Requisition ID 36500
Office Country United Kingdom
Office City London
Division Risk Management  
Contract Type Regular 
Contract Length
Posting End Date 30/03/2026 

Purpose of Job


Supporting the ‘AD, Senior Risk Officer, Information Security’ in the management and technical aspects of Information Security (IS) across the EBRD, the Information Security Consultant will be responsible for helping to deliver key IS (and Cybersecurity) projects and for performing risk identification and mitigation activities.

The successful candidate will:

  • Identify, mitigate and manage IS and Cybersecurity risks posed to the EBRD and its clients.
  • Provide independent IS and Cybersecurity oversight, technical assessment and consultancy in accordance with good practice, including but not limited to:
    • Data Leakage
    • Training and Awareness
    • Ethical Hacking
    • Third Party Risk Management
  • Assess and advise on technical risk mitigation measures, review identified risks, analyse security incidents and communicate risk mitigation actions, plans and activities to management and peers for strategic decision-making.
  • Act as the primary Subject Matter Expert (SME) for Risk Management on Cybersecurity oversight and assurance, supporting senior management to take informed decisions around IS risks.
  • Work closely with the IT Department on technical aspects of IS and Cybersecurity risk, providing challenge and solution/remediation design contributions.
  • Pro-actively encourage ‘good’ IS practice across the Bank, as embodied in ISO27001 and NIST.
  • Author IS policies and procedures. 

Background


This role sits within the Operational Risk Management (ORM) team, with ORM sitting within the wider Risk Management department. ORM is the ‘second line of defence’ within a three-lines-of-defence model. ORM consists of three pillars, of which IS and Personal Data Protection is one (OpRisk and the Internal Controls Framework (ICF) being the other two). ORM is responsible for managing key operational risks, including IS, and for ensuring these risks are identified, assessed and remediated effectively. This includes performing risk assessments and reporting the risks (and remediation plans) to the EBRD’s Risk and Executive Committees.


The IS element of ORM is the Bank’s second line of defence for information security, and is responsible for the independent identification, reporting and mitigation of IS-related operational risks. The Information Security Consultant supports the AD, Senior Risk Officer and the ORM Director in Bank-wide risk mitigation and provides support and advice to departments across the Bank, the MD Risk Management, the CRO and RiskCom.


Facts / Scale

  • Bank-wide – The scope covers all key areas of the Bank and all management levels; engagement with key stakeholders and departments including Information Technology (where they leverage IT resources - technical experts, project managers and application specialists), Legal, Compliance, Human Resources as well as key front-line business areas.
  • Building and maintaining relationships with key contacts Bank-wide and at all levels. Maintaining relationships with suppliers, external consultancies and consultants that provide specialist and BAU services to the Bank.
  • No direct reports, but will be required to manage external resources and staff (consultants, consultancies and suppliers) to deliver IS projects; can draw on the Senior Officer for some support.

Accountabilities & Responsibilities

  • Project manage elements of the Bank’s Business-As-Usual (BAU) activities including but not limited to: 
    • Cybersecurity Programme Assurance
    • Red and Purple Team Assessments
    • Social Engineering and Training and Awareness
    • Information Classification
    • Dark-Web and Disinformation
  • Perform detailed risk assessments of the Bank’s information assets and IT Facilities using industry accepted methodologies. 
  • Design and undertake risk assessments related to the Bank’s Cybersecurity Resilience Programme.
  • Be familiar with security frameworks, compliance requirements and security operations.
  • Undertake Business Impact Assessments and Information Security risk assessments across the business, identifying risks, deficiencies, improvements and requirements in technical controls, together with regulatory, statutory and contractual compliance requirements.
  • Be accountable for compliance with regulatory, statutory and contractual Information Security requirements, against internationally recognised standards.
  • Track risk mitigation actions against risk mitigation plans; write and provide reports and analysis on ongoing risk mitigation; and maintain the InfoSec risk register.
  • Perform oversight of first-line (IT) remediation activities, assess the adequacy of that remediation and help to fill any gaps identified.
  • Develop and enhance the Bank’s InfoSec Framework. 
  • Develop and enhance the Bank’s InfoSec risk reporting.
  • Work with external security consultants and consultancies to deliver risk identification and remediation activities.
  • Work extensively and closely with the IT Department, in particular the IT Security team; the Consultant will therefore need knowledge of IT Security practices and technologies sufficient to discuss and address security/risk issues on a technical basis where required.


Knowledge, Skills, Experience & Qualifications

  • Bachelor's Degree (2:1 or equivalent)
  • Hold at least one industry recognised security qualification/accreditation (CISM, CISA, CISSP, ISO 27001 Lead Auditor/Implementer)
  • Knowledge of Information and IT Security Frameworks, in particular NIST and ISO27001
  • Excellent report writing, communication and presentation skills are a must
  • Ability to take technical information and present in risk and business language is a must
  • Good project management skills, ability to develop well thought out solutions and have strong relationship management skills are a must
  • Effective communication skills and the ability to influence, challenge and engage EBRD people at all levels are essential
  • Strong written and spoken communication skills in English language
  • Able to work autonomously
  • Good attention to detail and accuracy
  • Strong presentation skills
  • Ability to guide projects to apply appropriate security standards and policies
  • Working knowledge of technologies and tools to drive observability and infrastructure insight (monitoring / telemetry / logging)
  • Good technical knowledge of the following is desirable: secure email, cloud and network security, data leakage controls, identity and access management
  • Ethical hacking background is advantageous

What is it like to work at the EBRD?

Our agile and innovative approach is what makes life at the EBRD a unique experience! You will be part of a pioneering and diverse international organisation, and use your talents to make a real difference to people's lives and help shape the future of the regions we invest in. 

The EBRD environment provides you with:

  • Varied, stimulating and engaging work that gives you an opportunity to interact with a wide range of experts in the financial, political, public and private sectors across the regions we invest in;
  • A working culture that embraces inclusion and celebrates diversity;
  • An environment that places sustainability, equality and digital transformation at the heart of what we do.

Diversity is one of the Bank’s core values, which are at the heart of everything it does. A diverse workforce with the right knowledge and skills enables connection with our clients and brings pioneering ideas, energy and innovation. The EBRD staff is characterised by its rich diversity of nationalities, cultures and opinions, and we aim to sustain and build on this strength. As such, the EBRD seeks to ensure that everyone is treated with respect, given equal opportunities and works in an inclusive environment. The EBRD encourages all qualified candidates who are nationals of the EBRD member countries to apply regardless of their racial, ethnic, religious and cultural background, gender, sexual orientation or disabilities. As an inclusive employer, we promote flexible working and expect our employees to attend the office 50% of their working time.

Please note, that due to the high volume of applications received, we regret to inform you that we are unable to provide detailed feedback to candidates who have not been shortlisted (for further consideration).



