
Chief Digital & Information Security Officer

ARM Hold Co. · Banking / Financial Services

Full Time Lagos
Deadline: 31 August 2026
Posted June 2, 2026

The Chief Information Security Officer (CIO) serves as a senior executive entrusted with the design, execution, and governance of the Group’s comprehensive information security, cybersecurity, and digital operational resilience strategy. This pivotal position safeguards ARM’s critical information assets, technology infrastructure, client data, business workflows, and essential digital services through robust ICT risk mitigation, proactive cyber defense measures, resilience evaluations, incident mitigation protocols, continuity planning, disaster recovery frameworks, third-party technology governance, regulatory adherence, and transparent reporting to executive leadership and the Board.

Job Details

Developing and overseeing the organization’s information security strategy and governance framework entails establishing robust policies, standards, and procedures to safeguard digital assets. This involves aligning security initiatives with business objectives, ensuring regulatory compliance, and mitigating risks through proactive measures. Additionally, it requires fostering a culture of security awareness, conducting regular audits, and coordinating with stakeholders to maintain a resilient security posture.

Design and execute a comprehensive, organization-wide information security and cybersecurity strategy that harmonizes with business goals, risk tolerance levels, and applicable regulatory standards.

Develop and maintain robust security governance frameworks, including policies, standards, procedures, and control ownership, spanning infrastructure, applications, cloud services, end-user computing, and data environments.

Establish clear roles, responsibilities, and escalation protocols for cybersecurity, ICT risk management, data protection, and digital operational resilience throughout the organization.

Digital operational resilience and ICT risk management entails the strategic oversight and implementation of measures to ensure the stability, security, and continuity of digital systems and technology infrastructure. This encompasses identifying potential risks, establishing robust controls, and maintaining compliance with regulatory standards to safeguard against disruptions and cyber threats. The role involves continuous monitoring, incident response planning, and the integration of risk management frameworks to enhance operational efficiency and resilience.

Responsible for overseeing the digital operational resilience framework, ensuring comprehensive coverage of identification, protection, detection, response, recovery, and learning across critical ICT assets and business services.

To uphold business continuity, maintain a comprehensive inventory and criticality assessment of all technology assets, applications, data repositories, third-party systems, communication channels, and digital processes that support essential business services.

Conduct comprehensive evaluations to pinpoint, analyze, and track ICT and security risks—such as technology obsolescence, capacity limitations, single points of failure, access vulnerabilities, cloud-related threats, change management hazards, and data integrity concerns—before preparing detailed reports on findings.

Establish resilience benchmarks for vital systems by defining recovery time objectives (RTO), recovery point objectives (RPO), backup protocols, redundancy measures, failover mechanisms, and essential security baselines.

Cybersecurity Operations and Threat Management involves safeguarding digital infrastructure through proactive monitoring, incident response, and strategic defense mechanisms against evolving cyber threats. Key responsibilities include analyzing security vulnerabilities, implementing protective measures, and ensuring compliance with industry regulations to mitigate risks. The role demands expertise in threat detection tools, incident handling protocols, and a deep understanding of cybersecurity frameworks to maintain robust security postures. Candidates must possess strong analytical skills, technical proficiency in security technologies, and the ability to respond swiftly to emerging threats while collaborating with cross-functional teams to enhance organizational resilience.

Responsibilities include supervising security processes, tracking vulnerability management, handling patch management, overseeing endpoint protection, managing identity and access control, administering privileged access, and analyzing threat intelligence activities.

Conduct prompt remediation of control deficiencies identified through penetration tests, vulnerability scans, audit reviews, regulatory examinations, incidents, and risk assessments to maintain operational integrity and compliance standards.

Ensure the effective implementation of preventive and detective controls to mitigate risks associated with malware, ransomware, phishing, data leakage, unauthorized access, network intrusion, and social engineering threats.

Incident Response, Crisis Management, and Regulatory Reporting encompass the structured processes of identifying, mitigating, and resolving security breaches, operational disruptions, or compliance-related issues in a timely and efficient manner. These functions involve coordinating with cross-functional teams to execute response strategies, conducting thorough investigations to determine root causes, and ensuring adherence to legal and regulatory obligations by submitting accurate reports to governing authorities within prescribed deadlines.

Drive the evaluation and ongoing enhancement of cyber and ICT incident response plans, overseeing key processes such as classification, escalation, containment, recovery, root-cause analysis, and lessons learned.

Collaborate closely with Risk Management, Compliance, Legal, Operations, Technology, Internal Control, Internal Audit, and business leaders to address significant technology or cyber incidents.

Deliver accurate and prompt internal reports to senior management and the Board of Directors while facilitating regulatory and client notifications in accordance with applicable laws, contractual obligations, or supervisory directives.

Business Continuity, Disaster Recovery, and Resilience Testing involves the comprehensive evaluation of systems, processes, and protocols to ensure operational continuity and rapid recovery in the face of disruptions. This role encompasses the development, implementation, and periodic testing of strategies to mitigate risks, safeguard critical functions, and maintain organizational stability during unforeseen events. Responsibilities include coordinating recovery plans, conducting simulations, analyzing vulnerabilities, and ensuring alignment with industry standards and regulatory requirements to enhance overall resilience.

Collaborates with risk management, business, and technology teams to ensure business continuity and disaster recovery plans are fully aligned with critical business services and operational resilience goals.

In collaboration with Risk Management, oversee the scheduling and execution of regular disaster recovery simulations, cyber tabletop exercises, failover tests, backup restoration tests, penetration tests, scenario analyses, and post-incident reviews.

You are responsible for overseeing the tracking of remediation actions stemming from resilience tests through to completion, while escalating any unresolved exposures to appropriate management governance forums.

Third-Party Technology and Cloud Risk Management: Oversee the assessment, monitoring, and mitigation of risks associated with third-party technology vendors and cloud service providers to ensure compliance with organizational security policies, regulatory standards, and industry best practices. Develop and implement robust risk management frameworks, conduct thorough due diligence reviews, and collaborate with cross-functional teams to address vulnerabilities, enforce contractual safeguards, and maintain the integrity of critical systems and data. This role requires a deep understanding of cloud security architectures, vendor risk assessment methodologies, and emerging threats in the digital landscape.

Evaluate and continuously track cybersecurity, data protection, and operational resilience risks associated with vendors, outsourced service providers, cloud platforms, fintech partners, and other third-party ICT entities.

Ensure that critical technology contracts incorporate robust security, confidentiality, audit, data protection, and incident notification provisions, along with clear service availability, exit, and continuity requirements.

Provide oversight for concentration risk, dependency risk, and exit planning for critical ICT third-party service providers, ensuring comprehensive risk management and strategic continuity.

Ensures adherence to regulatory requirements, safeguards data privacy, and maintains alignment with industry standards and best practices in all operational activities.

Ensure compliance with applicable laws, regulations, frameworks, and standards, including NDA/NPR, ISO 27001, NIST, CIS Controls, COBIT, and relevant digital operational resilience requirements such as DORA principles, where applicable.

Promote the integration of data protection-by-design, privacy-by-design, and security-by-design principles into technology projects, digital initiatives, and change management processes.

Support regulatory examinations, internal and external audits, client due diligence reviews, and management assurance initiatives focused on information security and resilience. Additionally, oversee security awareness programs, foster a strong security culture, and provide cyber risk briefings tailored to executives and the Board.

Develop key risk indicators (KRIs), key performance indicators (KPIs), and dynamic dashboards to comprehensively monitor cybersecurity posture, operational resilience, incident patterns, third-party risk exposure, vulnerability levels, access control exceptions, and the progress of control remediation efforts.

Prepare concise risk-focused reports for senior leadership, Board Committees, and key governance bodies. Oversee budget allocation, manage human resources, and lead program execution.

Develop and oversee the information security budget to allocate resources efficiently, focusing on cost-effective investments in essential areas such as tools, personnel, training, and resilience capabilities.

Guide the information security team with strong leadership, mentorship, and professional growth initiatives, while establishing well-defined goals, conducting thorough performance evaluations, and implementing structured succession planning.

Champion secure digital transformation by guiding technology, product, and business teams in risk-balanced implementation strategies.

Seeking a motivated individual with a minimum of 3 years of experience in a related field, proficient in project management tools and methodologies. The candidate must hold a Bachelor’s degree in a relevant discipline, demonstrate strong analytical and problem-solving skills, and exhibit excellent verbal and written communication abilities. Familiarity with industry-specific software and regulatory compliance standards is essential. The ideal applicant will also possess leadership qualities, the capacity to work under pressure, and a dedication to continuous professional development.

A comprehensive grasp of information security, cybersecurity, ICT risk management, and digital operational resilience principles is required.

Proven expertise in enterprise technology environments, encompassing networks, cloud platforms, infrastructure, applications, databases, endpoints, identity platforms, and security tooling, is essential.

Proficiency in deploying frameworks like ISO 27001, the NIST Cybersecurity Framework, CIS Controls, COBIT, ITIL, as well as business continuity and disaster recovery standards is required.

Proficient in articulating complex cyber and technology risks into comprehensible business, regulatory, financial, and operational impacts for senior leadership and Board members.

Proven expertise in incident resolution, crisis management, stakeholder relations, and regulatory compliance is essential. The ideal candidate will demonstrate robust skills in navigating disruptions, coordinating responses, engaging with key stakeholders, and ensuring adherence to regulatory standards.

Proven expertise in managing third-party technology risks, overseeing outsourcing activities, assessing cloud-related vulnerabilities, conducting thorough vendor due diligence, and reviewing contractual controls is essential.

Proven capability to develop quantifiable key risk indicators (KRIs) and key performance indicators (KPIs), along with the creation and management of dynamic dashboards that enhance data-driven decision-making and strengthen accountability.

Dynamic leadership abilities, exceptional communication and influencing skills, meticulous documentation practices, and advanced program management expertise.

Qualifications

BA/BSc/HND
