Chief, Information Security, Risk and Governance, P5, Fixed-term, post no. 18680, ICTD Digital Core, Valencia, Spain
UNICEF works in some of the world’s toughest places, to reach the world’s most disadvantaged children. To save their lives. To defend their rights. To help them fulfill their potential.
Across 190 countries and territories, we work for every child, everywhere, every day, to build a better world for everyone.
And we never give up.
For every child, a connected world.
The overarching strategic goal of UNICEF’s Information and Communication Technology Division (ICTD) is to transform and build partnerships with our stakeholders to successfully implement UNICEF programmes globally through innovative technology-enabled solutions.
How can you make a difference?
UNICEF is going through an exciting digital transformation that will influence the work of the entire organization. UNICEF is looking for dynamic, innovative leaders to drive the transformation and play a key role in shaping the way forward.
The Chief Information Security, Risk and Governance establishes and maintains the organizational Information and Cyber Security Framework within UNICEF. This role develops and maintains information and cyber security policies and standards, including establishing and administering a regular cyber security awareness program.
The incumbent will work closely with stakeholders to maintain a set of security standards and practices for the whole organization and provide risk management methodologies geared towards hybrid cloud application systems and supporting IT infrastructure components. This role will guide senior management on identified risks that may impact UNICEF's operational ability and image, and will stay abreast of industry standards and best practices related to information and cyber security risk. This includes ensuring information security governance within UNICEF and contributing to interagency governance forums together with other UN agencies.
This position reports to the Deputy Director, Strategy Risk and Governance and supervises a team of four international staff: Information Security Specialist, ICT Specialist, ICT Manager (Risk), and ICT Manager (Digital Information Governance).
Information Security Governance
• Leads and provides framework and secretariat for organizational governance of information security for UNICEF. This includes governance within the global ICT function, and with business divisions and offices worldwide. Represents UNICEF in interagency and industry governance forums.
• Chairs the UNICEF Computer Security Incident Response Team, manages the interaction between the incident response teams, impacted business divisions and the Chief Information Officer. Advises the Chief Information Officer on incident disclosure.
• Permanent member of the UNICEF Enterprise Architecture Council.
Security Strategy and Policies
• Develops and maintains UNICEF's global IT security strategy in collaboration with IT teams and business units across the organization, including recommendations on IT security policies, procedures, best practices and guidelines.
• Reviews and advises on policy compliance. Benchmarks corporate information security compliance against industry standards.
Design of Testing and Validation
• Partners with the platform, infrastructure and application teams to specify test design parameters (models, plans and concepts) to ensure tests adequately simulate system weaknesses, strengths and defend against adversaries.
• Advises ICT security operations unit on methods and practices to enhance the security operations as per evolving requirements and trends.
• Orchestrates on-demand or periodical information security risk assessments in accordance with organizational policy, industry best practices and regulatory requirements. Analyzes findings and provides recommendations.
Continuing Security Awareness
• Promotes awareness of IT security throughout the organization via training and advocacy initiatives.
• Advises business units and users of UNICEF's applications and networks on the implementation of security measures to their respective applications and services.
• Conducts seminars for end-users on security practices such as password retention, data backup and sharing to increase security awareness within the organization.
• Resolves security related calls escalated from the IT Help Desk. Maintains documentation for end-user security practices.
Risk Assessment and Management
• Performs risk assessments during the conceptual design and technical design stage of any IT application, infrastructure or system to establish appropriate controls.
• Provides strategic guidance and recommendations on appropriate risk management methodologies geared to the sensitivity, potential risks, vulnerabilities, and threats of any application system or IT infrastructure component. Develops and promotes global guidelines to perform security risk assessments covering the entire IT environment.
• Advises the organization on strategic risks arising from government regulation and policy and their impact on UN privileges and immunities.
Pragmatic Guidelines, Security Architecture and Standards
• Develops and maintains guidelines and standards for application and IT infrastructure security, including information security aspects of disaster recovery planning for emergency response, backup operations, and post-recovery.
• In partnership with the Platform and Service Delivery security and architectural teams, responds to security requirements both proactively and as per incidents. Participates in the development and exercises of disaster recovery plans globally.
• Defines the enterprise information security architecture. Validates infrastructure and application security architecture against the enterprise information security architecture. Participates in the identification of suitable security vendors (penetration testers, security software vendors and services etc.). Defines the protection profile for application interface integration including standards, approaches and monitoring.
Management of Agreements for IT Security Services
• Provides technical advice and participates in contract negotiations for the establishment of Long-Term Agreements and Service Level Agreements.
• Oversees contractor performance and monitors delivery on key performance indicators. Reviews and approves the technical quality of delivered work products.
• Monitors that task orders are performed within agreed cost and schedule and provides final acceptance of services delivered.
Leadership and People Management
• Strategically leads, supervises, develops, and empowers staff under supervision.
• Promotes a culture of performance management, providing timely guidance, feedback and support to the team.
• Monitors work progress and ensures results are achieved according to schedule and performance standards.
• Promotes a team environment of staff well-being, accessibility and inclusion.
• Develops sectional work plan and targets based on strategic division and organizational priorities.
Any other duties as assigned by the ICTD Director, Chief Information Officer.
To qualify as a champion for every child you will have…
Academic Degrees and Certifications Required:
• An advanced university degree (Master’s or higher) in software engineering, information systems management, or a related field. A first University Degree (Bachelor’s Degree or equivalent) in a relevant field combined with 2 additional years of professional experience may be accepted in lieu of an advanced university Degree.
• Specialized training is required in:
  - Theoretical foundations of computer science with practical applications of cloud technologies, software, database, network, and system development
  - IT security and risk analysis, fundamentals of operating systems, database and network technology
• Desirable certifications include PMI/Prince2, ISC2 CISSP/CCSP (very desirable), Microsoft Azure Security, and AWS Security
A minimum of 10 years of relevant professional working experience is required with exposure to:
• Information security governance at the global or regional level
• Strategic planning and design for security of distributed hybrid cloud IT systems and networks
• Internet architecture and applications, web-based applications and systems, groupware, and client/server computing
• Network operating systems and protocols, database, transactional applications, security tools and technological innovations in IT products and services
• Modern IT operating models and enterprise architecture
• Foundational elements in data and information privacy regulation
• PCI and payment security regulations
• Finance and budget management
• Political and diplomatic negotiations with authorities
• Information security across all layers of the IT stack: In addition to traditional applications, databases, operating systems, hardware and networks, the incumbent must have deep knowledge of hybrid cloud, big data, modern open source and cloud native stacks. Exposure to encryption techniques, and strong hands-on exposure to vulnerability testing of applications and systems.
Other Skills and Qualifications:
• Proven business partnership skills and strong ability to network and influence at high level with stakeholders are required.
• High level of integrity and leadership skills are required.
• Fluency in English is required. Knowledge of another official UN language (Arabic, Chinese, French, Russian or Spanish) is an asset.
For every Child, you demonstrate…
UNICEF's values of Care, Respect, Integrity, Trust, and Accountability (CRITA) and the core competencies as follows:
• Builds and maintains partnerships
• Demonstrates self-awareness and ethical awareness
• Drive to achieve results for impact
• Innovates and embraces change
• Manages ambiguity and complexity
• Thinks and acts strategically
• Works collaboratively with others
• Nurtures, leads and manages people
UNICEF is committed to achieving gender balance at the P5 level by end of 2021 and will prioritize eligible and suitable female candidates. Qualified female candidates are strongly encouraged to apply.
UNICEF is committed to diversity and inclusion within its workforce, and encourages all candidates, irrespective of gender, nationality, religious and ethnic backgrounds, including persons living with disabilities, to apply to become a part of the organization.
Mobility is a condition of international professional employment with UNICEF and an underlying premise of the international civil service.
UNICEF has a zero-tolerance policy on conduct that is incompatible with the aims and objectives of the United Nations and UNICEF, including sexual exploitation and abuse, sexual harassment, abuse of authority and discrimination. UNICEF also adheres to strict child safeguarding principles. All selected candidates will, therefore, undergo rigorous reference and background checks, and will be expected to adhere to these standards and principles.
UNICEF only considers higher educational qualifications obtained from an institution accredited/recognized in the World Higher Education Database (WHED), a list updated by the International Association of Universities (IAU) / United Nations Educational, Scientific and Cultural Organization (UNESCO). The list can be accessed at http://www.whed.net/
This is a re-advertisement. Candidates who previously applied do not need to re-apply and will be included for consideration.
Only shortlisted candidates will be contacted and advance to the next stage of the selection process.