Chief Information Security Officer Technology Risk & Cybersecurity Director
Encinar P01, Spain
Santander
Our purpose is to help people and businesses prosper. We strive to make all we do Simple, Personal and Fair. Santander is looking for a Chief Information Security Officer (CISO) for SCIB, based in our Boadilla del Monte (Madrid, Spain) office.
WHY YOU SHOULD CONSIDER THIS OPPORTUNITY
At Santander (www.santander.com), we push the boundaries and create innovative, customer-centric tech solutions for Santander. We collaborate to provide these world-class technical solutions by adopting Agile across our business as we digitally transform our platforms and services to create the bank of the future.
Cybersecurity is one of the Santander Group's main priorities and a crucial element to make Santander a cyber-resilient organization that can withstand, detect, and rapidly react to cyberattacks, while constantly evolving and improving our defences. The protection of systems, information and customers is a priority for the Group and a crucial component of Santander's purpose of "helping people and companies to prosper" and our goal of "offering excellent digital services for our customers".
If you share our passion for technology and are up for the challenge, come join us!
Our mission is to contribute to helping more people and businesses prosper. We embrace a strong risk culture and all our professionals at all levels are expected to take a proactive and responsible approach toward risk management.
Santander is proud of being an organization where there are equal opportunities regardless of age, gender, disability, civil status, race, religion or sexual orientation.
WHAT YOU WILL BE DOING
Santander Corporate & Investment Bank supports corporate and institutional clients, delivering tailored services and value-added wholesale products suited to their complexity and sophistication.
The CISO of SCIB will be responsible for implementing and running the Santander Global Information Security program to ensure that SCIB, along with its perimeter of information assets and associated technology, applications, platforms, systems, infrastructure and processes, is adequately protected in the digital ecosystem in which we operate. That will involve identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.
The CISO position requires a visionary leader with sound knowledge of business management, but also deep knowledge and/or previous experience within investment banking environments (as well as strong understanding of regulatory requirements inherent to this activity), and a working knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem.
He/She should understand and articulate the impact of cybersecurity on (digital) business and be able to communicate this to the senior stakeholders.
The CISO must be knowledgeable about both internal and external business environments and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory and contractual obligations.
The role reports hierarchically to the T&O of SCIB, with a functional reporting line to the CISO Entity Engagement Global Head, and is also a member of the Global CISO Leadership Team.
Tasks and Responsibilities
Lead the Organization
- Set and supervise correct implementation for SCIB cyber security strategy in line with Santander Group’s Cyber Security Corporate Framework and Strategy, SCIB regulatory requirements and business needs
- Leads the information security function across SCIB company to ensure consistent and high-quality information security management in support of the business goals
- Determines the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas
- Manages the budget for the information security function, monitoring and reporting
- Functional management of the local CISOs in SCIB Branches.
Implement the Strategy
- Implements the information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate
- Support and enable adoption of Santander global defenses across systems and information of SCIB
- Implements and monitors a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the organization
- Assists with the identification of non-IT managed IT services in use and facilitates a corporate IT onboarding program to bring these services into the scope of the function, and apply standard controls and rigor to these services
- Works effectively with business units to facilitate information security risk assessment and risk management processes
Build the Network and Communicate the Vision
- Creates the necessary internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required
Operate the Function
- Drive implementation of Santander Group's cyber security minimum requirements, policies and regulatory requirements in SCIB
- Implements a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties
- Works with the compliance area to ensure that all information owned, collected or controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy
- Collaborates and liaises with the data privacy officer to ensure that data privacy requirements are included where applicable
- Facilitates the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings
- Ensures that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines
- Oversees technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk
- Manages and contains information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation
- Monitors the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action
- Develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes may be outside the corporate perimeter
- Coordinates the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas
- Facilitates and supports the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem
Establish Governance and Build Knowledge
- Provides regular reporting on the current status of the information security program to enterprise risk teams and senior business leaders as part of a strategic enterprise risk management program, thus supporting business outcomes
- Develops, socializes and coordinates implementation of security policies
- Understands and interacts with related disciplines, either directly or through committees, to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management
- Provides clear risk mitigating directives for projects with components in IT, including the mandatory application of controls
- Leads the security champion program to mobilize employees of the Entity
Requirements
Education, Training and Previous Experience
- Demonstrated experience and success in senior leadership roles in risk management, information security, and IT or OT Security
- Degree in business administration or a technology-related field such as science or engineering.
Desired, but not required:
- Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials
- Experience successfully executing programs that meet the objectives of excellence in a dynamic business environment
Technical and Business Experience
- Knowledge and understanding of relevant legal and regulatory requirements regarding Cybersecurity
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework
- Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
- Up-to-date knowledge of methodologies and trends in both business and IT
Knowledge and Skills
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists
- Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization
- Ability to lead and motivate the information security team to achieve tactical and strategic goals.
- Excellent stakeholder management skills
- Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
- Project management skills: financial/budget management, scheduling and resource management
- A master of influencing decisions when achieving a desirable outcome is vital
Personal Characteristics
- Poise and ability to act calmly and competently in high-pressure, high-stress situations
- High degree of initiative, dependability and ability to work with little supervision while being resilient to change
- High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity
- Has good judgment, a sense of urgency and has demonstrated commitment to high standards of ethics, regulatory compliance, customer service and business integrity.
- A critical thinker, with strong problem-solving skills
- Strong problem-solving and trouble-shooting skills
- Self-motivated and possessing of a high sense of urgency and personal integrity
OTHER INFORMATION
Our team members come from very different types of companies, including banks, tech companies, trade companies, start-ups, and consulting firms. We believe in the power of diversity in backgrounds, nationality, gender, and more.
Would you like to grow with us? Join our team!
If you want to know more about us, follow us on https://es.linkedin.com/company/banco-santander and https://www.linkedin.com/company/santander-corporate-investment-banking/
#SCIB
Tags: Agile Banking CISA CISM CISO CISSP Cloud COBIT Compliance CRISC Governance Incident response ITIL Monitoring NIST NIST 800-53 Privacy Risk assessment Risk management Security strategy Strategy
Perks/benefits: Career development Startup environment Team events