
Senior Manager, IT Security

Geneva (Switzerland)

  • Organization: Gavi, Vaccine Alliance
  • Location: Geneva (Switzerland)
  • Grade: CS4 - Career Step 4 - Professional - Both internationally and locally recruited position - Senior level
  • Occupational Groups:
    • Security and Safety
    • Managerial positions
    • Information Technology and Computer Science
  • Closing Date: 2021-09-30


We are committed to fostering a just, equitable and diverse culture free from racism and discrimination in which all staff, partners and stakeholders feel empowered, safe and heard.

Gavi, the Vaccine Alliance is a public-private partnership committed to saving children's lives and protecting people's health by increasing equitable use of vaccines in lower-income countries. The Vaccine Alliance brings together implementing-country and donor governments, the World Health Organization, UNICEF, the World Bank, the vaccine industry, technical agencies, civil society, the Bill & Melinda Gates Foundation and other private sector partners. Gavi uses innovative finance mechanisms, including co-financing by recipient countries, to secure sustainable funding and an adequate supply of quality vaccines. Since 2000, Gavi has contributed to the immunisation of more than 822 million children and the prevention of more than 14 million future deaths.


This role is responsible for developing and implementing information security and business continuity programmes, including the policies, procedures and controls that protect IT systems and platforms, enterprise communications and assets from internal and external threats, with a strong focus on process, control efficiency and risk management. The role acts as the subject matter expert on security and risk, translates risk mitigation and business continuity requirements into controls, and develops metrics for ongoing security performance measurement and reporting. It also coordinates internal and external IT audits and ensures that risk mitigation is in place and reported on.

Key Success Metrics
•    50% of the metrics for this position will be based on Gavi's security operations, for example the number of security breaches;
•    20% of the success will be based on the successful implementation of the Gavi Business Continuity and IT Security policy, procedures and controls;
•    20% of the success will be measured by updates to the IT Risk register and implementation of risk mitigation plans;
•    10% of the success will be based on the timely response to internal and external audits.

Main Duties and Responsibilities
•    Is part of the security team led by Gavi's Chief Information Security Officer; leads the security team in developing a security programme and security projects that address identified risks and business security requirements;
•    Manages the process of gathering, analysing and assessing the current and future threat landscape, and provides management with a realistic overview of the risks and threats in the organisation's environment;
•    Tracks developments and changes in the digital business and threat environments to ensure that they are adequately addressed in security strategy plans and architecture artifacts;
•    Manages the day-to-day activities of threat and vulnerability management; identifies risk tolerances, recommends treatment plans and communicates information about residual risk;
•    Defines baseline security configuration standards for operating systems (e.g. OS hardening), network segmentation and identity and access management (IAM);
•    Develops standards and practices for data encryption and tokenisation in the organisation, based on the organisation's data classification criteria;
•    Develops and maintains a security architecture process that enables the organisation to develop and implement security solutions and capabilities that are clearly aligned with business, technology and threat drivers;
•    Conducts or facilitates threat modelling of services and applications, tied to the risk and data associated with each service or application;
•    Establishes a taxonomy of indicators of compromise (IOCs) and shares it with the security operations centre (SOC) and the infrastructure team;
•    Validates IT infrastructure and other reference architectures against security best practices and recommends changes to enhance security and reduce risk where applicable;
•    Validates security configurations of, and access to, security infrastructure tools, including firewalls, IPSs, WAFs and anti-malware/endpoint protection systems;
•    Ensures a complete, accurate and valid inventory of all systems, infrastructure and applications that should be logged by the security information and event management (SIEM) or log management tool;
•    Ensures that audit trails, system logs and other monitoring data sources are reviewed periodically and comply with policies and audit requirements;
•    Coordinates with DevOps teams to advocate secure coding practices and to escalate concerns related to poor coding practices;
•    Designs, coordinates and oversees security testing procedures to verify the security of systems, networks and applications, and manages the remediation of identified risks;
•    Provides security communication, awareness and training for audiences ranging from senior leaders to staff;
•    Leads the handling of security issues and incidents, and participates in problem and change management forums;
•    Works with stakeholders to identify information asset owners who classify data and systems as part of a control framework implementation;
•    Provides support and guidance for legal and regulatory compliance efforts, including audit support;
•    Manages security projects and provides expert guidance on security matters for other IT projects;
•    Assists and guides the disaster recovery planning team in selecting recovery strategies and in developing, testing and maintaining disaster recovery plans;
•    Works with the CISO and IT and business stakeholders to define metrics and reporting strategies that effectively communicate the successes and progress of the security programme.

Note: The essential functions listed in this section are not exhaustive of the job responsibilities; other duties may be assigned consistent with the department's needs.

Requirements and Qualifications
•    Excellent knowledge of key infrastructure domains, including networking, cloud platforms, directory management, data centres and data management systems;
•    Experience with common information security management frameworks, such as the International Organization for Standardization (ISO) 2700x series, the IT Infrastructure Library (ITIL) and Control Objectives for Information and Related Technologies (COBIT);
•    Knowledge of and experience in developing and documenting security architecture and plans, including strategic, tactical and project plans;
•    Expertise in cloud security and in solutions such as SAP, Salesforce, Azure, Office 365 (O365) and Snow, including expertise in security configuration for Azure and O365;
•    Ability to build excellent relationships at all levels and across all business units and organisations, and to understand business imperatives;
•    An excellent understanding of the business impact of security tools, technologies and policies;
•    Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with the IT organisation, project and application development teams, management and business personnel;
•    In-depth knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls; an excellent understanding of information security concepts, protocols, industry best practices and strategies;

•    A minimum of 8 years of IT experience, with 5 years in an information security role and at least two years in a supervisory capacity;
•    Direct, hands-on experience with, or an excellent working knowledge of, managing security infrastructure, e.g. firewalls, intrusion prevention systems (IPSs), web application firewalls (WAFs), endpoint protection, SIEM and log management technology;
•    Verifiable experience reviewing application code for security vulnerabilities;
•    Direct, hands-on experience with, or an excellent working knowledge of, vulnerability management tools;
•    Documented experience with, and an excellent working knowledge of, the methodologies used to conduct threat-modelling exercises on new applications and services;
•    Experience designing the deployment of applications and infrastructure into public cloud services;
•    Demonstrated experience in investigating security incidents is necessary;
•    Demonstrated experience in responding to audits is key.
•    Communications:
  1.     Ability to explain complex technology concepts;
  2.     Treating all individuals with fairness and respect;
  3.     Demonstrating sensitivity for diversity and cultural differences;
  4.     Showing great drive and commitment to the organisation's mission;
  5.     Maintaining high standards of personal integrity.
•    Client Orientation:
  1.     Understands clients' needs and concerns;
  2.     Responds promptly and effectively to client needs.
•    Drive for Results:
  1.     Makes things happen;
  2.     Execution and delivery oriented; meets deadlines;
  3.     Commits to organisational goals.
•    Teamwork:
  1.     Collaborates with others in own unit;
  2.     Works effectively with individuals of different cultures and genders;
  3.     Willing to seek help as needed. Escalates quickly and appropriately to resolve issues.
•    Learning, change and knowledge sharing:
  1.     Open to new ideas;
  2.     Shares own knowledge; applies knowledge in daily work;
  3.     Acts as a change champion in support of organisational change efforts.
•    Analytical Thinking and Decisive Judgment:
  1.     Proactively identifies obstacles and resolves prior to becoming issues;
  2.     Analyses issues and problems systematically.
•    Fluent English is required;
•    Other languages desirable, particularly French.
•    Bachelor’s degree in information security, computer science or related field; advanced degree preferred;
•    Certification in information security and audit;
•    Certification in, or deep knowledge of, the following regulations, standards and frameworks: ISO 27001, NIST, GDPR, ITIL and TOGAF;
•    Certification in business continuity is a plus.
•    Gavi Secretariat;
•    Gavi Audit and Risk teams;
•    KMTS Service Providers;
•    Gavi partners.
If you wish to apply, please provide a cover letter and resume through our Careers webpage and apply by clicking on “Senior Manager, Information Security”. Deadline for applications is 30 September 2021.

Become part of our community and join us on Facebook and Twitter for updates about our mission to save children’s lives! You can also follow our hashtag #vaccineswork.