Head of Information Security & Digital Protection

ARM Hold Co.  · Banking / Financial Services

Full Time Lagos
Deadline: 31 August 2026
Posted June 1, 2026

The Chief Information Security Officer (CISO) holds a senior leadership position tasked with designing, executing, and supervising the Group’s comprehensive information security, cybersecurity, and digital operational resilience strategy. This role safeguards ARM’s information assets, technology infrastructure, client data, operational processes, and essential digital services by establishing robust ICT risk management protocols, fortifying cyber defenses, conducting resilience assessments, managing incident response, ensuring business continuity and disaster recovery plans, overseeing third-party technology dependencies, maintaining regulatory compliance, and delivering executive and Board-level reporting.

Job Details

Develop and oversee the implementation of a robust information security strategy and governance framework. Establish policies, standards, and procedures to safeguard organizational assets, ensuring alignment with regulatory requirements and industry best practices. Lead governance initiatives, conduct risk assessments, and facilitate compliance audits to mitigate threats and maintain a secure operational environment.

Formulate and execute a comprehensive, organization-wide information security and cybersecurity strategy that harmonizes with business goals, risk tolerance levels, and applicable regulatory mandates.

Develop and implement robust security governance frameworks, including policies, standards, procedures, and control ownership, across infrastructure, applications, cloud services, end-user computing, and data environments.

Establish clear roles, responsibilities, and escalation procedures for cybersecurity, ICT risk management, data protection, and digital operational resilience throughout the organization.

Digital operational resilience and information and communications technology risk management are crucial components of maintaining secure, stable, and efficient digital infrastructure. This role focuses on identifying, assessing, and mitigating risks associated with digital operations and ICT systems while ensuring compliance with regulatory frameworks and industry standards. Responsibilities include developing and implementing robust resilience strategies, monitoring emerging threats, and conducting thorough risk evaluations to safeguard against disruptions. Additionally, the position requires collaboration with cross-functional teams to integrate resilience principles into broader organizational processes, ensuring continuous improvement in digital operational reliability.

Oversee the digital operational resilience framework, ensuring comprehensive coverage of identification, protection, detection, response, recovery, and learning phases for critical ICT assets and business services.

Maintain an up-to-date inventory and conduct criticality assessments of all technology assets, applications, data repositories, third-party systems, communication channels, and digital processes that support critical business services.

Conduct comprehensive evaluations of ICT and security risks, such as technology obsolescence, capacity limitations, single points of failure, access vulnerabilities, cloud-related threats, change management risks, and data integrity concerns, while systematically documenting and reporting findings to stakeholders.

Establish resilience criteria for vital systems by determining recovery time objectives (RTO), recovery point objectives (RPO), backup protocols, redundancy measures, failover procedures, and baseline security standards.

Cybersecurity Operations and Threat Management involves safeguarding organizational assets against cyber threats through proactive monitoring, incident response, and risk mitigation strategies. This role requires expertise in identifying vulnerabilities, analyzing security breaches, and implementing protective measures to ensure data integrity and system resilience. Professionals in this field must possess a deep understanding of threat intelligence, security frameworks, and compliance regulations to effectively mitigate risks and defend against evolving cyber threats. Additionally, they are responsible for conducting regular security assessments, managing security operations centers (SOCs), and collaborating with cross-functional teams to enhance overall security posture. Strong analytical skills, attention to detail, and proficiency in security tools and technologies are essential for success in this dynamic and critical domain.

Responsibilities include supervising security processes and tracking activities related to vulnerability management, patch management, endpoint protection, identity and access management, privileged access management, and threat intelligence.

Proactively address and resolve identified control deficiencies stemming from penetration tests, vulnerability scans, audit reviews, regulatory examinations, incidents, and risk assessments in a timely manner.

Monitor the effective execution of preventive and detective controls to mitigate risks associated with malware, ransomware, phishing, data leakage, unauthorized access, network intrusion, and social engineering threats.

Incident Response, Crisis Management, and Regulatory Reporting: Responsibilities include overseeing the development and execution of incident response strategies to mitigate security breaches, managing high-stakes crisis situations to minimize operational disruptions, and ensuring timely and accurate submission of regulatory reports to comply with legal requirements. This role requires expertise in identifying and addressing security incidents, coordinating response efforts across departments, and maintaining detailed documentation for audit and compliance purposes. Strong analytical skills, meticulous attention to detail, and the ability to remain composed under pressure are essential for success in this position.

Spearhead the evaluation and ongoing enhancement of cyber and ICT incident response strategies, encompassing classification, escalation, containment, recovery, root-cause analysis, and lessons learned.

Coordinate with various departments, including Risk Management, Compliance, Legal, Operations, Technology, Internal Control, Internal Audit, and business leaders to address significant technology or cyber incidents effectively.

Ensure that internal reports are delivered promptly to senior management and the Board, while also facilitating regulatory and client notifications as mandated by applicable laws, contractual obligations, or supervisory guidelines.

Business Continuity, Disaster Recovery, and Resilience Testing involves designing, implementing, and validating strategies to ensure organizational preparedness for disruptions, emergencies, or catastrophic events. This role requires thorough planning and execution of recovery protocols to minimize downtime and data loss while maintaining critical operations. Responsibilities include conducting risk assessments, developing response plans, coordinating with cross-functional teams, and performing regular testing to validate effectiveness. The position demands expertise in identifying vulnerabilities, establishing recovery time objectives (RTOs), and ensuring alignment with industry best practices and regulatory requirements. Strong analytical skills, meticulous attention to detail, and the ability to communicate complex recovery procedures are essential for success in this role.

Collaborate closely with risk management, business, and technology teams to align business continuity and disaster recovery plans with key business services and operational resilience goals.

In collaboration with Risk Management, oversee regular disaster recovery simulations, cyber tabletop exercises, failover tests, backup restoration tests, penetration tests, scenario analyses, and post-incident reviews.

Track remediation actions stemming from resilience tests through to completion while escalating any unresolved exposures to the appropriate management governance forums for review.

Third-Party Technology and Cloud Risk Management encompasses the identification, assessment, and mitigation of risks associated with third-party vendors and cloud service providers. This role involves evaluating the security posture, compliance adherence, and operational resilience of external partners to safeguard organizational assets and data integrity. Responsibilities include conducting due diligence reviews, monitoring ongoing performance, and addressing any emerging threats or vulnerabilities in collaboration with cross-functional teams. Proficiency in risk assessment frameworks, regulatory requirements, and industry best practices is essential, along with strong analytical and communication skills to effectively convey findings and recommendations to stakeholders.

Evaluate and continuously track cybersecurity, data protection, and operational resilience risks associated with vendors, outsourced service providers, cloud platforms, fintech partners, and other third-party ICT entities.

Verify that essential technology agreements incorporate necessary provisions for security, confidentiality, audit compliance, data protection, incident notification, service availability, exit strategies, and continuity planning.

Formulate oversight frameworks for concentration risk, dependency risk, and exit planning concerning critical ICT third-party service providers.

Compliance, Data Protection, and Standards Alignment: Ensuring adherence to regulatory requirements, safeguarding data integrity, and maintaining alignment with established standards are critical responsibilities. This role involves developing, implementing, and monitoring policies and procedures to mitigate risks, protect sensitive information, and uphold organizational integrity. Proficiency in relevant laws, frameworks, and industry best practices is essential, along with the ability to conduct assessments, audits, and continuous improvement initiatives to sustain compliance and operational excellence.

Maintain compliance with applicable laws, regulations, frameworks, and standards, such as NDA/NPR, ISO 27001, NIST, CIS Controls, COBIT, and relevant digital operational resilience requirements, including DORA principles, where applicable.

Integrate privacy, security, and data protection principles into technology projects, digital initiatives, and change management processes from the outset to ensure robust safeguards are in place.

Support regulatory examinations, internal and external audits, client due diligence reviews, and management assurance initiatives focused on information security and resilience. Oversee security awareness programs, foster a strong security culture, and provide executive education, along with delivering cyber risk briefings to the Board.

Develop key risk indicators (KRIs), key performance indicators (KPIs), and comprehensive dashboards to monitor cybersecurity posture, resilience preparedness, incident trends, third-party risk, vulnerability exposure, access control exceptions, and control remediation efforts.

Prepare concise, risk-focused reports for senior management, Board Committees, and other relevant governance forums. Additionally, oversee budget allocation, staff management, and program execution.

Develop and oversee the information security budget, focusing on cost-effective allocation of resources for tools, personnel, training, and resilience enhancements.

Provide strategic direction, mentorship, and growth opportunities for the information security team while establishing measurable goals, conducting performance evaluations, and implementing succession planning initiatives.

Drive secure digital transformation initiatives by providing strategic guidance to technology, product, and business teams, ensuring balanced risk management in all implementations.

The role requires a minimum of five years of relevant professional experience, with a proven track record in project management or a closely related field. Proficiency in industry-standard software tools and strong analytical skills are essential. Candidates must demonstrate exceptional communication abilities and the capacity to collaborate effectively in cross-functional teams. A bachelor’s degree in a relevant discipline is mandatory, and additional certifications or advanced degrees may be advantageous. Familiarity with regulatory compliance and risk management frameworks is highly valued. The ideal candidate should exhibit leadership qualities and a commitment to continuous professional development.

A robust comprehension of information security, cybersecurity frameworks, ICT risk management methodologies, and the core principles of digital operational resilience is required.

Possesses an in-depth understanding of enterprise technology ecosystems, encompassing networks, cloud platforms, infrastructure, applications, databases, endpoints, identity platforms, and security tooling.

Seasoned professionals with hands-on application of widely recognized frameworks including ISO 27001, NIST Cybersecurity Framework, CIS Controls, COBIT, ITIL, as well as business continuity and disaster recovery standards are encouraged to apply.

Proficiency in articulating complex cybersecurity and technology risks in terms of their business, regulatory, financial, and operational consequences for senior leadership and the Board is essential.

Demonstrated expertise in handling incidents, coordinating crisis response efforts, managing relationships with stakeholders, and engaging with regulatory bodies.

Seeking a professional with expertise in managing third-party technology risks, overseeing outsourcing activities, evaluating cloud-related risks, conducting vendor due diligence, and reviewing contract controls.

Skilled in developing key risk indicators and performance metrics that are quantifiable, and proficient in maintaining dynamic dashboards to facilitate informed decision-making and foster accountability.

Experienced in leading teams, fostering clear communication, and driving influence to achieve organizational goals, with a strong emphasis on meticulous documentation and effective program management.

Qualifications

BA/BSc/HND
