Information Security Specialist for Second Line of Defense (f/m/d)

Your area of work:

The department Chief ICT Risk Officer / CISO combines IT & IS Risk Management in the 2nd Line of Defense. The department’s mandate is to set the IT and IS risk governance and framework, set the control objectives, control review methodology and risk assessment methodology, conduct independent risk assurance of 1st LoD IT and IS controls, and independently monitor and report on the level of IT and IS risk as well as to drive transformation and collaboration.

Your responsibilities:

• Prepare and execute assessments / testing to ensure that the control requirements are effectively implemented by first line
• Prepare assessment reports and communicate findings to relevant managers within designated departments or units
• Follow up on nonconformities and recommended improvements related to assessments to ensure timely resolution and implementation
• Participate in the continual improvement and providing support in second line ICT Risk Assurance methodology, frameworks, and processes to ensure their ongoing effectiveness
• Support the development and organization of the scope for ICT risk assurance activities
• Identify areas of weakness and potential for improvement, devising practical solutions to enhance controls and processes
• Validate regulatory nonconformities and corrective actions to ensure compliance with relevant regulations and standards
• Provide guidance and support for ad hoc assessment topics as needed

Your profile:

• Successfully completed university degree (bachelor, master, or comparable) in a relevant field
• At least two years of professional experience in IT and Information Security performing external audit / Internal Audit / Second Line Assurance / Implementation
• Experience working in the financial sector (ideally in EU regulated financial services), with familiarity with regulations such as BAIT, MaRisk, CSSF, and DORA
• Proven knowledge of common IT standards such as CSA-CCM, COBIT, BSI Grundschutz, ITIL, ISO/IEC 27000 series and professional certifications, e.g. CISA, CISM, CISSP, CEH, or CIA are preferred
• Strong understanding of the Three Lines of Defense model, risk management frameworks, methodologies, and best practices
• High analytical skills, quick conceptual understanding of complex matters and thinking outside the box
• Strong interpersonal skills, organizational talent, ability to work under pressure, assertiveness, communication style in line with seniority with a focus on clarity and integrity
• Effective communication and report-writing skills
• Very good knowledge of English language, both written and spoken; German is an advantage