Job description
Job Title: Chief Information Security Officer (CISO)
Reports to: Chief Technology Officer
Operating Group: Information Security
Location: Isle of Man, Guernsey, Ireland (Dublin / Navan), UK (Southampton), home based
Job Purpose
The Chief Information Security Officer (CISO) is responsible for the long-term strategic management of
Utmost’s information security technology and governance according to the Information Security
Management System (ISMS) framework. The CISO is expected to define, develop, and maintain a
business-aligned Information and Cyber Security strategy and operating model for the ongoing
protection of computer networks and information.
You will be a strategic and lateral thinker with exceptional leadership credentials and a sophisticated
approach to stakeholder and supplier management (ideally within the finance sector).
The role requires:
- a good overall understanding of the business and the jurisdictions in which we operate, and of the applicable legal and regulatory obligations (in particular data protection requirements);
- a thorough understanding of the technology underpinning Utmost’s IT systems; and
- a broad, up-to-date knowledge of information security frameworks, vulnerability management, incident management and response, secure development techniques and approaches, Cyber Security engineering and operations, and management and governance of Cyber risk and Cyber Security.
Key Responsibilities include:
- Information Security strategic leadership
- Governance and standard development and monitoring
- Security Incident Management
- Cyber Risk management
- Driving Information Security awareness
Main tasks and responsibilities / Key Performance Indicators
Security Incident Management
Main tasks and responsibilities:
- Ownership and management of the Information Security Incident Management Process. Manage incidents and their follow-up actions, agreeing the required actions and ensuring that they are carried out.
- Manage the documentation of policies, procedures, security guidelines and runbooks to assist in the timely resolution of Security Incidents.
- Assist with the development of relevant BCP plans for IT and the business from a security perspective.
Key Performance Indicators:
- Business process documentation created as part of the ISMS creation is maintained as and when processes change.
- Security Incidents managed and closed out as required.
- Escalation of incidents within agreed timeframes.
- Adequate and robust testing of BCP plans.
- All new implementations are included in BCP plans/solutions.
Cyber Risk
Main tasks and responsibilities:
- Oversight, management, and reporting on all risks pertaining to information security, including all forms of cyber risk and all risks relating to the protection of personal data throughout the businesses in all locations.
- Developing and monitoring Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) relating to the information security controls of the businesses.
- Assist in the ongoing assessment of risk to the security of information, assets, and personnel.
- Assist in the management of cyber risk, including risk reviews and mitigation planning.
Key Performance Indicators:
- Risk assessments carried out to standard, to agreed schedule, and as required.
- A complete and accurate risk register is in place and monitored.
Governance / Standards
Main tasks and responsibilities:
- Assist with the initial certification and ongoing adoption of the NIST framework.
- Develop and maintain information security documentation to agreed standards.
- Facilitation of external information security audits, management reviews and internal information security audits.
- Define and manage the monitoring of key measures of ISMS performance.
Key Performance Indicators:
- NIST alignment and accreditation.
- Documentation that meets standards and drives processes.
- Audits progressed smoothly and with the least possible disruption to the business.
- All agreed security KPIs (including security controls) monitored and reported as required.
Information Security Strategic Leadership
Main tasks and responsibilities:
- Drive and coordinate the management of security through the sharing of ideas between key security players; the monitoring of threats and subsequent identification of opportunities for improvement; and the ongoing monitoring of security activity (e.g., penetration testing actions) to meet targets. Drive and manage the development of information security to ensure approaches, techniques and tools continue to meet needs.
- Ensure that the team becomes an active part of projects at an early stage so that all projects take information security into account; carry out, or oversee, information security risk assessments and ensure that the results are acted upon.
- Provide training, coaching and internal consultancy to the business at all levels in relation to the Information Security Management System, the NIST framework, a wide variety of IT controls and information security controls, and new and evolving IT standards, cyber risks, and information security issues.
- Authorise the release of system changes into production environments according to agreed parameters and processes.
- Provide information security guidance to the IT team as part of project and software development lifecycles.
- Perform regular internal and external security audits and testing, including penetration testing.
Key Performance Indicators:
- Sharing of security ideas actively promoted.
- Audit actions (including penetration tests) managed and followed up in a timely fashion.
- Applicable threats identified and actioned within agreed timescales.
- Ongoing measurable improvements to approaches implemented to ensure information security is maintained long term.
- Guidance in security risk assessments provided and carried out as required.
- Corrective changes documented and agreed based on risk assessments and carried out to plan.
- Change releases checked and authorised as required and in a timely manner.
- Project Security Risk Assessments carried out as required.
Information Security Awareness
Main tasks and responsibilities:
- Assist in the development and delivery of training, education, and initiatives to promote security awareness throughout the businesses.
Key Performance Indicators:
- Broad and effective staff security awareness delivered through various media and judged to be effective.
Cyber Risk Management
Main tasks and responsibilities:
- Preparation, management, and reporting of the Information Security Risk Assessment in conjunction with the overall Business Operational Risk Assessment.
- Reporting on Key Risk Indicators and Key Performance Indicators.
- Provide IT and information security control risk input into projects from inception.
Key Performance Indicators:
- Contributing to the creation of a culture of risk awareness and the highest standards of corporate governance.
- Preparation, management, and reporting of the Information Security Risk Assessment in conjunction with the overall Business Operational Risk Assessment.
- Assess operational risks associated with day-to-day activities and implement risk mitigation controls as necessary.
- Ensure operational risk events are reported on a timely basis and risk event actions are completed within agreed timelines.
Customer Management
Main tasks and responsibilities:
- Maintain effective relations with all key stakeholders across the company.
- Commits to exceeding the expectations and needs of internal/external customers; possesses a “customer first” mindset.
- Ensures that work is accurate and well presented, that customer care is given priority above all else and that effort is made to exceed the minimum standard required in all areas.
- Shows concern for detail no matter how small.
- Takes pride in doing a job well.
Key Performance Indicators:
- Quality and timeliness of communication updates to all relevant parties.
- Appropriate service is delivered at all times, across all business lines, and feedback is sought from key stakeholders to fully assess the service quality.
Culture
- Is a role model in demonstrating the behaviours and culture across the organization.
- Represents company strategy and commercial decisions in a proactive and positive manner.
- Leads by example to motivate and assist with managing change across the organization.
Knowledge, Skills, and Behaviours (Essential or Desirable)
Knowledge, Experience or Qualifications
- At least 8 years’ experience in Information Security, and experience in people and IT management. (Essential)
- Experience in security tools, technology, and architecture. (Essential)
- Management experience that encompasses information systems or information security experience. (Essential)
- Relevant certification is preferred (ISO27001 or NIST lead auditor, CISSP, CISM, CRISC, CCRO), along with the following experience: NIST implementation; internal audit knowledge; risk analysis (systems/projects/changes); security technical knowledge/skills; information systems such as Active Directory, VMware, firewalls, network, storage, QRadar/SIEM; IT hardware, software and process appreciation. (Preferred)
Skills
- Process mapping and data analysis skills. (Essential)
- Analytical skills: interprets quantitative and qualitative information to achieve objectives and produces effective solutions to problems. (Essential)
- Ability to work within tight deadlines and deliver solutions within defined time periods. (Essential)
- Experience working in a complex operational environment. (Essential)
- Effective verbal and written communication skills and strong interpersonal skills; good at reporting.
Behaviours
- Cooperative, flexible, adaptable, and persistent. (Essential)
- Diligence: being careful about detail and thorough in completing work. (Essential)
- Integrity: being honest and ethical. (Essential)
- Must be willing to travel occasionally between offices in all Utmost territories where required (infrequent).
If you would like to apply for this role, please send your cover letter and CV to
Utmost Group is an equal opportunities employer