Ideas | People | Trust
We’re BDO. An accountancy and business advisory firm, providing the advice and solutions entrepreneurial organisations need to navigate today’s changing world.
We work with the companies that are Britain’s economic engine – ambitious, entrepreneurially-spirited and high‑growth businesses that fuel the economy – and directly advise the owners and management teams leading them.
Role Purpose
The Business Information Risk Officer (BIRO) (Manager grade) role is responsible for leading the Chief Information Security Office (CISO) service to BDO’s business streams to effectively manage information security risk. This role will play a key part in ensuring the effectiveness of BDO’s information security risk management framework, procedures, and information security control framework.
The BIRO role is the focal point for effective engagement between business streams and the CISO team. This role will be a trusted adviser to business stakeholders and provide broad knowledge of the firm’s security strategies, policies, standards, processes, and road maps to enable streams to understand and meet information security requirements.
Leading a team of Business Information Risk Analysts and working with nominated information security risk leads in the business, the BIRO will take responsibility for assessing information security risk with the business and ensure that those risks are being managed by the risk owners. Where decisions are made to accept, reduce, share or avoid a risk, the BIRO will ensure appropriate visibility and that the relevant governance committees are informed.
The BIRO will also oversee the prioritisation of activities to support business requests and the delivery of other resources supporting risk assessments, always ensuring a consistent and high-quality service is being delivered to each business area.
This role reports to the Cyber Security Manager.
Principal Accountabilities
* Lead CISO’s risk management service to the relevant streams, including responsibility for the performance management of the service and a team of Business Information Risk Analysts.
* Utilising BDO’s information security risk management tools, procedures and control framework, ensure an accurate risk posture is understood and defined for each business stream.
* Support the CISO team in maintaining ‘information security risk communities’ in the business to drive risk awareness and effective risk management.
* Support the business streams to identify and maintain registers of information assets, including infrastructure, systems, software, devices and data.
* Build and maintain effective relationships with the risk partners, risk owners, risk managers and other stream stakeholders.
* Develop collateral and appropriate materials to support engagement with business stakeholders, to explain CISO’s role, key information security concepts and build awareness of information security risk and BDO’s control framework.
* Identify information security responsibilities and controls ownership of third parties, streams, CISO and IT security teams.
* Proactively identify and support risk owners and managers to manage and regularly review information security risks and issues for streams.
* Support the business to assess criticality of assets and services.
* Lead information security aspects of business change and maturity improvements.
* Third party due diligence assessments.
* Gap analysis with BDO standards and policies.
* Identifying security capability, maturity and responsibilities within streams.
* Risk identification leading to clear business ownership and treatment actions.
* Vulnerability and technical security assessments.
* Technical point of contact for the business and third-party service providers, to ensure clarity on meeting expectations or on alternative approaches for managing risks.
* Preparation of papers and supporting business attendees for committee attendance.
* Reporting maturity, risk posture and trends to stream quality and risk partners.
* Client due diligence and bid support.
* Targeted security awareness, education, and risk briefings.
* Contribution to development and implementation of security policies and standards, and the design of security services and processes.
* Ensure that BDO policy and contractual obligations, and in turn the compliance requirements they create, are understood for each business stream.
* Identify and communicate metrics and reporting requirements to stakeholders that demonstrate security controls are effective and support creation of corrective action plans to manage improvement or change where necessary.
* Creation and maintenance of a “security toolkit” with templates of key processes and controls, communicated in language that is relevant and understandable to all audiences.
* In support of security initiatives, be able to demonstrate and track progress to all stakeholders.
* Support on security incidents by bringing together business and technical knowledge to aid impact analysis and response.
* People and performance management of Business Information Risk Analysts.
Technical Competencies
* Knowledge and experience of information security risk management frameworks and procedures.
* Experience of formal risk identification, assessment, and quantification methods.
* Knowledge of stakeholder engagement and management to achieve defined outcomes.
* Experience of service, performance, and people management to achieve defined outcomes.
* Highly self-motivated with keen attention to detail.
* The ability to build good relationships at all levels and influence stakeholders.
* Excellent verbal, written and interpersonal communication skills.
* Ability to work effectively with others, including third parties and internal teams, promoting knowledge sharing within and across teams.
* Experience of managing and directing teams, setting clear and achievable objectives aligned to the expected outcomes for the role.
* A good understanding of security frameworks and regulations including ISO 27001/27002, Cyber Essentials Plus, CIS Top 20, the Data Protection Act 2018 and the OWASP Top 10.
* Have a relevant industry certification such as CISSP, CISM, CRISC, BRMP or similar.