Reporting to the Head of IT, the Security Manager will be responsible for developing, implementing and maintaining a good information security practice within the Serco Middle East division.
The Security Manager will work with the Group Security Manager to ensure that the SME division’s information security practice and strategy are aligned with Serco’s global practices, policies and standards.
Provide advice to key business stakeholders to ensure alignment with strategic initiatives, report on the status of risks facing the Serco Middle East division, and make recommendations, as appropriate, for the mitigation of those risks.
Work closely with contracts to identify IT security risks and assist in developing IT security (including cyber security) plans within the contractual framework.
This role will also be responsible for the management and oversight of internal and external IT Audits and Risk reviews; in so doing, they will collect evidence to prove compliance with Group Policy and Standards.
As part of the IT Leadership team and in collaboration with its other members, provide input to IT management issues and strategy setting sessions. Participate in governance and ensure all IT solutions follow appropriate governance.
Structure and reporting relationship
• The Security Manager will report directly to the SME Head of Information Technology. The role will be a single point of escalation for all IT security and cyber security related services and issues within the business unit.
• Part of the SME IT leadership team. The role will also have dotted line reporting into the Serco Group IT security function.
• Provide oversight of program objectives, initiatives, and operations across the multi-sector environment in which Serco operates
• Developing, implementing and monitoring Serco’s security plans, policies, procedures and systems across the breadth of Serco’s activities
• Develop and implement security related procedures required for day-to-day activities
• Working with Serco Middle East contracts to develop an IT cyber security plan.
• Assess and provide guidance on a range of security issues within a technology and business environment that is undergoing significant change.
• Ensuring effective security of Serco Middle East information systems and networks by collaborating with cross-functional teams responsible for service delivery operational management of security technologies.
• In cooperation with the Group Security Manager, developing and promoting an awareness culture appropriate for Serco, and maintaining, monitoring and enforcing compliance with security policies, procedures and standards
• Identifying security requirements for new applications and other software products.
• Advising management on security issues, including legislation and adoption of new security technologies.
• Managing implementation of security and control techniques as per business requirements and reviewing periodically for on-going validity.
• Facilitation, guidance or support for high severity security incidents.
• Evaluation of the proposed Disaster Recovery and Business Continuity plans for new systems implementations and major systems modifications.
• Random testing of control activities to check for possible gaps.
• Ensuring that IT staff have the required Security and Risk skills and/or knowledge to carry out their roles.
• Contribute to and audit local change management processes to prevent security weaknesses being introduced into infrastructure and processes.
• Attend monthly Group Security Team meetings with the Group Security Manager.
• Support other Serco divisions in specific areas of technical expertise where appropriate.
• Being aware of the current policies and procedures and their responsibilities for protecting corporate and contract assets from cyber security
• Work with both internal and external parties to perform security risk assessments across Serco Middle East and make recommendations to management on how to respond.
• Apply appropriate security controls to all Serco Middle East projects and perform regular reviews of projects to identify any areas of non-compliance with policy requirements.
• Working with the bid team and IT solution architects to ensure the bid’s IT solution is compliant with Serco Group security standards and SMS. Taking ownership of the IT security component of the solution.
• Ownership of the IT security incident management process and working with the IT leadership to mitigate IT risk
• Ownership of IT audits (internal and external) and perform due diligence with internal team to assure compliance
• Manage and perform risk assessments of third-party data processing of Serco’s and its customers’ data against contractual security requirements.
• Work with the Contract managers to provide risk assessments of third parties providing services to contracts.
• Provide overall management of the security awareness training programme across Serco Middle East
• Bachelor’s degree in Computer Science or equivalent
• Has a professional security qualification (e.g. CISSP)
• ITIL V 3.0, Service Management qualification.
• At least 5+ years (min) experience as a Security Manager
• At least 12+ years of relevant experience in information risk and security senior roles.
• Considerable implementation or management experience with commonly accepted industry standards and/or best practices including COBIT, ISO27000, and ITIL.
• Excellent knowledge of systems, software, technologies communication and suppliers to support business needs with particular emphasis on Microsoft based products
• Strong communication skills – Able to communicate effectively on technical and business issues with both internal and external stakeholders
• People management and technical skills
• Innovative – able to convert stakeholder requirements into workable solutions
• Excellent time management skills
• Flexible but methodical and thorough approach – process oriented
• Skill to communicate ideas to technical staff, business users and the wider stakeholders with equal clarity
Essential technical, professional skills, knowledge and essential experiences
• Demonstrates a high level of management skill, with particular emphasis on interpersonal, communication, influencing and negotiating skills and the ability to motivate staff. Demonstrates the ability to delegate effectively to more technical staff, whilst maintaining full management control.
• Understanding of current legal and regulatory requirements relating to information security and privacy across Middle East.
• Understanding of security practices and frameworks that can be implemented for industrial systems like railway infrastructures
• Broad knowledge and understanding of relevant business functions with particular emphasis on security.
• Demonstrates a thorough and current understanding of developments in information security, and is able to assimilate and interpret advice from specialists, technical and otherwise.
• Experience of managing and negotiating with suppliers.
• Experience of leading teams to analyse, assess and resolve complex technology requirements, problems and issues.
• Has the ability to interface with, and gain the respect of, stakeholders at all levels and functions of the company.
• Is an energetic self-starter and confident, with strong interpersonal skills.
• Has good judgment, a sense of urgency and demonstrated commitment to high standards of ethics, regulatory compliance, customer service and business integrity.
• Ensures that operational methods, procedures, facilities and tools are established, reviewed and maintained.
Additional dimensions, KPIs or special features of the role
• Experience working across multiple geographical and time zone boundaries would be an advantage.
• Broad expert knowledge of Information Security and Risk Management principles and practices.
• Broad knowledge of information systems, operating systems, databases and networking.
• High level knowledge of IT risk assessment programs.
• An understanding of various aspects of Disaster Recovery and Business Continuity.
• Applies and maintains specific security controls as required by organisational policy and local risk assessments to maintain confidentiality, integrity and availability of business information systems and to enhance resilience to unauthorised access.
• Contributes to vulnerability assessments. Recognises when an IT network/system has been attacked internally, by a remote host, or by malicious code, such as virus, worm or Trojan etc., or when a breach of security has occurred.
• Facilitates scoping and business priority-setting for change initiatives of medium size and complexity.
• Monitors benefits against what was predicted in the business case and ensures that all participants are informed and involved throughout the change programme and fully prepared to exploit the new operational business environment once it is in place.
• Ensure compliance with the Serco Management System and all relevant business processes, procedures and work instructions to deliver all work with appropriate quality and governance standards
• Ensure security and integrity of all data provided including reporting performance, finance and customer information; reference Serco non-disclosure policy
• To exercise personal duty of care for their own health, safety and welfare and for those affected by their acts or omissions; reference SMS GSOP-HSE1-6 Serco organisational HSE responsibilities
• Report any accidents, incidents, breaches or potential breaches to appropriate management or the speak up process
Any other role specific leadership attributes
• Ability to manage multiple priorities, tasks and diverse teams
• Commercial awareness
• Willing to share knowledge
• Ability to grasp concepts and solve problems
• Attention to detail, focus on quality
About the Company:
Serco is a FTSE 250 international service company which combines commercial know-how with a deep public service ethos.
Serco customers are looking for expertise in managing their people, processes, technology and assets more effectively. We advise economic decision makers, design innovative solutions, integrate systems and – most of all – deliver quality services directly to the public.
Serco supplies to governments, government enterprise, agencies and companies who seek a trusted outsourcing partner with a solid track-record of service excellence. Serco people offer operational, logistical and technical expertise in the Transport, Justice and Immigration, Defence, Education and Healthcare industries as well as in the commercial sectors of Facilities Management.
Serco Middle East have been in the Region since 1947, starting out delivering Air Traffic Control Services in Bahrain; a service we are proudly still running today and have expanded to include many other Airports in the region.
We have expanded significantly since that time across the UAE, Saudi Arabia and Qatar. We have been supporting the RTA to operate the Dubai Metro since 2009, and are preparing to launch the flagship Saudi Arabia Passenger Rail service from Riyadh to Qassim in 2016. We deliver Facility Management services to both Cleveland Clinic and Healthpoint Hospitals in Abu Dhabi, large-scale medical facilities in Saudi Arabia and a range of educational and commercial properties in the UAE. We also deliver postgraduate education to Officers in the Qatar Armed Forces through the Joaan Bin Jassim Joint Command and Staff College in Doha.
Focusing on our core values, and creating a positive environment for employees to thrive, we look forward to a bright future as we continue to grow with the region.