Senior Lead, Technology & Cyber Security Risk Oversight
United Arab Emirates
Emirates NBD
Organization Unit Purpose
To support the implementation of the Emirates NBD Operational Risk management framework and its associated controls through the associated policies and risk management tools in an integrated, transparent and consistent way.
Job Purpose
• Lead technology and information security risk oversight for the group, enabling the execution of the enterprise risk management strategy.
• Conduct Risk and control self-assessment (RCSA)
• Develop and implement KRI monitoring and demonstrate the risk posture of the group and its entities.
• Collaborate with technology and business stakeholders at Group and International locations to manage risk reduction efforts
• Oversight on Technology domains across Group
• Investigating complex system/technology control failure events
• Manage the technology risks across each business entity and subsidiary
• Review regulatory submissions for technology domains for all entities.
• Provide expert advice to senior management and department heads of Emirates NBD, Emirates Islamic and International locations.
• Maintain the Technology Risk register
Job Content
Technology Risk Assessment & Management
• Perform Risk and Control Self-Assessments (RCSA) and ORCAs, and challenge first line of defense (1LoD) risk identification, ensuring robust risk profiling for critical business processes and systems (e.g., intraday liquidity management in the core banking system, SaaS apps for fintech solutions).
• Support Materiality assessments for technology initiatives
• Perform scenario planning to address unmitigated cyber threats (e.g., black swan events)
• Develop IT risk tolerance models, including inherent and residual risk assessments, to guide risk acceptances
• Support development of cyber risk oversight process, frameworks and systems
Technology Risk Oversight
• Oversee red teaming simulation and evaluation of controls across all domains, including cloud platforms using evidence-based control evaluation (EBCE) and risk-based methodologies
• Execute deep dives into IT processes to identify gaps, propose solutions, and track mitigation actions.
• Review cyber threats, supplier, pen testing and vulnerability assessment reports and recommend the remediations based on risk exposure
• Lead independent review of cyber breach and tech control failures
• Oversee the incident response for cyber incidents, technology disruptions, and control failures
• Review incident response plans for core banking systems, incorporating scenarios for cloud, AI, and critical business system failures
• Logical security Oversight: Oversee IAM frameworks, ensuring secure access with MFA, privileged access management (PAM), and compliance with security frameworks
• Privacy Oversight: Manage data protection and privacy risks, ensuring compliance with various data protection regulations.
• Oversee the regulatory submissions by 1LoD
• Data-Driven Oversight: Implement risk quantification tools (e.g., FAIR model) to prioritize investments.
Risk reporting (UAE and International)
• Monitor and report risk metrics, Key Risk Indicators (KRIs), risk thresholds and counts to various committees and regulators, emphasizing inappropriate access, control and technology breakdowns, and emerging tech risks.
• Oversee root cause analysis for operational risk events (historical, potential, external), ensuring timely resolution and lessons learned.
• Quantify financial and reputational risks of incidents for executive reporting.
• Deliver detailed and accurate reports and memos, articulating risks and security issues to both technical and non-technical stakeholders.
• Maintain an up-to-date risk register.
• Act as a subject matter expert on Basel II/III risk structures, supporting audit and regulatory reviews.
• Prepare regulatory filings and ensure timely remediation of findings.
Governance of Technology Risk
• Develop a technology risk governance framework aligned with Basel III, ensuring information security supports business objectives.
• Review processes related to change management, IT asset management, and platform security to minimize risks.
• Strengthen the second line of defence (2LoD) control framework, ensuring robust oversight of 1LoD activities.
• Facilitate governance committees to escalate and resolve critical IT risk issues.
• Promote risk awareness through training and communication with business and engineering teams to enhance framework compliance
Teamwork
• Achieve desired performance of the team
• Support team members in their development within Group OpRisk and Emirates NBD
• Strive to achieve the unit goals by supporting others and collaborating actively within and outside the team with colleagues from other units/departments.
Education
• Bachelor’s degree in Cybersecurity, IT, or a related field (or equivalent experience).
• Minimum 7 years of experience in Cybersecurity and Risk Management.
• Technical Security Certifications such as OSCP, GCTI, AZ-500
• Information Security Certification such as CISSP, CISM, CRISC
Experiences
• Minimum 7 years’ experience.
• Information Security expertise
• Financial services experience
• Big4+
Knowledge & Skills
Expert Knowledge and Hands-On Experience in Cybersecurity and IT Risk Management
• Developing cyber security and risk management oversight frameworks for banking institutions
• Strengthen the second line of defense (2LoD) IT control framework, ensuring robust oversight of 1LoD activities.
• Developing a cyber risk appetite framework incorporating all domains’ risk tolerances
• Facilitate risk review forums to identify emerging risks and mitigation strategies for existing products
• Review risk-based approach on security architecture, cloud migrations, and AI deployments.
• Promote risk awareness through training and communication with business and engineering teams to enhance framework compliance.
• Red & Blue Teaming, Penetration Testing, and Vulnerability Assessment: Extensive hands-on experience in conducting red and blue teaming exercises to identify and mitigate security vulnerabilities. Proficient in performing penetration testing and vulnerability assessments to ensure robust security measures.
• Execute deep dives into IT processes to identify gaps, propose solutions, and track mitigation actions.
• Cyber Threat Intel, Security Incident Response & Investigations: Demonstrated hands-on experience in managing and responding to security incidents. Skilled in conducting thorough investigations to identify root causes and implement corrective actions. Analyze threat intelligence for risks targeting IT infrastructure, cloud platforms, and AI systems.
• Review of Technology/System Failure Events: Hands-on experience in reviewing and analyzing technology and system failure events to identify weaknesses and improve system resilience. Conduct root cause analysis for operational risk events (historical, potential, external), ensuring timely resolution and lessons learned.
• Technology Exposure: Working knowledge and hands-on review experience of cloud technologies, containers, APIs, databases, networking, encryption, application and server management, core banking and payment systems, IAM, middleware, etc.
• Emerging Technologies: Knowledgeable in emerging technologies such as Blockchain/Distributed Ledger, AI, IoT, and quantum computing.
• Cybersecurity and Technology Risk Assessment: Proficient in using various methods and tools for cybersecurity and technology risk assessment
• Experience in Risk and Control Self-Assessments (RCSA), ensuring robust risk profiling for critical business processes
• Assess technology risks in vendors, ensuring compliance with security, governance, and resiliency standards.
• Risk Metrics: Develop IT risk tolerance models, including inherent and residual risk assessments, to guide risk acceptances and vendor risk evaluations.
• Monitor and report risk metrics, Key Risk Indicators (KRIs), and Key Performance Indicators (KPIs) to senior management and regulators
• Information Security Assurance: Knowledgeable in information security assurance principles used to manage risks related to the use, processing, storage, and transmission of information or data.
• Regulations and Frameworks: Comprehensive knowledge and understanding of technology and cybersecurity regulations and frameworks from various jurisdictions, including CBUAE, NESA, SAMA, DFSA, SCA, MAS, RBI, FCA, CB-Egypt, CB Turkey, and others.
• IT Security Threat Monitoring and Remediation: Knowledgeable in current industry methods for evaluating, implementing, and disseminating IT security threat monitoring, detection, and remediation tools and procedures.
• Industry Standards and Trends: Demonstrates technical expertise and awareness of key industry standards and trends across IT security and risk management practices
• Information Security Program Management: Knowledgeable in information security program management and project management principles and techniques.
• Operational Risk Management: Demonstrated expertise in operational risk principles, including fraud, reputational, and regulatory risk management.
• Technical to Business Translation: Ability to translate technical issues into business-related decision points
• Stakeholder and Vendor Management: Experience in managing senior stakeholders and vendor management
• Banking Processes: Knowledgeable in banking-related processes.
• Execution Skills: High execution skills.
• Communication Skills: Fluent in English with excellent analytical, investigatory, and communication skills to articulate complex risks to stakeholders.
Behavioral Competencies
Thinking Related
• Analytical Thinking: Ability to break down complex information and identify key components.
• Problem Solving: Identifying issues and developing effective solutions.
• Strategic Thinking: Planning and envisioning long-term goals and outcomes.
• Critical Thinking: Evaluating information and arguments in a logical manner.
• Creativity: Generating innovative ideas and approaches.
People Related
• Communication: Clear and effective exchange of information.
• Teamwork: Collaborating and working well with others toward common goals.
• Empathy: Understanding and sharing the feelings of others.
• Conflict Resolution: Managing and resolving conflicts in a constructive manner.
• Leadership: Guiding and motivating others to achieve objectives.
Self Related
• Self-Discipline: Maintaining control and focus to achieve goals.
• Adaptability: Adjusting to new conditions and environments.
• Self-Awareness: Understanding one's own strengths and weaknesses.
• Resilience: Recovering quickly from setbacks and difficulties.
• Time Management: Efficiently managing one's time to meet deadlines and commitments.