The role of Head of IS Security is to enable The company to manage its security effectively by providing strategic direction, functional leadership and oversight across The company. In addition, the role provides in-depth technical security expertise, support and advice in the delivery of cost-effective IS security risk management to defined service levels, ensuring compliance with IS Security policies and standards across The company, including legislative requirements (such as data protection and software copyright law), regulatory requirements (such as the Gambling Commission) and commercial obligations (such as PCI DSS).
Security and Risk Strategy, Policies and Procedures
- Ensure adherence to all applicable legislation as well as The company IS Security policy and principles, including Gambling Commission requirements and PCI DSS.
- Direct the development and communication of The company strategic direction for security.
- Set the Information Security and Risk Policy and supporting guidelines to meet legal, regulatory and business needs
- Direct an effective research programme to ensure The company is kept abreast of technology, business and regulatory developments to the benefit of The company
- Develop, own and enforce compliance with the Security policies (covering applications, data, hardware and networks)
- Ensure the alignment and integration of security management with The company business strategies and requirements
- Manage threat assessment and security control reviews, business risk assessments, and reviews that follow significant breaches of security controls
- Establish and manage an incident response service to contain, investigate and prevent future breaches
- Ensure adherence to all of The company policies and guidance, including legislative requirements (such as data protection and software copyright law), regulatory requirements (such as the Gambling Commission) and commercial obligations (such as PCI DSS)
- Lead awareness and training initiatives relating to security throughout the department
- Ensure the integrity of systems through provision of appropriate services (e.g. penetration testing)
- Ensure the availability of services through appropriate controls, monitoring and response, for example to intrusion attempts and denial of service attacks
- Ensure that systems are monitored daily for anomalous activity
- Maintain awareness of new security technologies, legislation and standards, and of emerging risks and vulnerabilities
- Lead the resolution of Internal Audit actions
Customer Service and Relations
- Work with the executives to stay aware of business needs and concerns at all times
- Work with the IS Procurement Manager to maintain relations with vendors and keep them informed of, and involved in, future IS Security strategies
- Maintain currency in the latest security trends
- Stay constantly aware of the status of technology risk and deliver regular security reports to management
- Provide technical specialist advice on request and support key customers, ensuring that security standards and requirements are understood and complied with
- Establish a board-level reporting structure to report on-going progress of security and risk delivery
- Communicate and enforce applicable security principles and procedures across The company; create and disseminate security best practices through management teams and ensure that users are informed of security policies
- Work with Audit to ensure security risks are managed and that a target operating model is defined, with a roadmap for reaching it
- Working with Internal Audit, conduct and manage regular security audits of systems to ensure continued system integrity
- Work with the Head of IS Architecture to define the security policies that systems must adhere to and establish the required level of certification (e.g. internet-facing applications certified to BS7799, the standard since superseded by ISO/IEC 27001)
- Direct the work of all IS security specialist staff, including project and task definition and prioritisation and quality management
- Work with the Head of IS Services to put in place the policies and procedures needed to operate appropriate security controls as a service to business system users (e.g. password and user account integrity)
- Support the Head of IS Services and The company business colleagues to define appropriate Service Level Agreements that include details of the information security requirements in measurable terms and specify how they will be verifiably achieved
- Work with IS Operations staff to define Operational level agreements (OLAs), which provide detailed descriptions of how information security services will be provided
Operational Budgeting and Reporting
- Understand the budgeting and cost elements of the security framework and the detailed breakdown of its components
- Develop a quarterly forecast as required to ensure future requirements are catered for
People Management, Team Leadership and Development
- Create team spirit and ensure morale is maintained at high levels through effective communication
- Ensure that the team and individuals all have a clear understanding of their roles and responsibilities, of the wider business priorities, and of how their activities fit into the wider business goals
- Manage resources to ensure optimal utilisation
- Policy and standards are in place for all platforms where risk levels are high or distributed administration is prevalent
- Mechanisms are in place for identifying security failures
- Security review and approval is a standard part of the Project Framework
- Objectives and targets for security management are set, recorded and reviewed on a regular basis
- Reports and notifications of security incidents and control status are circulated on a regular basis
- SLAs and OLAs are monitored and The company IS Senior Management receive regular reports on the effectiveness and status of provided services
Qualifications, skills & experience
- Exceptional experience in the eCommerce security sphere is required; likely an acknowledged leader in the field
- A strong customer focus, recognising internal and external customers and establishing effective relationships; aware of how the external market affects the business and service
- Strong communication (verbal/written) and influencing skills, with an ability to manage internal and external relationships up to senior levels of management
- Effective team building skills to encourage positive team environment
- Proven track record and ability in leading technical staff, using wide-ranging skills (including planning, organising and interpersonal skills)
- Likely to have gained significant practical experience in IS, IS Security or equivalent areas including some years at a Senior Security or Risk Analyst level (or equivalent)
- A strong technical knowledge and appreciation of IS / IS Security principles including regulatory, legislative and industry practices gained through practical experience and/or professional qualification(s)
- Proven track record in analysing complex technical situations, articulating technical security issues and associated risks, making recommendations, influencing outcomes, decision making and ensuring successful delivery
- Technical knowledge and working application of most computer, database, application, Internet, network and communication technologies employed across The company, in sufficient depth and breadth to deliver the services (as detailed in the principal accountabilities section) for multiple, complex environments and projects
- Direct experience of the ITIL Information Security Management process and ISO/IEC 27001
- Security certifications: CISSP, CISA, CISM, GIAC
- Technical certifications: CCSP, CCSA, CCSE, CEH
- ITIL certification or experience of working within an ITIL-oriented organisation
- Security project management experience
- Good knowledge of server and desktop systems
- Holds a degree in an IT discipline