Information Security Manager

Recruiter: Trinity Europe
Location: London
Salary: GBP70k - GBP80k + 20% Bonus + Benefits
Posted: 16 Sep 2014
Closes: 17 Sep 2014
Contract Type: Permanent
Hours: Full Time

Job Title: Information Security Manager

Location: City, London

Salary: GBP70,000 - GBP80,000 + 10% Bonus + Benefits

Skills: Security, Manager, Strategy, Roadmap

Information Security Manager Job Description

The Information Security Manager is responsible for establishing and maintaining a group-wide information security management programme to ensure that information assets are adequately protected. This position is responsible for identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the group. The Information Security Manager position requires strong leadership skills, sound knowledge of business management and strong working knowledge of information security technologies. The Information Security Manager will proactively work with all areas of the business to implement practices that meet defined policies and standards for information security. They will also work closely with the Risk department to help oversee a variety of IT-related risk management activities.

The Information Security Manager serves as the owner of all assurance activities related to the availability, integrity and confidentiality of information in compliance with the organisation's information security policies.

The ideal candidate will be a consensus builder, and an integrator of people and processes. While the Information Security Manager is the leader of the security program, they must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that security is just one of the business's activities. It cannot be undertaken at the expense of the enterprise's ability to deliver on its goals and objectives. Ultimately, the Information Security Manager is a business leader, and should have a track record of competency in the field of information security or risk management, with over five years of relevant experience, including two years in a significant leadership role.

Responsibilities

  • Develop, implement and monitor a strategic, comprehensive enterprise information security programme to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the organisation.
  • Manage the enterprise's information security organisation, consisting of direct reports and indirect reports (such as individuals in business continuity and IT operations). The team is currently sized at five (including this role) and the job holder will be responsible for hiring, training, staff development, performance management and annual performance reviews.
  • Facilitate information security governance through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
  • Develop, maintain and publish up-to-date information security policies, standards and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
  • Create, communicate and implement a process for managing the information security aspects of vendor management, including the assessment and treatment of risks that may result from partners, consultants and other service providers.
  • Create and manage information security and risk management awareness training programs for all employees, contractors and approved system users.
  • Provide regular reporting on the current status of information security to business stakeholders.
  • Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection.
  • Provide Information Security guidance for IT projects, including the evaluation and recommendation of technical controls.
  • Liaise with the enterprise architecture team to ensure alignment between the security and enterprise architectures, thus coordinating the strategic planning implicit in these architectures.
  • Coordinate information security and risk management projects with resources from the IT organisation and business teams.
  • Ensure that security programs are in compliance with relevant laws, regulations and policies to minimise or eliminate risk and audit findings.
  • Liaise among the information security team and corporate compliance, audit, legal and HR management teams as required.
  • Maintain an operational security response capability to protect corporate IT assets, including intellectual property, regulated data and the company's reputation.
  • Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
  • Coordinate the use of external resources involved in the information security program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
  • Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the programme, facilitate appropriate resource allocation, and increase the maturity of the security programme.
  • Identify and organise in-depth external penetration tests of infrastructure and applications.
  • Manage the cyber defence infrastructure within the group, and maintain and enhance the configuration of the related systems.
  • Maintain and improve the data loss prevention system in use within the team.
  • Maintain a vulnerability management programme, including undertaking regular infrastructure tests utilising in-house skills and technology. Escalate issues to the appropriate technology owner, and negotiate and track remediation plans for any issues found.
  • The Information Security Team is responsible for maintaining the company's ISO27001 certification.
  • Perform related duties and fulfil responsibilities as required.

Requirements

  • Minimum of five years of experience in a combination of risk management, information security and IT jobs. At least two years must be in a leadership role. Employment history must demonstrate increasing levels of responsibility.
  • The group maintains a significant Internet presence, and therefore exposure to and understanding of large-scale web technology is required.
  • Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.
  • Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic environment.
  • Ability to act calmly and competently in high-pressure, high-stress situations.
  • Must be a critical thinker, with strong problem-solving skills.
  • Knowledge, experience and understanding of PCI, ISO27001 and audit processes. Exposure to finance regulation is desirable.
  • Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
  • Project management skills: scheduling and resource management.
  • Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.
  • Degree in business administration or a technology-related field, or equivalent work- or education-related experience.
  • Professional security management certification, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials, is desired.
  • Experience with contract and vendor negotiations.
  • High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity.
  • High degree of initiative, dependability and ability to work with little supervision.
  • Knowledge of Sourcefire, Nessus, Symantec DLP or Splunk is advantageous.