Chief Information Security Officer - CISO

Strategic services

• Advise on the management of cyber security risks by partnering with ICT and other key stakeholders to enable the alignment of business and information security strategies. Capture the value of security investments in order to identify and advise on safeguarding organizational “crown jewels” and assets driven by business need.
• Inspire key stakeholders in order to build commitment to Cyber Security Risk management.
• Communicate with senior management regarding:
  • Top cyber risks and how these relate to the current business challenges
  • Current security maturity level in relation to the threat landscape and industry peers
  • Emerging threats, including current and future trends, which threat actors are attacking UNOPS and explain how this may impact the organization
  • Providing status updates of any open audit and regulatory issues.
  • Public or private partnerships, including industry group.

Advisory services

• Understand the implications of new or emerging threats and help identify cyber security risks that arise as the business advances new standards, processes and strategies while driving UNOPS to continuously improve its security decision-making and risk mitigation capabilities.
• Help leadership and personnel be aware of and understand cyber security risks and empowering them to make decisions based on that understanding.
• Understand and communicate cyber security risk in terms of its potential to positively affect competitive advantage, business growth, and revenue expansion.
• Define cyber security risk metrics that “tell stories” to which business leaders can relate and move away from a strictly compliance-based to a risk-driven approach to security.
• Partner with business units to generate plans and recommendations for strategic as well as tactical management of system and information security processes, risks and threats.
• In collaboration with key stakeholders, create a risk-based strategic roadmap for the maturity of cyber resilience practices and capabilities at UNOPS. Align this with business and ICT objectives, including organizational risk appetite. 

Assurance and governance

• Establish and maintain a framework for information and system security governance based on threat assessment and risk management.
• Recommend appropriate governance mechanisms for monitoring information security practices, surfacing risks, reporting them and monitoring progress in mitigating against them.
• Partner with relevant policy owners to ensure compliance with information security standards, appropriate management approaches and reporting mechanisms. Propose corrective actions for non-compliance with information security policies and monitor their implementation.
• Provide independent assurance for the implementation of recommendations/improvements, including their effectiveness in addressing the information and system security threats.
• Address potential “false sense of security” by facilitating security testing to verify that countermeasures are working effectively and as expected holistically across technology, people, processes, brand and physical domains e.g. internal and external penetration testing, red teaming, purple teaming and wargaming based on business need.
• Work with relevant stakeholders to strengthen capabilities to detect and respond to cyber attacks (multi-vector across technology, process, human and physical) on the organization, including developing metrics to track the effectiveness of defensive capabilities.

Capability building

• Help build cyber resilience capability amongst the relevant stakeholder groups. Ensure awareness of, and compliance with information and system security standards.
• Communicate and be an advocate for the benefits of a risk-based approach, mapping of organizational assets and threat assessment. Promote holistic security across people, processes, technology and human aspects and empower business units and employees to take ownership of their role in securing UNOPS.
• In collaboration with PCG (HR), prepare and update the employee training and awareness plan for information and system security as well as the induction training on information and system security topics for new employees with regards to the current threat landscape. Drive the implementation of “phishing” tests to verify that the awareness training is working effectively.
• Develop a security integration model by either designating cyber risk champions within business units or aligning cyber risk personnel with business units to contribute towards ensuring that cyber security is a priority for all employees.
• Propose information security objectives as well as disciplinary actions against employees involved in the information and system security breaches.

Knowledge management and innovation

• Distill knowledge, best practices, threat assessment and risk-based approaches in information and system security management for UNOPS. Make it readily available.
• Maintain, update, and share knowledge of current and best-practice developments in information security with designated focal points and networks.
• Work with stakeholders to drive continuous improvements in information and system security.
• Participate in peer industry initiatives to collaborate and share threat intelligence, knowledge about current and future threats, and how to manage them.
• Attend recognized international hacking and security conferences to keep up with the latest cyber-attacks and defensive developments.
• Create a security training plan to attend relevant training courses to keep up with the latest developments and obtain any relevant security certifications.