
Digital Security & Information Protection Executive

ARM Hold Co.  · Banking / Financial Services

Full Time Lagos
Deadline: 31 August 2026
Posted June 2, 2026

The Chief Information Security Officer (CISO) serves as a key member of senior management, tasked with designing, executing, and leading the Group’s comprehensive information security, cybersecurity, and digital operational resilience framework. This position safeguards ARM’s critical information assets, technology infrastructure, client data, business operations, and essential digital services by establishing robust ICT risk management protocols, cyber defense mechanisms, resilience assessments, incident response strategies, business continuity plans, disaster recovery procedures, third-party technology governance, regulatory adherence, and executive and Board-level reporting.

Job Details

Develop and oversee the implementation of comprehensive information security strategies and governance frameworks to ensure robust protection of organizational assets. Establish and enforce policies, standards, and procedures that align with industry best practices and regulatory requirements. Lead the development of risk management processes to identify, assess, and mitigate potential security threats. Collaborate with cross-functional teams to integrate security measures into business operations, fostering a culture of security awareness and compliance. Ensure ongoing monitoring and continuous improvement of security policies and controls to adapt to evolving threats and technological advancements.

Formulate and execute a comprehensive, organization-wide information security and cybersecurity strategy that harmonizes with business goals, risk tolerance levels, and applicable regulatory standards.

Develop and implement robust security governance frameworks, including policies, standards, procedures, and control ownership, to ensure comprehensive coverage across infrastructure, applications, cloud services, end-user computing, and data environments.

Establish clear roles, responsibilities, and escalation procedures for cybersecurity, ICT risk management, data protection, and digital operational resilience initiatives across the entire Group.

Digital Operational Resilience and ICT Risk Management entails establishing robust frameworks to mitigate risks, ensuring seamless technology operations, and safeguarding critical digital infrastructure against disruptions. This role demands expertise in identifying potential vulnerabilities, implementing proactive measures to enhance system reliability, and maintaining compliance with evolving regulatory standards. Key responsibilities include overseeing risk assessments, developing resilience strategies, and coordinating cross-functional efforts to address emerging threats while fostering a culture of continuous improvement in digital safety and operational stability.

Own the digital operational resilience framework, encompassing identification, protection, detection, response, recovery, and learning phases for critical ICT assets and business services.

To sustain operational integrity, conduct ongoing evaluations of the organization’s technology assets, applications, data repositories, third-party systems, communication channels, and digital processes—all of which underpin essential business services—while maintaining comprehensive inventory records and criticality assessments.

Identify, evaluate, and track ICT and security risks, such as technology obsolescence, capacity limitations, single points of failure, access vulnerabilities, cloud-related threats, change-related hazards, and data integrity concerns. Additionally, compile and present comprehensive reports on these risks to stakeholders.

Establish resilience criteria for vital systems by defining recovery time objectives (RTO), recovery point objectives (RPO), backup protocols, redundancy measures, failover mechanisms, and minimum security baselines.

Cybersecurity Operations and Threat Management professionals are tasked with safeguarding an organization’s digital infrastructure against cyber threats, ensuring the confidentiality, integrity, and availability of critical data. They design, implement, and oversee security protocols, conduct risk assessments, and monitor network activities to detect and mitigate potential vulnerabilities. Responsibilities include responding to security incidents, analyzing attack patterns, and developing strategies to enhance resilience against evolving threats. In addition, they collaborate with IT teams to deploy advanced security tools, perform regular audits, and ensure compliance with industry regulations. Strong analytical skills, proficiency in cybersecurity frameworks, and a deep understanding of threat intelligence are essential for this role.

Responsibilities include supervising security processes and ensuring the effective monitoring of vulnerability management, patch management, endpoint protection, identity and access management, privileged access management, and threat intelligence activities.

Verify that all control deficiencies identified through penetration tests, vulnerability scans, audit reviews, regulatory examinations, incidents, and risk assessments are addressed promptly and effectively.

Ensure the proper execution of preventive and detective controls aimed at mitigating risks associated with malware, ransomware, phishing, data leakage, unauthorized access, network intrusion, and social engineering threats.

Responding to incidents, managing crises, and ensuring regulatory compliance through timely reporting are critical responsibilities of this role. The position demands expertise in incident response protocols, crisis management strategies, and adherence to regulatory reporting requirements to mitigate risks and maintain operational integrity.

Oversee the evaluation and iterative enhancement of cyber and ICT incident response strategies, encompassing classification, escalation, containment, recovery, root-cause analysis, and lessons-learned processes.

Liaise with Risk Management, Compliance, Legal, Operations, Technology, Internal Control, Internal Audit, and business leaders to address material technology or cyber incidents.

Ensure prompt internal reporting to senior management and the Board, while providing assistance with regulatory and client notifications as mandated by relevant laws, contractual obligations, or supervisory guidelines.

Business Continuity, Disaster Recovery, and Resilience Testing involve assessing and validating an organization’s preparedness to maintain critical functions during disruptions, ensuring operational stability and rapid recovery in the event of unforeseen incidents.

Collaborate closely with risk management, business units, and technology teams to ensure business continuity and disaster recovery plans are fully integrated with critical business services and operational resilience objectives.

Collaborate with Risk Management to organize recurring disaster recovery simulations, cyber tabletop exercises, failover tests, backup restoration tests, penetration tests, scenario analyses, and post-incident reviews.

Track remediation actions from resilience tests through to completion, escalating any unresolved exposures to management governance forums.

Third-Party Technology and Cloud Risk Management encompasses the identification, assessment, and mitigation of risks associated with external technology providers and cloud-based solutions. This role requires thorough evaluation of vendors’ security protocols, compliance with industry standards, and adherence to regulatory requirements to safeguard organizational data and systems. Responsibilities include conducting due diligence reviews, monitoring ongoing performance, and ensuring seamless integration of third-party technologies while maintaining robust security frameworks. Additionally, the position demands collaboration with cross-functional teams to address vulnerabilities, respond to incidents, and uphold cloud security best practices.

Evaluate and track cybersecurity, data protection, and operational resilience risks associated with vendors, outsourced service providers, cloud platforms, fintech partners, and other third-party ICT entities.

Ensure that critical technology agreements incorporate robust provisions for security, confidentiality, audit compliance, data protection, incident notification, service availability, exit strategies, and continuity planning.

Conduct thorough assessments of concentration risk, dependency risk, and exit planning oversight for key ICT third-party service providers.

Ensuring adherence to regulatory requirements, safeguarding data integrity, and maintaining alignment with established standards are critical responsibilities of this role. The position demands rigorous attention to compliance frameworks, robust data protection measures, and meticulous alignment with industry best practices to mitigate risks and uphold organizational integrity.

Ensure compliance with applicable laws, regulations, frameworks, and standards (including NDA/NPR, ISO 27001, NIST, CIS Controls, COBIT, and relevant digital operational resilience requirements such as DORA principles) throughout all operational and strategic initiatives.

Integrate data protection-by-design, privacy-by-design, and security-by-design principles into technology projects, digital initiatives, and change management processes.

Support regulatory examinations, internal and external audits, client due diligence reviews, and management assurance activities focused on information security and resilience. Additionally, oversee security awareness initiatives, foster a strong security culture, and provide executive education and Board-level briefings on cyber risk.

Develop key risk indicators (KRIs), key performance indicators (KPIs), and dashboards that comprehensively assess cybersecurity posture, operational resilience, incident patterns, third-party risk exposure, vulnerability levels, access control deviations, and control remediation progress.

Craft concise, risk-focused reports tailored for senior management, board committees, and relevant governance bodies. Oversee budget allocation, human resources, and program execution with strategic oversight.

Develop and oversee the information security budget to ensure investments in tools, personnel, training, and resilience capabilities are both effective and cost-efficient.

Foster the growth and effectiveness of the information security team by establishing clear goals, conducting performance evaluations, and implementing succession planning strategies.

Guide technology, product, and business teams through secure digital transformation initiatives, ensuring balanced risk management in implementation strategies.

Candidates must possess a bachelor’s degree in a relevant field or an equivalent combination of education and experience. Proficiency in industry-standard software or tools is essential, along with at least three years of hands-on experience in a comparable role. Strong analytical and problem-solving skills are required to address complex challenges effectively. Excellent communication abilities, both written and verbal, are necessary for collaborating with cross-functional teams. The ability to manage multiple priorities and meet tight deadlines is a key expectation. Familiarity with regulatory standards or compliance frameworks may be required, depending on the role. Candidates should demonstrate a commitment to continuous learning and professional development.

Proficient in information security, cybersecurity, ICT risk management, and digital operational resilience principles, with a strong foundational and practical comprehension of these domains.

Proficient in enterprise technology ecosystems, encompassing networks, cloud platforms, infrastructure, applications, databases, endpoints, identity platforms, and security tooling.

Extensive hands-on implementation of internationally recognized frameworks, including ISO 27001, the NIST Cybersecurity Framework, CIS Controls, COBIT, ITIL, as well as business continuity and disaster recovery standards, is essential.

Proficient in articulating complex cybersecurity and technology risks in terms that resonate with senior management and the Board, emphasizing their impact on business strategy, regulatory compliance, financial performance, and operational continuity.

Demonstrates exceptional proficiency in incident management, crisis coordination, stakeholder engagement, and regulatory liaison activities.

Proven expertise in assessing third-party technology risks, overseeing outsourcing arrangements, evaluating cloud-related vulnerabilities, conducting vendor due diligence, and reviewing contract controls.

Proven capability to develop quantifiable Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), along with the creation and management of interactive dashboards that enhance informed decision-making and reinforce accountability.

Exceptional leadership capabilities, along with superior communication, negotiation, and program management skills, are essential. The ability to produce clear and accurate documentation is also a key requirement.

Qualifications

BA/BSc/HND
