Job Description for an Information Security Engagement Consultant
Business Area: Information Security
Job Title: Information Security Engagement Consultant
Scope and Coverage: Global
Outline Purpose of Role:
* Manage the complex relationships, issues, and ambiguity associated with embedding security into diverse business and technical functions.
* Drive business-wide awareness of Risk Management, Security Processes and the part Information Security plays in mitigating and controlling risks.
* Triage new requests and understand the security resource required to support secure implementation.
* Advise the business on the correct security controls and processes that should be in place within their area.
* Manage the risk profile of their business area to drive accountability for security controls and risk.
* Understand and communicate the balance between the needs of the business in creating value and the importance of managing Information Security Risk to an acceptable level.
Impact of Role:
* Help develop a proactive, risk-aware culture.
* Provide consultative advice and support to all business entities so that they can engage effectively with Information Security and its people, technologies, processes, and capabilities.
* Help drive business-wide adoption of good security practice.
Reports to: This role resides in the Cyber Security Function and reports to the Head of Information Security Engagement (Group BISO).
Direct Reports: Individual contributor with possible periodic oversight of seconded resources, contingent workers and systems integrators.
Key Elements of the Role:
The Information Security Engagement Consultant (ISEC) performs a critical role in the maintenance and implementation of security for the whole organisation. The ISEC is creative and innovative, capable of thought leadership, and is able to build strong and long-lasting relationships with key stakeholders throughout the business.
Strategic Partnerships:
* Help the organisation to adopt a risk-based approach to good security practice.
* Provide consultative advice and support to all business entities so that they can engage effectively with Information Security and its people, technologies, processes, and capabilities.
* Help embed an Information Security Management framework and communicate strategy to help drive Information Security awareness.
* Develop a clear understanding of the business area they are responsible for.
Security Consultation:
* The ISEC provides insight based on a knowledge of Information Security tools, technology, processes, standards, and trends. These skills, coupled with strong relationship-building abilities, enable the ISEC to:
  * Communicate the criticality of risk management and information security to driving confidence to transact, while protecting against regulatory non-compliance, reputational damage, and financial loss.
  * Work collaboratively with business owners within the various business entities to correctly identify strengths, weaknesses, vulnerabilities, and opportunities for improvement.
  * Formulate clear recommendations, drive governance strategies, and influence business stakeholders and technology stakeholders at all levels.
  * Drive continuous improvement in the adoption and exploitation of good information security practice across the business.
  * Drive security innovation that enables new retail capabilities while working with IT GRC to maintain appropriate risk controls.
  * Facilitate communication between enterprise security teams and retail business units.
Delivery of security services:
* Triage, review and manage new project and security requests to provide a quality, repeatable security assessment.
* Coordinate between technical teams and business stakeholders during security incidents.
* Articulate JD Sports’ Information Security policies, standards, processes, and strategy to build understanding and buy-in from the business owners enabling them to engage with information security, and consume information security controls and services.
* Help ensure that information security requirements are considered at the earliest phases of a project, so that the capabilities and services that drive JD Sports’ business have security and information protection built in as standard.
* Provide training and awareness to the business to allow a greater understanding of their role in protecting JD.
Key Attributes of The Jobholder:
* Clear, concise, and engaging communication skills, both verbal and written, including an ability to use the full functionality of commonly used reporting and presentation tools.
* Strong mentoring and organisational skills, with experience of leading and working collaboratively within multi-disciplined teams.
* An ability to manage and inspire diversely located teams to adopt good security practice and exploit the power of the available tools.
* A proven ability to work collaboratively and constructively with the various internal entities of large complex organisations and third-party providers.
Jobholder Business Impact:
* The job holder must demonstrate a comprehensive understanding of information security and risk management services to drive understanding and adoption of good practice to protect:
  * The business,
  * Operations,
  * Data repositories,
  * Compliance with regulatory requirements,
  * Finances such as cash flow and revenue,
  * Brand reputation and customer confidence,
  * Shareholder value,
  * Audit findings to prevent fines and penalties,
  * Customer data.
Quality:
* Support the adoption of repeatable processes, methods, and tools to drive consistent, trusted services.
* Deliver a high-quality consultative engagement with the wider organisation.
* Monitor Information Security adoption and help ensure compliance with applicable JD Sports policies and standards as well as recognised best practices.
* Identify and drive opportunities for continuous improvement initiatives while increasing security coverage on an ongoing basis.
* Help the business respond to developments in best practice, new and emerging threats, and changes in regulatory requirements.
Leadership:
* Provide strategic risk guidance and security thought leadership for IT projects, including the evaluation and recommendation of mitigating controls.
* Use strong communication skills and a consultative style of engagement to incrementally drive a risk- and security-aware culture throughout all parts of JD Sports and its various entities.
* Provide thought leadership, recommendations, and oversight to help implement recognised best practice.
* Use successful implementations as portable examples of excellence that can serve as a template for accelerating global adoption and coverage.
* Provide risk and security subject matter expertise to support and mentor the various businesses and teams within JD Sports.
Key Skills:
* Ability to advise, guide and inspire adoption of Information Security and Risk Management best practice resulting in an increasingly robust security posture.
* Proven track record of developing people and relationships.
* Ability to extract clarity from fast-paced, evolving scenarios by helping to clarify the inevitable ambiguity arising within a large, complex, and interdependent organisation.
* Ability to articulate goals, achievements, risks, expectations, and needs to individuals and teams at all organisational levels.
* Ability to formulate and help deliver information security and risk management training and awareness programmes in collaboration with HR.
* Demonstrable experience of a wide range of technology security solutions and controls, including hybrid cloud and on-premise security capabilities.
* Experience with common information security management frameworks, such as International Standards Organization (ISO) 2700X, NIST, CIS, the IT Infrastructure Library (ITIL), Control Objectives for Information and Related Technology (COBIT), Critical Security Controls for Effective Cyber Defense, or the ISF Standard of Good Practice / IRAM2.
* Awareness of various operating systems including but not limited to Windows, Linux, Unix.
* Awareness of Database technologies (SQL, Oracle, DB2, Mongo) and associated controls optimised for their protection.
* Awareness of security controls in widely used technologies e.g., MS Office 365.
* Awareness of Incident Management and Response tools - IBM Resilient, Remedy, Remedy CMDB.
Qualifications:
* Industry Standard qualifications and training such as SANS, GIAC or CISSP are desirable.
Values and Behaviours:
* The job holder will be a strategic thinker who is respectful and collaborative, able to work easily within a diverse and dispersed team of professionals, and will exhibit:
  * Goal-oriented focus,
  * Strong schedule keeping,
  * Openness,
  * Integrity,
  * Empathy,
  * Accountability,
  * Enthusiasm,
  * Flexibility,
  * Creativity.