Chief Information Security Officer

Reports to (role)

• CIO

What we do

The International Committee of the Red Cross (ICRC) works worldwide to provide protection and humanitarian assistance to people affected by conflict and armed violence. We take action in response to emergencies and, at the same time, promote respect for international humanitarian law. We are an independent and neutral organization, and our mandate stems essentially from the Geneva Conventions of 1949. We work closely with National Red Cross and Red Crescent Societies and with their International Federation in order to ensure a concerted, rational and rapid humanitarian response to the needs of the victims of armed conflict or any other situation of internal violence. We direct and coordinate the international activities conducted in these situations.

Purpose of the position

The CISO is responsible for implementing and running the enterprise information security program. This involves identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing ICRC’s objectives.

The CISO is responsible for establishing and maintaining the information security program to ensure that information assets and associated technologies, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate. A key element of the CISO's role is working with executive management to determine acceptable levels of risk for the organization. CISO proactively implements practices that meet agreed-upon policies and standards for information security. The CISO understands and articulates the impact of cybersecurity on the ICRC, and communicates this to the Directorate and other senior stakeholders.

The CISO is knowledgeable about both internal and external environments, and ensures that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory and contractual obligations. The CISO serves as the process owner of the appropriate second-line assurance activities not only related to confidentiality, integrity and availability, but also to the safety, privacy and recovery of information owned or processed by the metier in compliance with regulatory requirements. Understands that securing information assets and associated technologies, applications, systems and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter.

The ideal candidate is a thought leader, a builder of consensus and of bridges between metier and technology.  CISO is the integrator of people, process and technology. While the CISO is the leader of the information security program, the candidate must be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that cybersecurity is foundational for the organization to deliver on its goals and objectives. Ultimately, the CISO is a “business” leader

Main duties and responsibilities (1/5)

Establishes governance and builds knowledge

• Facilitates an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board
• Provides regular reporting on the current status of the information security program to enterprise risk teams, senior metier leaders and the assembly as part of a strategic enterprise risk management program, thus supporting ICRC’s outcomes
• Develops, socializes and coordinates approval and implementation of security policies
• Directs the creation of a targeted information security awareness training program for all employees, contractors and approved system users, and establishes metrics to measure the effectiveness of this security training program for the different audiences
• Understands and interacts with related disciplines, either directly or through committees, to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management
• Provides clear risk mitigating directives for projects with components in IT, including the mandatory application of controls
• Embeds Cyber Judgement across a decentralized or distributed decision making model
• Leads the security champion program to mobilize employees in all locations

Main duties and responsibilities (2/5)

Leads the Organization

• Leads the information security function across the ICRC to ensure consistent and high-quality information security management in support of the ICRC goals
• Determines the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas
• Manages the budget for the information security function, monitoring and reporting discrepancies
• Manages the cost-efficient information security organization, consisting of direct reports and dotted line reports 

Sets the Strategy

• Develops an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's objectives, and ensures senior stakeholder buy-in and mandate
• Develops, implements and monitors a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled or/and processed by the organization
• Assists with the identification of non-IT managed IT services in use ("shadow IT") and facilitates a corporate IT onboarding program to bring these services into the scope of the IT function, and apply standard controls and rigor to these services; where this is not possible, ensures that risk is reduced to the appropriate levels and ownership of this information security risk is clear
• Works effectively with metier to facilitate information security risk assessment and risk management processes, and empowers them to own and accept the level of risk they deem appropriate for their specific risk appetite

Main duties and responsibilities (3/5)

Develops the Frameworks

• Develops and enhances an up-to-date information security management framework based on the NIST framework
• Creates and manages a unified and flexible, risk-based control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations
• Develops and maintains a document framework of continuously up-to-date information security policies, standards and guidelines. Oversees the approval and publication of these information security policies and practices
• Creates a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets
• Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitates appropriate resource allocation, and increases the maturity of the information security, and reviews it with stakeholders at the executive and board levels

Main duties and responsibilities (4/5)

Operates the Function

• Manages the Security Operation Center
• Creates a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties
• Works with the compliance staff to ensure that all information owned, collected or controlled by or on behalf of the ICRC is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy
• Collaborates and liaises with the data protection team to ensure that data privacy requirements are included where applicable
• Defines and facilitates the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings
• Ensures that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines

• Oversees technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk
• Manages and contains information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the ICRC’s reputation

Main duties and responsibilities (5/5)

• Monitors the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action
• Develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary metier processes may be outside the corporate perimeter
• Coordinates the development of implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas
• Facilitates and supports the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem

People Management Responsibilities

• Yes

Scope and Impact

• Strategic impact: drafts and follows up on T&I policies, strategies, priorities and planning at the global level.
• Is responsible for cyber security across the entire organization.
• Geographical remit: global.

Relationships

• Internally, reports to and participates in various risk and information-security decision-making bodies. May be called on to advise the Directorate. Has regular contact with most T&I managers both at headquarters and in the field.
• Externally, represents the ICRC’s cyber security apparatus to T&I service-providers and organizations working in information security.

Education and certifications required

• Demonstrated experience and success in senior leadership roles in risk management, information security, and IT or OT security
• Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials is an asset
• Degree in business administration or a technology-related field,
• Excellent command of English, French is an asset

Experience required

Technical and Business Experience

• The CISO position requires a visionary leader with sound knowledge of business management and a working knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem. 
• Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework
• Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
• Up-to-date knowledge of methodologies and trends in both business and IT

Additional information

• Location: Geneva
• Type of role: Open Ended Contract
• Duration of assignment: 6 years
• Activity rate: 100%
• Estimated start date: ASAP
• Application deadline: 18/12/2022

The ICRC values diversity and is committed to creating an inclusive working environment. We welcome applications from all qualified candidates.