The Chief Information Security Officer (CISO) holds a senior leadership position tasked with designing, executing, and managing the Group’s comprehensive information security, cybersecurity, and digital operational resilience strategy. This role safeguards ARM’s information assets, technology infrastructures, client information, business operations, and essential digital services by establishing robust ICT risk management protocols, strengthening cyber defenses, conducting resilience assessments, streamlining incident response protocols, maintaining business continuity and disaster recovery plans, overseeing third-party technology partners, ensuring regulatory adherence, and providing executive and Board-level reporting.
Job Details
Develop and oversee the implementation of a robust information security strategy and governance framework, ensuring alignment with organizational objectives and compliance requirements. Establish policies, standards, and procedures to mitigate risks, protect sensitive data, and maintain the integrity of digital assets. Provide leadership in aligning security initiatives with business goals, while fostering a culture of security awareness across the organization. Monitor emerging threats, regulatory changes, and industry best practices to continuously enhance the security posture.
Design and execute a comprehensive, organization-wide information security and cybersecurity strategy that aligns with business goals, risk tolerance levels, and applicable regulatory standards.
Develop and implement robust security governance frameworks, including policies, standards, procedures, and control ownership, across infrastructure, applications, cloud services, end-user computing, and data environments.
Establish clear roles, responsibilities, and escalation protocols for cybersecurity, ICT risk management, data protection, and digital operational resilience throughout the organization.
Digital Operational Resilience and ICT (Information and Communication Technology) Risk Management encompasses the strategic frameworks, processes, and controls designed to safeguard an organization’s digital infrastructure, ensure uninterrupted service delivery, and mitigate potential threats in an increasingly interconnected technological landscape. This discipline focuses on identifying vulnerabilities, assessing risks, implementing robust governance structures, and maintaining compliance with evolving regulatory standards to enhance operational stability and resilience against cyber threats, system failures, and other ICT-related disruptions.
Develop and oversee the digital operational resilience framework, encompassing identification, protection, detection, response, recovery, and learning processes for critical ICT assets and business services.
Ensure the organization maintains a comprehensive inventory and criticality assessment of technology assets, applications, data repositories, third-party systems, communication channels, and digital processes that support critical business services.
Identify, evaluate, and track ICT and security risks, such as technology obsolescence, capacity limitations, single points of failure, access vulnerabilities, cloud-related threats, change-associated risks, and data integrity concerns, then prepare comprehensive reports on findings.
Establish resilience criteria for essential systems by determining recovery time objectives (RTO), recovery point objectives (RPO), backup protocols, redundancy measures, failover mechanisms, and baseline security standards.
Cybersecurity Operations and Threat Management encompasses the systematic monitoring, detection, and mitigation of security threats to protect organizational assets. This role involves overseeing security infrastructure, analyzing potential vulnerabilities, and implementing robust defense strategies to counteract cyber threats. Professionals in this field are responsible for identifying and responding to security incidents, conducting risk assessments, and ensuring compliance with industry standards and regulations. Strong analytical skills, technical proficiency in security tools, and a deep understanding of threat landscapes are essential for success. Additionally, the position may require collaboration with cross-functional teams to enhance security protocols and respond to emerging threats promptly.
Responsible for supervising security procedures while maintaining oversight of vulnerability management, patch deployment, endpoint protection, identity and access management, privileged access management, and threat intelligence operations.
Conduct prompt corrective actions to address identified control deficiencies stemming from penetration tests, vulnerability scans, audit evaluations, regulatory inspections, incidents, and risk assessments.
Ensure the proper execution of preventive and detective controls aimed at mitigating malware, ransomware, phishing, data leakage, unauthorized access, network intrusion, and social engineering threats.
Incident response, crisis management, and regulatory reporting encompass critical responsibilities within the organization. These functions involve the timely identification, assessment, and mitigation of security incidents, as well as the coordination of response efforts to minimize operational disruptions. Additionally, they require the development and implementation of crisis management strategies to ensure business continuity and stakeholder confidence. Compliance with regulatory requirements through accurate and transparent reporting is also a key component, ensuring adherence to legal and industry standards.
Direct the testing and ongoing enhancement of cyber and ICT incident response plans, with a focus on classification, escalation, containment, recovery, root-cause analysis, and lessons learned.
Collaborate closely with Risk Management, Compliance, Legal, Operations, Technology, Internal Control, Internal Audit, and business stakeholders to address critical technology or cybersecurity incidents.
Maintain prompt internal reporting to senior management and the Board, while facilitating regulatory and client notifications as mandated by applicable laws, contracts, or supervisory directives.
Conduct comprehensive assessments of business continuity, disaster recovery, and resilience testing protocols to ensure organizational preparedness for unforeseen disruptions and catastrophic events.
Collaborate closely with risk management, business units, and technology teams to align business continuity and disaster recovery plans with key business services and operational resilience goals.
In collaboration with Risk Management, oversee the scheduling and execution of regular disaster recovery simulations, cyber tabletop exercises, failover tests, backup restoration tests, penetration tests, scenario analyses, and post-incident reviews.
Track remediation actions through to completion and report any unresolved exposures to management governance forums.
Ensure robust oversight of third-party technology and cloud risk management protocols to safeguard organizational integrity and mitigate potential vulnerabilities in external partnerships and cloud infrastructure.
Evaluate and track cybersecurity, data protection, and operational resilience risks associated with vendors, outsourced service providers, cloud platforms, fintech partners, and other third-party ICT entities.
Ensure that essential technology contracts incorporate key provisions such as security, confidentiality, audit, data protection, incident notification, service availability, exit, and continuity clauses to safeguard organizational interests and compliance obligations.
Develop strategies to assess concentration risk, dependency risk, and exit planning oversight for essential ICT third-party service providers.
Ensure adherence to regulatory requirements, safeguard data privacy, and align organizational practices with established standards and industry best practices.
Ensure compliance with applicable laws, regulations, frameworks, and standards, including NDA/NPR, ISO 27001, NIST, CIS Controls, COBIT, and relevant digital operational resilience mandates such as DORA principles where applicable.
Integrate privacy, security, and data protection principles into technology projects, digital initiatives, and change management processes from the outset.
Assist with regulatory examinations, internal and external audits, client due diligence reviews, and management assurance initiatives focused on information security and resilience. Additionally, enhance Security Awareness, Culture, and Board Reporting by providing specialized security awareness training, conducting phishing simulations, delivering executive education programs, and presenting cyber risk briefings to the Board.
Develop key risk indicators (KRIs), key performance indicators (KPIs), and comprehensive dashboards that provide visibility into cybersecurity posture, operational resilience, incident patterns, third-party risk factors, vulnerability exposure levels, access control exceptions, and the progress of control remediation efforts.
Prepare concise, risk-focused reports for senior management, Board Committees, and applicable governance bodies. Additionally, oversee budget allocation, staff leadership, and program management responsibilities.
Develop and oversee the information security budget to ensure investments in tools, personnel, training, and resilience capabilities are both strategic and cost-efficient.
Provide strategic direction, mentorship, and growth opportunities for the information security team, focusing on establishing well-defined objectives, conducting performance evaluations, and implementing succession planning initiatives.
Champion secure digital transformation by providing strategic guidance to technology, product, and business teams to ensure risk-balanced implementations.
Candidates must have a bachelor’s degree in a relevant field, along with a minimum of three years of professional experience in a similar role. Proficiency in industry-standard software and tools is essential, as is the ability to analyze complex data sets and derive actionable insights. Strong communication skills, both written and verbal, are required to collaborate effectively with cross-functional teams. Familiarity with project management methodologies and adherence to compliance protocols are also mandatory. Additionally, the role demands adaptability to evolving priorities and a commitment to continuous learning.
Proficient knowledge of information security, cybersecurity, ICT risk management, and digital operational resilience principles is essential.
Proven expertise in enterprise technology ecosystems, encompassing networks, cloud platforms, infrastructure, applications, databases, endpoints, identity platforms, and security solutions.
Expertise in the application of established frameworks including ISO 27001, the NIST Cybersecurity Framework, CIS Controls, COBIT, ITIL, and standards for business continuity and disaster recovery is required.
Capable of effectively conveying complex cyber and technology risks in terms that resonate with business priorities, regulatory obligations, financial considerations, and operational realities for senior leadership and the Board.
Demonstrates exceptional proficiency in managing incidents, coordinating crisis response efforts, engaging with stakeholders, and navigating regulatory requirements.
Proficiency in evaluating risks associated with third-party technologies, overseeing outsourcing activities, managing cloud security risks, conducting vendor due diligence, and reviewing contract controls is required.
Proficient in developing measurable Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), along with designing and maintaining dashboards that facilitate informed decision-making and accountability.
Proven expertise in leadership, communication, and the ability to influence stakeholders, coupled with exceptional documentation and program management capabilities.
Qualifications
BA/BSc/HND