The Information & Cyber Security Manager GRC (Governance, Risk and Compliance) is responsible for establishing and maintaining SGRE's overall IT risk & compliance management program.
The individual in this position is responsible for identifying, evaluating and reporting on IT & information security risks in a manner that meets SGRE's regulatory and other compliance requirements.
Works proactively with the various business units and other internal departments and external organizations to implement practices that meet SGRE's defined policies and standards for information risk management.
Is responsible for IT-related risk & compliance assessment and identification activities over the company's IT systems and information assets and for its IT-dependent strategic business objectives.
Member of the Information & Cyber Security group (IT CYB), will report directly to the Head of the area.
Will manage a team of Information & Security Professionals
Contacts (internal and external)
Areas of responsibility / Tasks
Manage all the risk & compliance-related activities of SGRE’s IT organization, including budgeting, planning, testing, reporting and recommending appropriate remediation measures.
Manage oversight and monitoring of risk mitigation and coordination of policy and controls to ensure that other managers are taking effective remediation steps.
Create, disseminate and (as required) update documentation of SGRE’s matrix of identified IT risks and controls. Act as risk & compliance management liaison with all levels of the IT organization and with the lines of business and other internal departments and organizations.
Benchmark the risk management practices of other companies, particularly those in related industries or with similar business models; maintain an up-to-date understanding of industry best practices, and monitor the legal and regulatory environment for developments that could require changes to SGRE’s established IT policies and practices.
Design, support and conduct risk assessments for information and IT assets, IT processes and IT-related third parties. Coordinate information security and IT risk management projects with personnel from the IT organization, lines of business, and other internal departments and organizations.
Review risk assessments, analyze the effectiveness of SGRE's IT control activities and report on them with actionable recommendations to the required stakeholders.
Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments, and internal and external audits to ensure that appropriate remediation measures have been taken.
Manage a staff of information security professionals, train new staff, conduct performance reviews, and provide leadership and coaching, including technical and personal development programs for team members.
Develop a strong working relationship within the GRC team to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements.
In-depth understanding of strategic business risks. Ability to develop a comprehensive understanding of SGRE's business, market and industry and relate that knowledge to identified operations- and IT-related risks. Knowledge necessary to propose relevant IT responses to changing business risks and regulatory changes.
Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with the IT organization, project and application development teams, management and business personnel;
in-depth knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls;
an excellent understanding of information security concepts, protocols, industry best practices and strategies.
Proficiency in performing risk, business impact, control and vulnerability assessments, and in defining treatment strategies.
Experience with common information security management frameworks, such as International Standards Organization (ISO) 2700x, the IT Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (COBIT) frameworks.
Essentials (Today and in future)
A minimum of six years of IT and information & cyber security related experience and at least two years in a supervisory capacity
A bachelor's degree in information systems or equivalent work experience; an M.B.A. or M.S. in information & cyber security is preferred
Tertiary qualifications in information or IT security, or industry qualifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) or equivalents in relation to the position (e.g. CRISC, CGEIT, CISA, ...)
Language skills: English fluent (spoken, written) and Spanish as a minimum
Project / Process:
Strong multi-project management, time management and organizational skills
Proven ability to build relationships and influence individuals at all levels in a matrixed environment, as well as external vendors and service providers, to ensure that segregation and overlapping roles are identified and coordinated
Strong intellectual and analytical skills, able to sort complex data
Systematic, structured and goal oriented work style
Excellent written and oral communication ability
Proficient in working in a fast-paced, complex, dynamic, multicultural business environment
Unquestionable integrity, objectivity, and independence.
Driving licence and own vehicle
Location in Zamudio
Open to international travel