Riyad Bank
Saudi Arabia
Posted 2026/04/15 09:04:04
Expires 2026-05-15
Reference number: JB1100082187
New
Job Description
Strategy
- Contributes to the development of department strategy and ensures translation and alignment during the development and monitoring of section strategy including objectives, targets and initiatives
Policies, Processes & Procedures
- Recommends improvements to departmental policy and directs the implementation of procedures and controls covering all areas of the section’s activity so that all relevant procedural/legislative requirements are fulfilled while delivering a quality, cost-effective service to customers
Budget
- Prepares and recommends the section’s budget by preparing analysis and data related to specific elements as directed
- Monitors the financial performance of the section against budgets so that areas of unsatisfactory performance are identified and rectified promptly and potential performance improvement opportunities are capitalized upon
Day-to-day operations
- Supervises the day-to-day operations of the Section to ensure that work processes are implemented as designed and comply with established policies, processes and procedures
- Creates necessary documents and seeks necessary management approvals for financials, projects, and other issues.
Cyber Security Risk Management
- Ability to work with the organization's leadership to develop a risk management strategy to address cybersecurity related risks including a determination of risk tolerance.
- Support the Chief Information Security Officer (CISO) in the formulation of cybersecurity policies.
- Identify and assign individuals to specific roles associated with the execution of the Risk Management Framework.
- Assist in designing cybersecurity risk management functions, and related cyber security area as required.
- Design and develop key cybersecurity risk management functions and related cyber security area as required
- Promote and demonstrate the value of cybersecurity and cyber risk management to stakeholders within an organization.
- Ensure that cybersecurity risk management improvement actions are evaluated, implemented and reviewed as required.
- Ensure that organizational situational awareness is maintained from a cybersecurity risk perspective.
- Ensure that information relating to the organization's cybersecurity risk is appropriately managed, evaluated and shared to higher management and relevant stakeholders.
- Participate in the development or modification of cybersecurity program plans, policy, standards, framework and related documentation and process requirements.
- Ensure that appropriate reporting is provided to senior management as necessary, including the status of cyber risk posture in relation to the defined cyber security risk appetite.
- Ensure that appropriate resources are allocated to meet the organization's cybersecurity risk management requirements.
- Use internationally available standard and best practices relating to cybersecurity risk management implementation to inform and enhance organizational documentation.
- Brief senior management on developments and trends in cybersecurity risk and threat posture.
- Brief senior management on cybersecurity controls required to protect, mitigate and remediate the organization’s cyber security risks.
- Report findings, risks and new threat vectors from international cybersecurity events, research and news to senior management as applicable to the Riyad Bank environment.
- Communicate relevant changes in the organization's cybersecurity posture to senior management on a frequent basis.
- Ensure that cybersecurity risk management careers are managed in accordance with organizational HR policies and regulatory directives.
- Establish and collect metrics to monitor and validate cybersecurity risk management workforce capacity, capability and readiness.
- Establish cyber risk management career paths to allow career progression, development and growth within and between cyber risk career fields.
- Plan non-classroom educational techniques and formats to ensure continuous knowledge sharing across cyber security fields and cyber security risk management.
- Provide cybersecurity guidance to leadership in relation to cyber security risk posture, threats targeting the organization and best risk mitigation strategies.
- Ability to effectively communicate insights relating to an organization’s cyber risk and threat environment to improve its risk management posture.
- Directs and prioritizes the activities of the cyber risk management taking into consideration the security risks that the organization is facing, so as to fully protect the banking operations from potential security breaches
- Guides the team in effectively identifying cyber security issues, concerns, gaps, threats and vulnerabilities in the current environment in order to ensure a high level of security for the existing technology, people and process.
- Investigates the effectiveness of the current security risk management program, taking into consideration external and internal subject matter experts, and implements the recommended enhancements to meet regulatory requirements, best practices and Riyad Bank policy.
- Identifies information security risks, issues, concerns, threats and vulnerabilities in the current environment and ensures the implementation of remediation tasks per security policies across the Bank
- Leads the assessment and analysis of cyber security risk management across people, process and technology for the evaluation and identification of the potential cyber security risks that may be faced.
- Analyzes and introduces solutions or controls that would enhance the overall cyber security risk posture of Riyad Bank, according to the results of the Cyber Security related assessments.
- Keeps abreast of market trends and best practices to identify and propose Cyber Security solutions that will enhance the protection of the bank’s operation from potential security breaches or compromise
- Assesses the effectiveness of current cyber security risk processes and recommends specific security solutions to treat or mitigate the threats and vulnerabilities.
- Establishes adequate and effective Risk lines of communication with the relevant areas such as risk management and compliance as well as with external parties such as regulators.
Continuous Improvement
- Stimulates subordinates and contributes to the identification of opportunities for continuous improvement of systems, processes and practices considering ‘international best practice’, improvement of business processes, cost reduction and productivity improvement
Change Management
- Leads and directs the management of change through continuous improvement of division systems, processes and practices considering ‘international best practice’, changes in international standards and changes in the business environment which demand proactive action plans
Reporting
- Prepares timely and accurate management reports to meet the bank and department requirements, policies and standards
Committees and Meetings
- Represents the function and actively contributes in various committees/meetings (internal and external) as applicable and per authority levels in order to ensure relevant matters are dealt with in a timely and efficient manner
People Management
- Ensures all staff have clear objectives, regular performance feedback sessions, formal annual appraisals, and individual development plans, with particular emphasis on the development of talented Saudi national staff
- Ensures and facilitates the employment, training and development of staff within the section
Safety, Quality & Environment
- Ensures compliance to all relevant safety, quality and environmental management policies, procedures and controls across the department in order to guarantee employee safety, legislative compliance and a responsible environmental attitude
Related Assignments
- Performs other related duties or assignments as directed within the confinement of the departmental roles and responsibilities.
Skills
- Knowledge of the organization's cybersecurity risk management processes, procedures and understanding of cybersecurity risk assessment methodologies, authorization processes and risk mitigation strategies.
- Knowledge of business practices within organizations, understanding of the organization's core business processes and how cybersecurity affects them.
- Knowledge of cybersecurity policies, procedures and regulations, key security management concepts and legislation, regulations and other standards applicable to the organisation's cybersecurity programme.
- Knowledge of vulnerabilities in applications and systems and their likelihood of being impacted by a cyber security event, cybersecurity defense and vulnerability assessment tools and their capabilities within the IT environment, sources of information relating to the identification and effective treatment of vulnerabilities, cyber threat intelligence sources and their respective capabilities, system and application security threats and vulnerabilities.
- Knowledge of cybersecurity communication methods, principles and concepts that support the network infrastructure, in addition to evolving and emerging communications technologies and their implications for cybersecurity, network attacks and their relationship to threats and vulnerabilities and the risks wireless networks pose for an organization's cybersecurity.
- Knowledge of encryption algorithms, their relative strengths and weaknesses and appropriate selection criteria.
- Knowledge of security system design tools, methods and techniques and policy-based and risk adaptive access controls, countermeasure design for identified security risks.
- Knowledge of cybersecurity operations concepts, terminology, principles, limitations and effects, incident categories, incident responses and timelines for responses.
- Knowledge of IT security principles and methods, best practice of IT risk management and methodologies, best practice of auditing and logging procedures, identification and reporting processes, best practice of analysis principles and methods, usage and applicability of root cause analysis techniques.
- Knowledge of different types of cyber attackers, different classes of cyberattacks, stages, their capabilities and objectives, attack methods and techniques, and their likelihood of causing operational impact on the organization as a result of cybersecurity breaches.
- Knowledge of the organization's cybersecurity data classification requirements, data classification standards and methodologies as they relate to the management of cybersecurity risk and data security standards relating to personally identifiable information.
- Knowledge of confidentiality, integrity and availability principles and requirements.
- Knowledge of the principal methods, procedures and techniques for gathering, producing, reporting and sharing cybersecurity information.
- Knowledge of an organization’s threat environment, current and emerging cybersecurity threats and threat vectors, effective risk and threat assessment methods, risk scoring as part of a risk management process, use of cyber threat intelligence to inform the organization's cybersecurity planning and operations, the global social dynamics of the different cyber threat types, incorporating threat actors relevant to the organization, utilization of threat intel sources to understand the attack surface and information available about the organization.
- Knowledge of the organization's evaluation and validation requirements in relation to cybersecurity risk management.
- Knowledge of the capabilities, functionality and cybersecurity risks associated with content creation technologies, collaborative technologies and their implications for cybersecurity.
- Knowledge of relevant cybersecurity aspects of legislative and regulatory requirements, relating to ethics and privacy.
- Knowledge and understanding of new technologies and solutions from a cybersecurity perspective.
- Knowledge of supply chain risk management standards, processes and practices from a cybersecurity perspective and best practices for supply chain risk management.
- Knowledge of Payment Card Industry Data Security Standards (PCI-DSS).
- Knowledge of secure software deployment methodologies, tools and practices.
- Knowledge of the organization's formats for management and compliance reporting relating to cybersecurity risks, readiness and progress against plans.
- Knowledge of crisis management protocols, processes and techniques relevant to the organization's cybersecurity.
- Knowledge of systems testing and evaluation methods, cybersecurity vulnerabilities across a range of industry standard technologies, software integration or testing, including analysing and implementing test plans and scripts.
- Knowledge of the full spectrum of defensive and offensive cybersecurity capabilities, covert communication techniques, fundamental cyber operations concepts, terminology/lexicon (i.e., environment preparation, cyber-attack, cyber defence), principles, capabilities, limitations, and effects.
- Knowledge of penetration testing and red teaming principles, tools and techniques, hacking methodologies, emerging technologies and their potential for exploitation, penetration testing principles, techniques and best practice for penetrating applications.
- Knowledge of best practice program management and project management principles and techniques.
- Knowledge of different learning assessment, test and evaluation techniques and how and when to use them.
- Knowledge of the capabilities and functionality of technologies for organizing and managing information, the impact of signature
Job Details
Job Title
Head of Cyber Security Risk Management Unit
Job Location
Kingdom of Saudi Arabia
Job Role
Banking
Preferred Candidate
Career Level
Management
Riyad Bank
Other
Riyadh, Kingdom of Saudi Arabia
500 employees or more