, Risk and Compliance, the Information Risk Management Lead is responsible for planning, strategy development and execution of Risk Management programs to measure and maintain the effectiveness of the organization’s cybersecurity, business resilience and Third-Party Risk. Key to this role is partnering throughout the organization and coordinating with all risk functions (Security, Internal Audit, Privacy, Compliance, Controls) to support the successful achievement of the organization’s risk management activities and optimizing operational performance.
The Information Risk Management Lead will evaluate the maturity of the organization’s security program and benchmark against leading practices to ensure industry leading approaches, policies, processes, and tools are implemented to mitigate and counter risks and potential threats. This role will advise on cybersecurity, business resilience and Third-Party Risk Management reference architecture leading practices, and test/ensure the effectiveness of controls, as well as assist the global family of agencies, networks, and practice groups in complying with the relevant regulations.
The role performs continuous assessment of the organization’s global threat landscape in order to enhance or implement control processes and tools that make risk management more effective. The Information Risk Management Lead will provide management and oversight of a team charged with executing daily functions and strategic initiatives, as necessary.
Key Focus Areas:
• Cyber Risk Management is a key area of focus.
• Supported by a Business Resilience Lead and a Third-Party Risk Management Lead, oversee day-to-day operational management and contribute to strategic implementations.
• Recruit, retain, and maintain a qualified team of security risk management professionals to protect company assets and support security risk initiatives.
• Apply a deep understanding of general security concepts and methods, including cyber strategy and transformation, cyber risk management, cybersecurity architecture, operations and monitoring, infrastructure and application security, cyber threat management, cloud security, emerging technologies security, cyber regulatory compliance and controls, cyber resiliency and business resilience, incident response and crisis management, data protection and privacy, and third-party risk management.
• Work with leaders of the Governance, Risk and Compliance team to define, publish, and maintain global information security policies and standards, taking into consideration industry standards and frameworks, such as ISO 27001, CobiT, NIST, and others.
• Identify, maintain, and refresh the organization’s top risks, and articulate their likelihood, severity and impact using purpose-specific Risk Registers.
• Align information security processes with Cyber Security frameworks such as ISO27001, PCI and NIST 800-53 to ensure compliance with stated metrics and documented controls.
• Develop and maintain an operational Cyber Security Risk Framework.
• Support efforts to perform risk assessments at least annually, and establish a robust risk and compliance program that includes the tracking of risks and findings, creation and implementation of remediation plans, mechanisms for risk acceptance, and escalation procedures.
• Measure compliance with policies and standards as part of assessing the overall cyber risk management capability of the enterprise and develop strategic plans as required.
• Provide active risk data contributions to the Information Risk Management Committee (IRMC) and Risk Sub-committee, which consists of key IT, security, and business stakeholders, to provide strategic direction for the enterprise risk governance.
• Develop risk transparency reporting and communications, with accompanying mitigation plans.
• Investigate, recommend, and follow up appropriate corrective actions for identified security deficiencies and policy exceptions.
• Provide guidance on security controls involving password and access management, segregation of duties, logging and monitoring, data encryption, data backup and recovery, disaster recovery, business continuity management, etc.
• Ensure the information security risk register is properly maintained and ensure that risk issues and other variances including risk acceptance are resolved in a timely manner.
• Oversee entitlement reviews of critical systems to protect the organization’s information assets from internal and external threats.
• Provide periodic reporting on information security issues and gaps for compliance with the enterprise information security policies, standards, and procedures among employees, contractors, alliances, and other third parties.
• Coordinate the execution of security governance and assessment control initiatives. Work with Governance, Risk and Compliance leadership while supporting IT and the business regarding efforts to implement and maintain a business continuity and disaster recovery plan for all practice groups and networks across the enterprise.
Qualifications/Experience:
• Subject Matter Expertise in IT Risk and Cyber Security Governance required.
• Subject Matter Expertise in Business Resilience and Third-Party Risk Management is preferred.
• Bachelor's degree required, preferably in computer science, information systems, engineering, business administration, or related field.
• 6+ years of experience defining Information Security Governance documentation and technical experience in the security aspects of multiple platforms, operating systems, software, communications and network protocols, or an equivalent combination of education and work experience.
• Minimum of 5 years of Risk Management, Information Security, IT Auditing, or equivalent experience.
• Demonstrate a strong understanding of the information security and IT environment and its impact on business risk.
• Deep understanding of enterprise security tools preferred (e.g., SIEM, vulnerability scanners, firewalls, identity governance and administration).
• Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT and NIST-800 series.
• Demonstrated understanding of technological trends and developments in the areas of information security, risk management, and business continuity.
• Demonstrated managerial experience, specifically in the administration and management of the information security function.
• People and team leadership experience is needed. There is a team of 9 this person will lead.
• Strong interpersonal skills with the ability to work effectively in a matrixed organization.
• Strong project management skills, technical writing, and presentation skills.
• Ability to rapidly learn and apply advanced and emerging technical security principles, theories, and concepts.
• Experience working in a complex global environment is needed, preferably in one that was moving toward centralization.
• Certified in one or more of the following: ISO27001, CISA, CRISC, CGEIT, CISM, CISSP, CCSK, CCSP, PCI, ITIL.
Skills and Abilities:
• Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.
• Excellent problem-solving and analytical skills. The individual must be a team player and a strategic and analytical thinker, able to think “big picture” while also focusing on trends and data coupled with industry themes, and able to multi-task on projects.
• Ability to build-out security strategy aligned with business objectives that will continually improve and enhance cybersecurity within the organization.
• Demonstrate the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
• Possess a strong technology background with the ability to challenge or validate technology decisions from a position of knowledge and experience.
• Possess the ability to rapidly assimilate business strategies, coupled with the insight to seize high impact opportunities by applying creative problem-solving solutions.
• Track record of managing across multiple global locations, with a solid understanding of the challenges and benefits.
• Ability to lead and motivate global cross-functional, interdisciplinary teams to build-out new capabilities and achieve tactical and strategic goals.