Head of IT Risk and Security

1 day ago


Sydney, New South Wales, Australia AXE Group Full time $120,000 - $200,000 per year

Job Type: Permanent - Full Time

Location: Sydney

Job Category: Information Technology

As the Head of IT Risk and Security at Axe Group, in a hybrid role based in Sydney, you will be at the forefront of driving excellence in our Internal IT department. This is a permanent, full-time opportunity for a talented leader to make a significant impact in the realm of Information Technology. If you're passionate about championing risk management and fortifying security measures, we invite you to join our dynamic team and play a pivotal role in shaping the future of our IT landscape.

Job Description
The Head of IT Risk and Security is pivotal in protecting Axe Group's internal IT information assets, promoting a culture of risk and compliance awareness.

The role requires being hands-on to implement technical solutions as well as working closely with senior management and IT teams to ensure that security procedures are followed and the relevant protections are put in place.

Responsibility

  • Developing a security strategy to mitigate potential risks
  • Maintain information security policies, standards and procedures
  • Protect against data loss and fraud
  • Ensuring that systems are maintained to address known vulnerabilities
  • Ensure IT and network implementations or modifications are protected through security best practices
  • Promote a culture of risk and compliance awareness throughout the organisation
  • Ensure that our vendors and IT contractors protect our information assets at a level no less than our own standards
  • Manage our clients' and prospects' security requirements
  • Real-time analysis of immediate threats, and triage of security risks
  • Maintain regulatory compliance to all relevant and applied standards
  • Ensure that the Principle of Least Privilege (PoLP) is implemented across the organisation
  • Follow security best practices to identify, assess, monitor and escalate as appropriate, vulnerabilities and other cyber security threats, balancing priorities, cost vs benefits.
  • Keep up to date with the latest threats and potential mitigations, available tools and compliance requirements within the finance sector and broader security community.

Work Involves

  • Performing security reviews and approving changes to systems as part of the change control process;
  • Maintaining incident response plans, disaster recovery and business continuity plans and ensuring that they are regularly tested;
  • Reviewing security policies, controls and cyber incident response plans;
  • Spot checks of teams and tests to ensure that procedures are being followed;
  • Managing incidents including reviewing investigations after breaches or incidents, including impact analysis and recommendations for avoiding similar vulnerabilities;
  • Maintaining a current understanding of the IT threat landscape for the industry;
  • Identifying, assessing, monitoring and escalating as appropriate cyber security threats;
  • Schedule periodic security audits;
  • Performing security awareness training as well as ongoing communication to staff of cyber security policies and procedures, with more in-depth training for those who are non-technical staff;
  • Managing all teams, employees, contractors and vendors involved in IT security;
  • Maintaining regulatory compliance to all relevant and applied standards (e.g. SOC2, CPS234 & PCI DSS);
  • Provide training and mentoring to security team members;
  • Constantly update the cyber security strategy to reflect changing laws and applicable regulations, and to leverage new technology and threat information;
  • Communicate best practices and risks to all parts of the business;
  • Complete external risk and security risk questionnaires;
  • Ensure that our vendors and IT contractors are compliant with their risk and security responsibilities;
  • Running monthly risk forums;
  • Ensuring that systems are regularly patched and hardened;
  • Manage the risk management procedures and maintain an up-to-date risk register;
  • Monitor the internal threat detection and protection system and perform hunts for vulnerabilities;
  • Ensure that any security vulnerabilities that have been raised are mitigated, coordinating between stakeholders and technical resources where needed;
  • Perform general duties required to support the running of Axe Group offices.

Desired Skills And Experience
Skills required are:

  • Current CISSP certification required.
  • Demonstrable leadership and mentoring skills within a Cyber Security function
  • Experience implementing and maintaining compliance to CPS234, SOC2 and PCI DSS.
  • Experience conducting risk assessments to industry standards and dealing with third parties
  • Ability to design, implement and execute Security Controls
  • Encryption/data protection methods (SSL) and technical implementation of Encryption standards
  • Experience engaging with internal and external stakeholders on compliance, security and governance issues
  • A calm and positive demeanor, particularly in times of urgent and competing priorities
  • Experience in writing and embedding Security Policies and Standards
  • Experience in managing security Incident Responses
  • Hands-on technical skills in security technologies are highly desirable – vulnerability management, threat hunting, SIEM, SAML, WAF
  • Good verbal and written communication skills
  • Can work independently, and can positively influence others

Other Desirable Skills

  • Experience in the finance industry
  • ITIL v3 and security certifications such as CRISC, CCSP and CGEIT
  • Experience with Elastic Stack

