Third-Party Security Manager

Third-Party Security Manager

 Abu Dhabi, NONE

 

Permanent

Role Purpose:
The Third-Party Security Manager is responsible for managing and overseeing third-party risk management and assisting in the review and maintenance of the third-party risk management framework to meet the Group's needs. This role involves supporting the Head of IS Third Party Security in making informed decisions regarding critical third-party vendors and proactively assessing associated risks.

Key Metrics:

• Percentage of third-party assessments completed on or before target dates within planned cost and quality requirements.
• Percentage of implemented risk mitigation controls from the total number of planned controls.
• Number of third-party issues remediated within target dates.
• Percentage of compliance with relevant regulatory requirements.

Key Accountabilities of the Role:

• Execute and supervise business services, processes, and technologies to conduct business impact analyses.
• Support the Head of IS Third Party Security in articulating risk appetite and third-party security requirements.
• Conduct detailed technical security assessments for third-party security and business operations.
• Perform data privacy impact analyses and assist businesses and vendors in completing assessments as a subject matter expert.
• Manage assessment projects under GISD, ensuring quality and timeliness of delivery.
• Coordinate with subsidiaries and international business units to deliver assessments for third parties and projects per departmental plans.
• Collaborate with internal audit, business units, and risk management teams to align third-party security requirements and mitigating controls.
• Execute technical security assessments for third-party security, reporting findings to GISD leadership and relevant teams.
• Maintain documentation related to the third-party security unit, including policies, procedures, and frameworks.
• Keep the third-party asset criticality register updated with vendor details periodically.
• Report and notify relevant units within GISD of all third-party issues and risks.
• Document and maintain all issues in the third-party issues register.
• Follow up regularly with business units on third-party issues and their action plans.
• Support digital security and cloud security initiatives and participate in the bank's digital transformation efforts.
• Ensure that third-party ecosystems are adequately protected and that security controls are followed by all third parties accessing bank data.
• Assist in maintaining the third-party security risk management framework aligned with the ORM framework.
• Develop and assist in reporting on third-party security KPIs and KRIs through dashboards for various forums.
• Communicate third-party risks and remediation plans to relevant stakeholders and ensure follow-up on implementation.
• Measure, monitor, and report on third-party risks.
• Engage staff and vendors to develop risk mitigation plans for identified risks in vendor reviews.
• Monitor and report on the execution of information security risk mitigation plans.

Specialist Skills / Technical Knowledge Required for This Role:

• Expert knowledge of information security systems and procedures, strong analytical and problem-solving skills, and excellent communication abilities.
• Strong knowledge of banking processes, information security technologies, and risk management practices.
• Bachelor's degree in business, technology, or a related field, or equivalent relevant work experience.
• Knowledge of information security risks, controls, and protecting PII in compliance with local and global laws.
• Strong interpersonal and presentation skills; ability to engage effectively with stakeholders.
• Experience in the banking and financial services sector preferred.
• Fluent in English.

Certifications Required:

• Mandatory: Certified in Risk and Information Systems Control (CRISC) and Certified Information Security Manager (CISM).
• Desirable: Certified Cloud Security Professional (CCSP), Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Auditor.

Previous Experience:

• Minimum of 8-12 years in information security, risk management, and related fields; banking experience is mandatory.
• At least 5 years of direct information security experience.
• Preferred: 5 years in information technology.
• Experience with GRC/privacy tools and platforms.
• Strong communication and interpersonal skills.
• Proficient in Microsoft Office (Word, Excel, PowerPoint).
• Strong project management and coordination experience.