The Information Security team report to the Global Chief Information Security Officer (CISO). The team work with unified principles and processes around the world while maintaining regional stakeholder relationships. High standards are achieved by the adherence to international best practice principles (ISO 27001) and continual improvement methodologies.
The scope of the Information Security function includes all strategic security planning and control oversight to ensure effective risk mitigation takes place within the firm. In many cases, the operational running of security controls is the responsibility of IT Service Delivery teams or of departments such as HR, Facilities, Procurement and General Counsel. The Information Security team nonetheless remains responsible for the effectiveness of the overall control framework, and for ensuring that related risks are identified and incidents are managed.
The Head of Information Security is one of two ‘head of’ positions in the Information Security function at Norton Rose Fulbright: ‘Head of Information Security – Policy & Improvement’ and ‘Head of Information Security – Operations & Risk’. These roles are accountable for a number of CISO office functions, as detailed in the table at the end of this document. Reporting directly to the CISO, these senior roles are critical in defining and delivering the goals of the Information Security function.
The role has worldwide accountability for the delivery of effective outcomes within their functional area. The Head of Information Security is expected to be able to delegate appropriately and work towards achieving critical success measures for their accountable functions. The success of this role is dependent upon building a lasting alignment between information security provisions and business requirements. In particular, the role must take into consideration:
- The special requirements of the Firm with regard to client confidentiality, as well as regulatory requirements such as data protection.
- Achieving a balance between protecting the firm and ensuring that users can work effectively; being pragmatic but cognizant of risk.
The Head of Information Security is accountable for the successful delivery of their functional areas. Refer to the table at the end of this document for a description of each accountable functional area.
Successful delivery of a functional area’s activities is likely to include the following:
- Setting the vision and goals for the functions owned.
- Taking accountability for those goals and motivating others to meet them, including maintaining a roadmap and strategy for each functional activity.
- Providing proactive leadership to reduce Information Security risk, with a continual service improvement mind-set.
- Effective line management of the functional managers.
- Delivering Information Security change initiatives to time and budget, and in a way that meets defined business goals.
- Delivering Information Security activities directly aligned to the global Information Security strategy.
- Measuring effectiveness and trends through meaningful KPIs.
Further responsibilities include the active building and maintenance of in-region stakeholder relationships on behalf of the CISO. These stakeholders include the IT Leadership Team, General Counsel, Compliance, Risk, Procurement, HR, Facilities, the COO, and Managing Partners within the region. Responsibilities include:
- Actively manage regional stakeholders through frequent interactions and a deep understanding of the regional business landscape.
- Provide thought leadership, advice and assessments to regional stakeholders, both on request and proactively.
- Facilitate business outcomes by pragmatic application of risk-based judgement.
- Maintain subject matter expertise on regional legislation that has Information Security implications.
- Maintain ownership of, and ensure compliance with, the data protection and Information Security elements of the firm’s policies.
- Liaise with and seek advice from the Compliance and General Counsel teams as necessary to support decision-making processes.
Further to the functional and regional responsibilities, the Head of Information Security may be called upon to undertake other activities such as:
- Deputize for the CISO, where required.
- Chair and direct regular security forum meetings as requested by the CISO.
- Act as an evangelist for the CISO office, taking every opportunity to remind staff of the aims of Information Security at Norton Rose Fulbright.
- Remain current on the changing threat landscape, the impact upon the residual risk profile of the Firm and how the responding control framework should evolve.
- Maintain ISO 27001 aligned processes and controls.
- Provide incident response support as necessary from a leadership perspective.
- Undertake other reasonable duties as requested by the CISO.
Please note this job description does not cover or contain all activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities and activities may change at any time with or without notice.
Skills and Experience Required
Qualifications and Experience
- Education: an IT or Information Security qualification (including appropriate ISO 27001 qualifications) or 10+ years’ experience in a similar role.
- Substantial and successful leadership experience in large, matrixed and geographically dispersed global organisations where IT and Information Security have played a key role for the business.
- Demonstrable experience in setting and achieving goals for Information Security functions.
- Significant technical knowledge of various Information Security technologies and evidence of a continuous learning mind-set.
- A relevant industry certification, such as CISSP, CISM, CRISC or similar, is an advantage.
Leadership & Management Behavioral Competencies
- Results-oriented, outcome-driven leadership style.
- Ability to develop an end-state vision of ‘what good looks like’, setting goals, incremental targets and delivering results.
- Motivational, with presence and proven leadership and influencing skills.
- Outstanding interpersonal skills, with the ability to build long-lasting relationships with stakeholders up to executive level.
- Open, confident and persuasive, with excellent presentation and communication skills.
- Integrity and professionalism, with a consistent and uncompromising adherence to best practice.
- Strong stakeholder management skills, including the ability to communicate complex Information Security concepts in business language.
- Passionate and driven to exceed expectations and to deliver with integrity.