Director - Cyber Security

Job description:

The Head of Cyber Security will lead a strategic office responsible for setting the cybersecurity governance, risk, compliance, and oversight of security operations management across corporate (IT) and Industrial (OT) environments. Lead a team responsible for the maintenance of the EGA-wide cyber security program to ensure the digital ecosystem and assets are adequately protected from breaches, exploitation, and internal threats.  The role is responsible for overseeing the internal cyber security operations including risk management, the definition of the policies, standards, and procedures, education awareness sessions, regulatory compliance, technologies, and data privacy

KEY ACCOUNTABILITIES:

Strategic role

• The Head of Cyber Security provides leadership and oversight in the strategic planning, execution, and assessment of all cyber security strategies, policies, procedures, and guiding practices to be implemented across IT and OT environments.
• The position establishes and leads a comprehensive EGA wide information security program to ensure that all IT and OT assets are adequately protected against current/future as well as internal/external threats.
• The position is responsible for identifying, directing, coordinating, evaluating, and reporting on information security risks in a manner that meets compliance and industry requirements while enabling the organization to respond and mitigate cyber security and information risk.

• The position serves as the key liaison and focal point for all information security communications and initiatives, as well as coordinates its internal staff, external resources, national and international agencies, and related third parties.

• The Head of Cyber Security works closely with automation control system leads and OT cybersecurity champions to establish security controls for the OT environment and secure the integration of IT and OT networks/environments while maintaining the segmentation to prevent lateral movement to the critical OT systems.

• The position may also be responsible for budgeting, project prioritization, industry and media relations, and providing testimony advice to leadership and executive agencies in matters of cyber security.

• The Head of Cyber Security should have deep knowledge of technology, infrastructure (e.g., cloud, on-premise, server environments), automation and control systems, OT security, and secure OT architecture to support the enablement of the organization to advance the digital ecosystem and its cyber security.

Budget

Oversees the consolidation and recommends the Cyber Security budget for both IT and OT environments and monitors financial performance versus the budget so that the business is aware of anticipated costs/revenues, areas of unsatisfactory performance are identified and potential areas of cost reduction or performance improvement opportunities are capitalized upon

Training & Awareness

Manages the development of staff training and awareness programs on all enterprise IT and OT security best practices; provides support, training, and guidance to EGA management and staff to ensure all security management policies, standards, and procedures are understood, and monitors and audits implementation to ensure policies are adhered to

Relationship Management

• Establishes effective relationships with plant managers, plant control system engineers, plant instrumentation engineers, and other OT teams to work closely with them to secure OT environments and enhance monitoring them from the emerging cyber threats.

Develops and maintains effective business relationships with all additional relevant internal departments and external entities such as vendors, contractors, consultants, and other stakeholders, etc with the highest standards of business ethics, whilst promptly attending to all critical issues to ensure the services required by the organization are delivered in the most effective manner

Leadership

Manages the effective achievement of departmental objectives through the leadership of the Cyber Security department – setting individual objectives, recruiting qualified staff, managing performance, developing, and motivating staff, provision of formal and informal feedback and appraisal – to maximize subordinate and departmental performance

• Safety, Quality & Environment

• Ensures compliance with all relevant safety, quality, and environmental management policies, procedures, and controls across the department in order to guarantee employee safety, legislative compliance, and a responsible environmental attitude.

Ensures the implementation of security controls in the OT environment in a manner that doesn't compromise the performance of the OT systems, doesn't affect the safety of the control systems, and doesn't lead to disruption of production and plant operations

Authority/ Decision making:

• Thinking within defined policies and objectives, under general direction. The application of polices is defined by the job holder who must establish the plan, determine the priorities, and prescribe the processes needed to achieve the objectives

• Work is subject to broad practices and procedures, general direction is provided

• Work with the 1st and 3rd LoD to ensure that the cybersecurity operations team and the auditing teams are aligned on the organization cyber protection

QUALIFICATIONS & SKILLS:

Minimum Qualifications:

• Bachelor's degree in Computer Engineering or Computer Science or equivalent

Certifications such as CRISK, PMP, CISA, CISM, GICSP, ISO27001, Lead Auditor, etc. are highly desirable

Minimum Experience:

• 10-15 years of experience in IT and OT systems, IT and OT systems security, on-premise and cloud infrastructures, networking, system development, and IT/OT security management, overseeing cyber security operations, preferably with a large manufacturing organization with at least four (4) years in positions of progressively increasing managerial responsibilities

• Experience in managing IT/OT security vendors and contractor relationships

Skills:

This position requires the ability to create, manage and maintain effective relationships with a wide range of individuals and groups to provide technical and managerial counsel, and to influence others with a broad array of information.  These groups include: EGA leadership and board, security and law enforcement agencies, external vendors, and professional cyber security organizations. The position requires the ability to manage staff who possess highly technical skills in a rapidly changing environment.

The position requires a strong appreciation of:

• The aluminium manufacturing sector and EGA's products and business strategies
• Industrial automation control systems and security of OT environments

• Security architecture and secure integration between the IT and OT environments

• IT/OT technologies, markets and vendors including firewall, intrusion detection, assessment tools, encryption, certificate authority, web, and application development

• Information systems industry and best practices in network, application, and hardware platform security
• Audit and assessment methodologies, procedures, and best practices that relate to information networks, systems, and applications
• • Detailed technical expertise of cloud architectures (including hybrid on-prem), especially Microsoft Azure, networks, routers and switches, wireless technologies, and IOT platforms
• Experience managing the security of cloud IaaS, PaaS, SaaS services on Microsoft Azure such as but not limited to Microsoft 365, ServiceNow, and DataBricks.
• Application security, database technologies used to store enterprise information, directory services, financial information, and information systems auditing
• Identity and access management, security program policies, processes, standards, requirements and procedures, and various supporting security technologies
• The person must possess well-developed skills in:
• Managing advanced IT and OT security technical staff within the organization environment
• Understanding business objectives and the planning processes to achieve them as well as legislative and political processes that influence them
• Working with diverse populations of legislative, judicial, law enforcement, technical information staff, government employees, the media, and the general public
• Communicating technical issues to non-technical employees
• Motivating and supporting staff to achieve business goals
• Communicating industry standards, best practices, testing techniques, and the interpretation of assessment, testing, and metrics
• Interpreting industry best practice information and assessment results to provide consultative direction
• Providing assistance in the identification, prioritization, and remediation of systems vulnerabilities to diverse users
• Managing large and complex projects to plan, manage and coordinate diverse technical projects
• Leading complex projects, establishing priorities, and allocating resources / workloads in a team environment
• Developing collaboration among the diverse agencies and offices, government, and other agency groups to motivate them to act on requirements and recommendations for risk management