Head of IT - Governance, Risk and Compliance (GRC)

A&O Shearman
Posted: 5 July
Offer description

We are currently recruiting for a Head of IT to join the A&O Shearman Belfast office, overseeing Governance, Risk, and Compliance (GRC).

Apply today via the link below or contact Cathie.McNeill@aoshearman.com for more information.


About the team

The firm’s ability to keep our clients’ data secure is a bedrock for our reputation as a trustworthy professional services partner to many of the world’s large and prestigious organisations. Information security is not an afterthought; it is core to all that we do, to protect not only our data but that of our clients, and has the unwavering support of the Board.

Led by our new CISO, the in-house Information Security team is a core part of our technology services structure with mature or evolving capability across all areas of digital security and cyber defence. We align our efforts to the NIST framework and other recognised certifications including ISO27001 and SOC2 and strive to keep pace with the continually evolving threat landscape, in support of A&O Shearman’s strategy to lead where global complexity creates opportunity.

In addition, you will have the opportunity to share intelligence with, and gain it from, the firm’s cybersecurity lawyers. The global team has experience advising clients on hundreds of incidents. Leveraging this experience, they feed practical lessons learned back into clients’ cyber risk management and incident response programmes.


What you will do

The Head of IT Governance, Risk, and Compliance (GRC) will lead the Information Technology (IT) and Information Security (InfoSec) Governance, Risk and Compliance capability as part of the Global CISO’s leadership team. The role oversees all aspects of IT and InfoSec GRC: developing and implementing the GRC strategy, ensuring compliance with regulations and internal policies, and managing information security risk across the organisation.

This will include leading key areas such as (but not limited to): compliance with client infosec requirements, maintenance and governance of infosec policies and frameworks, client-facing incident response activities, infosec and compliance training and awareness, and behavioural security testing. The role will also determine our external certification requirements in line with industry trends and emerging regulation.


This will include:

Governance

* Lead the development and maintenance of the information security governance framework, policies, and procedures tailored to the legal sector.

* Collaborate with business leaders to develop and maintain security posture, policies and procedures, including resolving escalations and objections to meeting these standards.

* Establish a clear understanding of strategic information security risks across the global firm, and the strategic controls and assurance approach to protect it.

* Ensure GRC strategy is aligned with the firm’s global business objectives, regulatory obligations, and client expectations.

* Ensure strategic alignment of security policies with business objectives, regulatory requirements, and legal industry standards.

* Balance the need for regulatory and client compliance with the firm’s operational agility and innovation goals, consulting with peers and senior management to achieve this.

* Collaborate with leaders across departments including Legal, Procurement, Internal Audit, and Cyber Defence to ensure a unified and consistent approach to GRC across the firm.

* Develop and maintain the annual schedule of governance meetings ensuring timely preparation and submission of papers suitable for an executive audience.

* Oversee the provision of regular reporting on all GRC activities to management through the monitoring of KPIs/KRIs. Develop strategic improvement and investment plans based upon performance and risk reporting.


Strategic Risk Management

* Accountable for the instantiation of the firm’s enterprise risk framework into the IT organisation, ensuring risks are appropriately articulated, assessed and escalated where appropriate.

* Lead the strategic approach to the identification and quantification of cyber risk for the organisation including emerging risks (e.g. artificial intelligence), and communicate these effectively to senior stakeholders.

* Oversee the development and maintenance of a forward looking, threat-led, and innovative IT and InfoSec risk management programme for the organisation.

* Advise IT and business leadership of the relative merits of risk mitigation activities, supporting effective decision making on budget allocation and prioritisation of remediation activity.

* Collaborate with wider business leaders to ensure risk management practices are integrated into wider processes and client engagements. Advise senior stakeholders on any deviations that are sought from the firm’s standard engagement terms, assessing the likely implications from a cost, risk and reputational perspective.

* Oversee the third-party security risk management capability, which assesses and monitors the security practices of vendors and partners.

* Advise on complex or exceptional policy and procedures covering the selection of suppliers, tendering and procurement.

* Ensure that supplier performance is properly monitored and regularly reviewed as defined by the Supplier Management Framework.

* Resolve conflicts between commercial procurement goals and security requirements by applying a risk-based approach to supplier management which is agreed with global leaders.

* Work closely with the Procurement team to ensure the strategic processes are in place so that all areas of commercial negotiation are documented and adhere to the Supplier Management processes.

* Maintain a contemporary view of geopolitical risk and advise colleagues in InfoSec and other relevant functions how this is affecting the firm’s current risk posture at any time.


IT & InfoSec Controls Assurance

* Lead the strategic 2nd line IT and InfoSec Controls Assurance programme. This includes designing and implementing, through the IT GRC team, the organisational approach to controls assurance in line with the risk appetite, and reporting on outcomes to senior management.

* Work closely with Internal Audit senior management to establish a strategic programme that aligns controls assurance across the three lines of defence.

* Prepare and present the outcomes of the controls assurance programme to senior leaders.


Compliance

* Ensure organisational compliance with relevant laws, regulations, industry standards, and frameworks (e.g. ISO 27001, SOC 2, NIST, SRA Code of Conduct).

* Own the annual plan and budget for accreditation activity to obtain or maintain suitable certification (e.g. ISO 27001), including liaison with third-party accreditors and the internal teams that will support the work.

* Manage relationships with regulatory bodies, external auditors, and legal industry associations, establishing proactive and collaborative ways of working on behalf of the firm.

* Lead and manage the interaction with our highest-risk clients, in liaison with our Client Audit Team and Client Relationship Partners, to ensure that we meet our obligations to clients. This will include:

  * Interfacing with major financial institutions and other similarly complex organisations to oversee client audits, ensuring that client security requirements are met and any findings or concerns are managed and actioned.

  * Providing expert advice to our in-house legal teams to support the negotiation of exceptional security-related contractual clauses for our clients.

* Integrate client and regulatory requirements into internal GRC frameworks to ensure seamless compliance and client satisfaction.


Leadership

* Lead and mentor the Information Security GRC team, consisting of highly talented professionals who operate the firm’s risk and controls frameworks and undertake general governance efforts for IT.

* Ensure the Information Security GRC team is appropriately staffed with suitable skills and capacity.

* Manage a globally distributed team across the UK, US, and APAC, ensuring alignment of GRC practices and objectives across jurisdictions.

* Manage GRC services within agreed cost and quality parameters, continually seeking opportunities for improved efficiency and effectiveness.

* Collaborate with other departments to promote a culture of security and awareness.

* Work with the physical security and in-house legal teams to ensure a consistent and coherent approach to information security and security in general.

* Influence and align stakeholders across functions without direct authority, using subject matter expertise and strategic communication.

* Represent the firm in external forums and industry groups related to information security, building our profile as a leader in information security.

* Support the business, technology, and architecture teams in mitigating cyber risk in a changing technological environment.

* Provide expert advice and guidance to security architects and cyber defence teams to ensure robust security controls are in place.



What you will have

* Bachelor's degree in Information Security, Computer Science, Law, or a related field, or equivalent professional experience. A Master's degree is preferred.

* Professional certifications such as CISSP, CISM, CRISC, or equivalent.

* Extensive experience in an information security leadership role.

* Proven experience in designing and implementing IT GRC strategy for a global organisation.

* Proven experience in working with senior stakeholders to influence GRC change and achieve common business objectives.

* Experience in successfully managing a global team.

* Strong knowledge of information security governance, risk management, and compliance frameworks.

* Practical knowledge of ISO 27001, SOC 2, NIST, and the SRA Code of Conduct.

* Excellent communication, leadership, and interpersonal skills.


You will stand out if you bring

* Ability to translate cybersecurity language into plain and accessible language.

* Proven record of leading cyber risk transformation initiatives within complex organizations.

* Cybersecurity knowledge, spanning people, processes, technology, emergency operations and management of incidents, recognizing the alignment of cybersecurity within the business and organizational culture.

* Legal experience highly desirable.


What we can offer you

We recognise that our people are our most valuable asset, which is reflected in the wide range of benefits that are available to our employees. Some of these benefits include: our occupational pension scheme, group income protection cover, private medical insurance, mental health resources and free apps, health and wellbeing services encompassing GP service, emergency back-up care support, parental and special leave, holiday entitlement increasing with length of service, holiday trading, online discounts and lifestyle management services.

Should you require additional support at any stage of the recruitment process due to a disability or a health condition, please do not hesitate to contact a member of our recruitment team who will work with you to provide any adjustments as required.

We are an equal opportunities recruiter and do not discriminate on the basis of race, colour, sex, religion, sexual orientation, national origin, disability, or any other protected characteristic.

