Head of Cybersecurity Governance, Risk, and Compliance
NEOM, NEOM, SA
NEOM Company
Discover NEOM: an opportunity of unprecedented scope for sustainable living, technological innovation and human progress.
OVERVIEW
NEOM is an accelerator of human progress and a vision of what a new future might look like. A region in northwest Saudi Arabia on the Red Sea, NEOM is being built from the ground up to include hyperconnected, cognitive cities, ports, next-generation infrastructure and industries, enterprise zones, research centers, sports and entertainment venues and tourist destinations.
As a destination, it will be a home for people who dream big and want to be part of building a new model for exceptional livability, creating thriving businesses and reinventing environmental conservation.
As a workplace, it is a place for people who share our core values of care, curiosity, diversity, passion, respect, and becoming a catalyst for change.
Are you ready to help NEOM find solutions to the world’s most pressing challenges? Are you prepared to create a lasting legacy that benefits generations to come? Then we want to hear from you!
ROLE OVERVIEW
To direct the cybersecurity activities associated with Cybersecurity Management, Cybersecurity Policies and Procedures, Cybersecurity Roles and Responsibilities, Cybersecurity Risk Management, Compliance with Standards, Laws and Regulations, Supply Chain and Third-party Cybersecurity, Cybersecurity in Human Resources, Cybersecurity Resilience Aspects of Business Continuity Management (BCM), Periodical Cybersecurity Review and Audit, Physical Security, Vulnerability Management and Penetration Testing, in order to support the secure achievement of NEOM's business goals within relevant laws and regulations.
Key Responsibilities:
Company-wide Responsibilities
- Ensure the implementation of cybersecurity GRC processes in accordance with company-wide strategies.
- Ensure the implementation of cybersecurity activities in line with other functions and with Subsidiaries.
- Ensure appropriate support is provided to the organization to enhance NEOM cybersecurity resilience and maturity.
- Work closely with senior leaders in other departments and with external stakeholders to raise awareness of the cybersecurity risks and challenges and support their management through integration into project design and delivery in relation to values of NEOM.
Planning and Strategy
- Coordinate with senior leadership of the organization to ensure that authorization decisions consider all factors necessary for mission and business success, including cybersecurity risks and challenges.
- Ensure appropriate data is collected and maintained to meet defined cybersecurity reporting requirements.
- Ensure that appropriate reporting is provided to senior management as necessary.
People Management
- Take responsibility for building and maintaining a high-performance team, ensuring effective teamwork and communication across the Cybersecurity GRC function.
- Support the management of talent acquisition, retention, and succession planning within Cybersecurity GRC function.
- Set performance objectives, provide necessary support, evaluate/appraise staff and provide regular feedback on performance.
- Lead and mentor the teams under Cybersecurity GRC function, fostering a culture of continuous learning and professional development.
- Ensure that appropriate resources are allocated to meet the organization's cybersecurity requirements.
- Foster a working environment and culture that supports, develops, and promotes equality and diversity.
Budgeting and Financials
- Support the CISO in managing the budget, ensuring optimal allocation of resources.
- Manage financial aspects of cybersecurity, including budgeting and resourcing.
Function-specific Responsibilities
Cybersecurity Policies and Strategy Alignment
- Lead the development, regular review, and maintenance of cybersecurity policies and associated documentation, ensuring alignment with organizational cybersecurity strategy, business objectives, enforceable laws, statutes, and regulatory requirements.
Policy Implementation and Guidance
- Provide clear policy guidance to cybersecurity management, staff, and users, monitoring the effective implementation and application of cybersecurity policies, principles, and practices within planning and management services.
Cybersecurity Roles and Responsibilities
- Supervise resource allocation to cybersecurity roles, oversee periodic review and updates of cybersecurity responsibilities, and ensure standardized position descriptions are developed and maintained in alignment with established cybersecurity workforce roles.
Risk, Compliance, and Assurance Monitoring
- Oversee the development and implementation of methods for effectively monitoring and measuring cybersecurity-related risks, compliance, and assurance activities across the organization’s critical infrastructure.
Cybersecurity Risk Management
- Define, document, approve, and oversee implementation of cybersecurity risk management methodologies, ensuring periodic reviews, alignment with legal requirements, and risk assessments for technology projects, infrastructure changes, third-party engagements, and new services.
- Establish and manage a comprehensive risk management strategy, determining risk tolerance, developing mitigation strategies, and overseeing continuous monitoring using appropriate tools.
- Assign roles clearly within the Risk Management Framework and supervise ongoing internal and external cybersecurity risk assessments and updates.
- Provide leadership to ensure cybersecurity risks are properly identified, documented, and managed through robust governance processes aligned with the organizational risk appetite.
Compliance with Cybersecurity Standards, Laws, and Regulations
- Monitor and support compliance with cybersecurity legislation, regulations, and organizational directives, providing periodic reviews of strategies, policies, and third-party contracts.
- Supervise the identification and resolution of cybersecurity incidents and vulnerabilities, ensuring alignment with financial, legal, contractual, and regulatory requirements.
- Evaluate cybersecurity defense policies and configurations, recognizing patterns of non-compliance, and recommending improvements.
- Collaborate with stakeholders to ensure continuous compliance monitoring and remediation, addressing cybersecurity aspects effectively within the organization and third-party services.
Periodical Cybersecurity Review and Audit
- Oversee cybersecurity compliance processes and audits for internal systems and third-party services, maintaining comprehensive audit logs, and supervising the remediation of identified issues.
- Ensure audits comprehensively test infrastructure, policies, software, systems, and applications against documented cybersecurity requirements, maintaining up-to-date assessment toolkits.
- Monitor risk analyses and cybersecurity audits, tracking audit findings, recommending cost-effective mitigations, and confirming that cybersecurity controls align with national, international, and organizational standards.
- Coordinate securely with external auditors, ensure thorough documentation of security measures and design processes, and validate compliance through regular and targeted audit practices.
Supply Chain and Third-party Cybersecurity
- Oversee cybersecurity risk protection related to third-party engagements, including outsourcing, mergers, acquisitions, and procurements, ensuring compliance with organizational policies and applicable regulations.
- Ensure effective communication and resolution during third-party cybersecurity incidents, documenting supply chain risks for critical system elements, and supervising third-party management controls.
- Collaborate closely with legal advisers and third parties to meet privacy and data security requirements, conducting cybersecurity training for third-party affiliates, employees, and contractors.
- Regularly assess the effectiveness of procurement practices in addressing cybersecurity requirements and supply chain risks, providing strategic oversight of third-party compliance and integration into organizational cybersecurity frameworks.
Cybersecurity Resources Management
- Manage cybersecurity risks associated with employees and contractors through all stages of employment, ensuring compliance with organizational policies, laws, and sound risk management principles.
- Supervise the development, implementation, and regular review of cybersecurity workforce management policies, career paths, and qualification standards.
- Oversee recruitment, retention, training, and skills gap assessments of cybersecurity personnel, establishing appropriate communication channels and integrating cybersecurity requirements into workforce planning.
- Ensure cybersecurity awareness across management levels and sectors, providing strategic expertise to influence organizational HR policies, career development, and workforce effectiveness.
Physical Security
- Oversee cybersecurity requirements for physical protection, ensuring identity access management, secure physical environments, documented policies, and regular reviews of physical security standards.
- Supervise physical security assessments of servers, systems, network devices, and infrastructure to identify and mitigate potential vulnerabilities.
- Ensure cybersecurity standards are applied effectively for physical access control, including secure areas entry, surveillance monitoring, asset protection, evidence handling, and secure disposal or reuse of classified physical assets.
- Collaborate with relevant teams to design and implement secure physical-digital interfaces, advising and mentoring staff on secure identity access management solutions.
Cybersecurity Resilience Aspects of Business Continuity Management (BCM)
- Ensure cybersecurity resilience is integrated into the organization’s business continuity and disaster recovery plans, clearly defining, documenting, approving, and reviewing cybersecurity requirements regularly.
- Collaborate with stakeholders to oversee cybersecurity incident response and recovery planning, maintaining sufficient resources to support cybersecurity resilience efforts.
- Provide cybersecurity guidance and oversight during development, implementation, and maintenance of effective continuity plans.
- Monitor and guide continuous enhancement of cybersecurity within business continuity operations, verifying inclusion in all continuity and disaster recovery procedures.
Penetration Testing
- Supervise and ensure rigorous penetration testing and vulnerability assessments across infrastructure, networks, web, and standard applications, documenting findings, risks, and mitigation recommendations clearly.
- Oversee simulated cyber-attacks and social engineering assessments to identify security gaps, vulnerabilities, and potential business impacts, ensuring findings are effectively communicated to technical and non-technical audiences.
- Ensure penetration testing strategies and methods remain current, reflecting realistic attack scenarios, and confirming alignment with business objectives.
- Monitor the execution of vulnerability scanning, remote network testing, and ensure the integration of findings into the cybersecurity strategy to maintain strong defense mechanisms.
Vulnerability Management
- Define, document, approve, and supervise the implementation and regular review of cybersecurity vulnerability management requirements, including periodic assessments, vulnerability classification, and remediation prioritization.
- Ensure comprehensive management of technical vulnerabilities through patch management programs, alerts, and subscriptions to trusted cybersecurity resources.
- Supervise technical and non-technical risk and vulnerability assessments, evaluating cybersecurity effectiveness, recommending security controls, and overseeing code and system security reviews.
- Ensure proactive vulnerability alerting and responsive cybersecurity measures are built into system designs, overseeing network scouting and vulnerability analysis to maintain robust cybersecurity defenses.
Culture and Values
- Embrace NEOM’s culture and Values https://www.neom.com/en-us/about
- Act with honesty and integrity by following best practices, and upholding the robust standards and expectations set out in NEOM’s Code of Conduct.
- Maintain fair, ethical and professional work practices in accordance with NEOM’s Values and Code of Conduct.
BACKGROUND, SKILLS & QUALIFICATIONS
Knowledge, Skills and Experience
- 12+ years' experience in information security or IT disciplines, including at least 7 years in a management role overseeing strategic cybersecurity planning in complex organizational or governmental settings.
- Proven leadership capabilities, demonstrated through effective management, motivation, and coordination of large cybersecurity teams.
- Strong communication skills with the ability to clearly articulate complex cybersecurity concepts to diverse audiences, including non-technical stakeholders.
- Expertise in collaboration and relationship-building across internal business units, external entities, and stakeholders, effectively integrating cybersecurity into broader organizational goals.
- Demonstrated experience in budgeting, financial planning, resource allocation, and managing multiple concurrent cybersecurity projects and initiatives.
- Comprehensive knowledge of cybersecurity principles, regulatory compliance standards, privacy laws, risk assessment methodologies, and security frameworks.
- Skilled in developing, assessing, and maintaining cybersecurity policies, vulnerability management programs, penetration testing, and incident response processes.
- Ability to strategically integrate cybersecurity management with business operations, adapt to evolving cybersecurity threats, and ensure alignment with organizational objectives.
- Experienced in cybersecurity workforce management, including staffing assessment, training, career path development, and effective integration of cybersecurity roles within organizational structures.
- Proficient in analyzing cybersecurity data, interpreting vulnerability assessments, recommending appropriate mitigation strategies, and clearly communicating technical risks to management and stakeholders.
Qualifications
Required academic achievements:
- Bachelor's degree in Information Technology, Cybersecurity, Computer Science, Law, or a related field (required).
- Master's degree in Cybersecurity, Information Security, Information Systems, or a related field (highly preferred).
Required professional certifications
- Certified in Risk and Information Systems Control (CRISC), or
- Certified Information Systems Auditor (CISA), or
- Certified Information Security Manager (CISM), or
- Certified in the Governance of Enterprise IT (CGEIT)
- ISO 22301 Lead Auditor
Preferred professional certifications
- Certified Information Systems Security Professional (CISSP)
- Project Management Professional (PMP)
- Certified Compliance and Ethics Professional (CCEP)
- Certified Fraud Examiner (CFE)
- Certified Risk Management Professional (CRMP)
- Certified Regulatory Compliance Manager (CRCM)
- Certified Internal Auditor (CIA)
- Information Security Management System (ISMS) Lead Auditor (ISO 27001 LA)
- Certified Ethical Hacker (CEH)
- Offensive Security Certified Professional (OSCP)
Perks/benefits: Career development Team events