Head of Information Security Risk Management

HRINC (Cambodia) Co., Ltd
Job location: Phnom Penh

Job Overview
# Hiring: 1
Job Type: Permanent Job
Exp. Level: Management
Job Function: Information Technology, Others
Industry: Banking / Financial Service
Preferred Applicant: Local
Required Language: Khmer, English
Deadline: May 9, 2026
Location: Phnom Penh

Job Summary

The Head of Information Security Risk Management provides oversight of information security risk, ensuring alignment with regulatory requirements, the Bank’s risk appetite and governance frameworks.

Drive continuous improvement of information security risk processes in line with international best practices, including NIST and ISO standards and national regulations and guidance including TCRMG.

Deliver independent risk insight and reporting to senior management and Board‑level committees to support informed business decision‑making.

Responsibilities and Duties

Performance

  • Oversee the Bank’s information security risk management function in line with strategic objectives and defined risk appetite.
  • Continuously uplift and mature information security risk processes to ensure alignment with regulatory requirements and international best practices (e.g. NIST, ISO).
  • Provide effective second‑line oversight and challenge to IT and business units on information security risk assessment, control effectiveness and remediation.
  • Ensure information security risks and non‑compliance issues are identified, escalated, and resolved within agreed timelines.
  • Oversee security risk assessment for major projects, significant changes, and new technologies.
  • Deliver concise, risk‑focused information security reporting to Senior Management and Board‑level Risk Committees.

KPIs

  • Complete update and full implementation of the in‑house information security risk assessment tool, with 100% adoption by in‑scope business units within the agreed timeline.
  • Maintain an up‑to‑date enterprise information security risk register with 100% of material risks reviewed at least quarterly and formally approved risk owners assigned.
  • Ensure 100% of in‑scope systems, business processes, and third‑party engagements undergo information security risk assessment in accordance with regulatory and internal requirements.
  • Uplift and standardise information security risk acceptance processes, with 100% of risk acceptances documented, justified, time‑bound, and approved at the appropriate authority level.
  • Achieve ≥95% of information security risk remediation actions closed on or before agreed target dates, with overdue items escalated in line with governance requirements.
  • Ensure 100% of significant projects, major changes, and new technologies are subject to information security risk assessment prior to approval or production deployment.
  • Demonstrate measurable uplift of risk management maturity against NIST and ISO/IEC 27005, evidenced by year‑on‑year improvement in maturity assessments or independent reviews.
  • Effectively coordinate information security risk activities with external consultants, ensuring 100% delivery of agreed risk assessments within scope, timeline, and quality expectations.
  • Deliver timely, accurate, and risk‑focused reporting to Senior Management and Board‑level Risk Committees in 100% of scheduled reporting cycles, with no material audit findings.
  • Provide documented independent challenge on 100% of high and critical security risks, with clear evidence of review, recommendations, and management response.

Customer Service

  • Enable the business to meet its goals securely.
  • Ensure the team delivers high‑quality, professional services to internal stakeholders by adhering to internal policies, procedures, and agreed service level agreements (SLAs).
  • Build and maintain strong, collaborative relationships with key internal stakeholders, including business units, technology teams, and control functions, to support effective risk management outcomes.
  • Foster a professional, collaborative, and approachable service culture that enables clear communication, consistency, and ease of engagement for internal clients.
  • Promote a positive team environment in which staff are proud to contribute to the Bank, are committed to supporting internal customers, and actively collaborate to achieve shared objectives.

Management and Compliance

  • Operate as part of the second line of defence, providing independent oversight and challenge of information security risks, controls, and risk treatment decisions across the Bank.
  • Ensure information security risk management practices are aligned with the Bank’s Total Corporate Risk Management Governance (TCRMG) framework and recognised standards, including NIST and ISO/IEC 27001/27005.
  • Oversee the identification, assessment, reporting, and escalation of information security risks, ensuring alignment with the Bank’s risk appetite and regulatory expectations.
  • Coordinate and support information security–related audits, regulatory examinations, and assurance reviews, ensuring timely, accurate, and consistent engagement.
  • Promptly prepare any report as needed.

Learning and Growth

  • Demonstrate initiative in developing and maintaining personal and team development plans, with regular discussion and alignment with the line manager.
  • Actively seek and provide honest, constructive feedback to the line manager to support continuous improvement in customer service quality, processes, procedures, staff behaviour, and the overall public image of the branch.
  • Commit to continuous learning by proactively staying up to date with the Bank’s policies, procedures, processes, products, services, and customer service principles, ensuring accurate and effective presentation of the Bank’s offerings to customers.
  • Contribute to a learning-oriented culture by applying acquired knowledge and skills to improve individual performance, team effectiveness, and achievement of branch objectives.
Qualifications and Skills

Qualifications

  • Bachelor’s or Master’s degree in Information Technology, Computer Science, Information Security, or a related technical or risk management discipline.
  • One or more of CISSP, CISM, ISO27001, CRISC, CGRC, COBIT, COSO.

Experience

  • Minimum of ten years’ professional experience in Information Technology, Information Security, or related fields.
  • Exceptional understanding of information security risk management frameworks, including COSO, ISACA, ISC², COBIT, NIST, and ISO/IEC 27005.
  • Proven experience in leading the development and execution of IT risk, compliance, and information security governance processes and procedures.
  • Excellent team leadership capabilities with strong written and verbal communication skills.
  • Extensive experience in developing and maintaining information security strategies, policies, standards, procedures, and guidelines.
  • Strong analytical skills with the ability to summarise findings clearly for reporting and improvement planning.
  • Excellent command of English, with the ability to deliver presentations to senior management and Board-level stakeholders.
  • High level of integrity, commitment, and professional responsibility.
  • Strong attention to accuracy and detail.
How to Apply
Name: Ms. HENG Sokhor (SanSan)
Title: Recruitment Consultant
Phone Number: +855 93228868
Email: HENG.Sokhor@hrinc.com.kh
Address: The Edge Phnom Penh, House No. A9-A10, Ayasmayan East Street (St. 139), Phum 1, Sangkat Sras Chork, Khan Daun Penh, Phnom Penh

To support us, please mention www.hrincjobs.com in your application email as the source where you found this job.
