
Global Manager, Security, Risk And Compliance

Company: Finning
Address: Calgary, Alberta, Canada
Employment type: Full-time
Category: Machinery Manufacturing
Expires: 2023-09-03
Posted: 9 months ago
Job Description
Company: Finning International Inc.
Number of Openings: 1
Worker Type: Permanent
Position Overview:
Reporting directly to the Chief Information Security Officer, the Global Manager, Security, Risk and Compliance is responsible for managing the global IT Security, Risk, and Compliance program. This leadership role designs, documents, implements and governs information security controls and IT compliance programs to meet corporate, legal and regulatory requirements. The role is also accountable for strategically defining and leading the delivery of the Cyber Security Awareness program, in multiple languages, across Finning globally.
The Security, Risk, and Compliance Manager is accountable for the development and continuous improvement of Finning's Information Security Management System (ISMS), based on industry frameworks such as ISO 27001, NIST, and other applicable control sets. The role requires a broad and in-depth understanding of technical and professional skills across many disciplines, including: IT Governance, Risk Management, Information Security and Identity and Access Management, Security Operations, Security Architecture, Legal and Regulatory Compliance, Audit, Organizational Change Management, Communications, Learning and Development, Analytics, Vendor Management, Policy Management, Project Management, and Data Governance.
Major Job Functions:
IT Governance
  • Strategically build and automate a global Governance, Risk and Compliance (GRC) program to record applicable controls and to collect and manage the supporting artifacts they require.
  • Provide guidance on cyber technical and contractual requirements during vendor procurement through contract reviews.
  • Collaborate with key stakeholders to create, implement and govern the information security policies, standards, controls baseline and controls maturity model, ensuring that corporate and regional regulatory compliance is regularly validated.
  • Define and deliver appropriate GRC metrics to leadership.
  • Act as primary liaison for all external and internal audits, including reviewing requests, monitoring audit execution, and reviewing findings with IT Leadership. The audits may or may not be related to information security.
  • Indirect ownership of all global IT security policies.
IT Risk
  • Lead the Risk Management and Compliance assessment team, which performs risk assessments and compliance reviews to ensure that on-premise information systems, cloud service providers and cloud solutions adequately protect Finning's and our customers' information.
  • Direct applicable maturity assessments toward obtaining ISO 27001 and ISO 27701 certification, CSOX compliance, and SOC 2 Type II attestation.
  • Respond to customer and cyber-insurance information security and data protection questionnaires.
  • Develop and maintain the global Risk Management framework, process, and risk register monitoring program.
  • Assign risk weightings to policy exception requests and monitor risk treatment plans to closure.
Security Awareness
  • Full accountability and program ownership for global cybersecurity awareness: strategic program definition and execution, vendor/contractor procurement, and team management.
  • Management of all content created and presented, metrics collection, data analysis, and continuous program improvement.
Performance Management
Provide leadership to regional governance, risk, and compliance and security awareness analysts. Oversee their goals, performance metrics, and career development.
Accountability:
  • Develop, maintain, and deliver the global IT maturity measurement platform
  • Manage relationships with stakeholders, ensuring that they receive the information that they need to drive remediation efforts or risk acceptance
  • Mentor individuals, possibly within other parts of the organization to provide understanding of Risk Management concepts
  • Manage team goal setting and business objectives within the program
  • Identify and deliver on the communications needs of stakeholder groups in conjunction with business owners and subject matter experts
  • Provide organizational leadership and guidelines to promote the development and exploitation of specialist knowledge in IT Risk Management
  • Plan and schedule the delivery of awareness activities, based on learning objectives
  • Evaluate project and/or program performance and recommend changes where necessary
  • Analyze business processes for improvement; identify alternative solutions, assess feasibility, and recommend new approaches by establishing and communicating recommendations
  • Facilitate translation of awareness communications
  • Authority over Information Security Policy management including, creation, gap assessment, exceptions, and approval
  • Set performance targets, and monitor progress against agreed quality and performance criteria
  • Lead the provisioning of authoritative advice and guidance on the requirements for security controls in collaboration with experts in other functions, e.g. legal, security architecture, technical support
  • Plan and manage the implementation of organization-wide processes and procedures, tools and techniques for the identification, assessment, and management of IT risk inherent in the operation of business processes and of potential risks arising from planned change.
  • Negotiate with stakeholders at senior levels, ensuring that organizational policy and strategies are adhered to
  • Allocate responsibilities and/or packages of work to vendors and consultants assisting in the program
  • Manage content development, ensuring that adequate procedures, standards, tools, and resources are in place and implemented to provide the appropriate quality of material
  • Responsible for leading the execution of tasks associated with IT Security Governance, Risk, and Compliance
  • Responsible for leading, developing, and executing the Information Security Management System (ISMS) program
  • Contribute to reviews and audits of project and program management to ensure conformance to standards
  • Ensure that the program is being managed to realize business benefits
  • Review information systems for compliance with legislation and specify any required changes
  • Drive integration of risk and compliance services into business processes and operational objectives
Knowledge Required for the Role:
  • In-depth knowledge of a broad range of standards and frameworks, for example the ISO/IEC 27000 series, NIST Cybersecurity Framework, IT Infrastructure Library (ITIL), Payment Card Industry Data Security Standard (PCI DSS), Bill 198 (CSOX), Personal Information Protection and Electronic Documents Act (PIPEDA), and General Data Protection Regulation (GDPR)
  • Understanding of organizational change management models such as Prosci or ADKAR
  • Proven expertise with multiple security technologies, including email security, firewalls, antivirus/EDR, encryption, employee productivity solutions, cloud security, IoT, SIEM, IPS/IDS, DLP, MFA, etc.
Qualification for the Role:
  • Spanish is an asset, not mandatory
  • 10 to 12 years of demonstrated experience in IT management or related disciplines (for example, Security Operations, Risk, IT Governance, Audit, and Compliance, etc.)
  • Optional: Lean Six Sigma Green Belt certification or higher
  • Optional: GIAC Security Leadership (GSLC) or equivalent, Certified Information Systems Security Professional (CISSP)
  • Optional: GIAC Security Essentials (GSEC) or equivalent
  • Professional certification in Information Security, Risk Management or Auditing, or working towards one (such as CISSP, CISM, CISA, CRISC, CIPP, ISO 27001 Lead Auditor, etc.)
Specific Soft Skills:
  • High degree of initiative, commitment, dependability, and ability to work with little to no supervision
  • Strong skills in presenting technical information to non-technical audiences
  • Ability to establish and maintain harmonious working relationships with co-workers, staff, and external partners in all locations, and to work efficiently in a professional team environment
  • Strong written and verbal communication skills, including the ability to effectively communicate security and risk-related concepts to technical and non-technical audiences, with strong interpersonal and collaborative skills
  • Ability to thoughtfully evaluate and find an appropriate balance between security risk, compliance requirements, legal and contractual commitments, technical capabilities/limitations, and business goals
  • Proven competency in statistical data analysis
  • Ability to exercise judgement in recognizing the scope of work and protecting strategic and sensitive information
  • Ability to develop a comprehensive understanding of Finning's business, market, and industry, and to relate that knowledge to the weighting of business risk
  • Strong negotiation skills, to facilitate commitment to, sign-off on, and appropriate documentation of accepted levels of residual risk
  • Strong leadership focus on mentorship, teamwork, psychological safety, and building trust
  • Proven ability to communicate with people at all levels — from analysts to executives
  • Willingness to take full ownership and skillfully manage competing priorities, anticipate issues, and proactively drive resolution
  • High level of personal integrity, with the ability to handle confidential, legal, and other sensitive matters professionally and with the proper level of judgment and maturity
At Finning, we prioritize creating a diverse and inclusive environment. We are proud to be an equal opportunity employer, and we actively encourage all individuals to express themselves and achieve their full potential. As a company, we continuously strive to enhance our outreach to individuals of all backgrounds and identities. We do not discriminate against applicants based on gender identity, race, national and ethnic origin, religion, age, sexual orientation, marital and family status, and/or mental or physical disabilities. Furthermore, Finning is committed to collaborating with and providing reasonable accommodations /adjustments to individuals with disabilities. If you require an adjustment/accommodation at any point during the recruitment process, please inform your recruiter.