Technology Risk and Cybersecurity Manager job at CIC Insurance
Vacancy title:
Technology Risk and Cybersecurity Manager

[Type: FULL_TIME, Industry: Insurance, Category: Management, Computer & IT, Business Operations]

Jobs at:
CIC Insurance

Deadline of this Job:
Tuesday, April 28 2026

Duty Station:
Nairobi | Nairobi

Summary
Date Posted: Wednesday, April 22 2026, Base Salary: Not Disclosed


JOB DETAILS:

About the Role

Reporting to the Group Director – Risk and Compliance, the role holder will be responsible for embedding cybersecurity and information risk disciplines into the organization’s broader ERM framework, ensuring that technology-related risks are identified, assessed, quantified, and treated in a manner consistent with the organization’s risk appetite and governance structures. In addition to cybersecurity risk, the role carries oversight responsibility for the full spectrum of ICT risk across the Group’s technology estate, supervising the ICT Risk Specialist and ensuring that infrastructure, system, and change-related risks are integrated into the Group’s enterprise risk register alongside cybersecurity threats.

Key Responsibilities

  • Support the Director, Risk and Compliance in embedding cybersecurity and ICT risk within the enterprise risk management framework, ensuring that technology risks are consistently captured in the organizational risk register, assessed against agreed risk appetite, and reported to governance forums in clear business terms.
  • Provide direct line management and professional development for the ICT Risk Specialist, Cyber Risk Specialist, and Project and Innovation Risk Specialist, setting clear objectives, coordinating workplans, conducting performance reviews, and ensuring high-quality delivery across all four disciplines.
  • Implement the CIC Group Cybersecurity Strategy, prepare reports on the Group’s cybersecurity risk appetite, monitor quantified thresholds, and produce quarterly and annual cybersecurity risk reports to Management, regulators and the Board of Directors.
  • Lead the Group’s cybersecurity incident response capability, directing the technical and governance response to material incidents in accordance with the Cyber Incident Response Plan.
  • Direct the Group’s red and blue teaming programme, commissioning annual red team adversarial simulation exercises, overseeing blue team defensive monitoring and response capability, reviewing findings from both disciplines, and driving remediation to strengthen the Group’s overall security posture.
  • Provide expert input into the security design of IT architectures, system implementations, and digital transformation initiatives, ensuring security-by-design and privacy-by-design principles are embedded from project initiation.
  • Implement the Group’s Third-Party Risk Management Framework for ICT-related vendors, ensuring all such relationships are assessed, classified, and managed proportionately to their risk tier, and monitoring for supply chain cyber threats and third-party data breaches in line with the Framework’s escalation timelines.
  • Support digital forensic investigations, maintaining chain of custody and producing reports suitable for management, board and regulatory submission or legal proceedings.

General Responsibilities

  • Participate in budgeting and resource allocation for the Risk and Compliance function.
  • Manage internal audit, external audit and regulatory engagements related to cybersecurity and information risk, coordinating audit responses and tracking remediation of findings.
  • Maintain current knowledge of developments in cybersecurity legislation, regulatory guidance, threat intelligence, and industry best practice across all operating jurisdictions, disseminating relevant updates to stakeholders.
  • Maintain and enforce cybersecurity risk policies and standards, reviewing them periodically to reflect changes in the threat landscape, regulatory environment, and organizational risk appetite, and ensuring compliance across all nine subsidiaries.

Who We’re Looking For

Essential Knowledge/Skills and Experience Required:

  • Bachelor’s degree in Computer Science, Information Technology, Cybersecurity, or a related field.
  • A Master’s degree in Information Security, Risk Management, or a related discipline is an added advantage.
  • Mandatory: One or more of CISSP, CISM, CISA, or equivalent senior cybersecurity certification.
  • Desirable: CGEIT, CRISC, CEH, cloud security certifications (AWS Security Specialty, Microsoft SC-100/AZ-500), ISO 27001 Lead Implementer/Auditor, or a risk management qualification (IRM, CRMA).
  • Total Experience: Minimum of eight (6) years of progressive cybersecurity or IT risk experience.
  • Leadership Experience: At least four (3) years in a management or team lead role with direct reports across multiple security or risk disciplines.
  • Industry Experience: Prior experience in financial services, insurance, or a regulated industry is strongly preferred.
  • Frameworks & Standards: Strong working knowledge of ISO 27001, NIST CSF, and enterprise risk frameworks (e.g. COSO ERM, ISO 31000), with practical experience applying these in a compliance-driven environment.

Work Hours: 8

Experience in Months: 12

Level of Education: bachelor degree

Job application procedure

Application Link:

Click Here to Apply Now
