Chief Information Security Officer - CISO


UNOPS - United Nations Office for Project Services


Application deadline: Wednesday 22 Jun 2022 at 23:59 UTC

Contract

This is an IICA-3 contract. This kind of contract is known as an International Individual Contractor Agreement. It is normally internationally recruited only. It is an external contract. It usually requires 7 years of experience, depending on education.

Background Information - Job-specific

The United Nations Office for Project Services (UNOPS) is an operational arm of the United Nations, supporting the successful implementation of its partners' peacebuilding, humanitarian and development projects around the world. Mandated as a central resource of the United Nations, UNOPS provides sustainable project management, procurement and infrastructure services to a wide range of governments, donors and United Nations organisations.

UNOPS Risk Unit, led by the Chief Risk Officer (CRO), is in charge of the enterprise-wide framework for risk management, internal control and information security and facilitating and overseeing its effective implementation across regions, functions and decision-making contexts. The CRO reports to the Chief Financial Officer and Director of Administration of UNOPS.

Under the overall guidance of the CRO, the CISO is responsible for shaping the UNOPS approach to Information Security (IS) and related risks and risk responses. With a business-enabling approach, the CISO will collaborate closely with leadership, corporate functions and the regional organization to drive risk-informed decision making and an optimized security posture. A key duty is to ensure that addressing information security risks is embedded into the organizational culture and into key Policies, processes and practices on data, IT and third-party management. The approach should align with leading international standards and ensure compliance with the applicable regulation.

Functional Responsibilities

Summary of functions:

  • Information Security (IS) direction and advice
  • Capability building and communication
  • Information security (IS) management, assurance and oversight

    Information security direction and advice

  • Draft the strategy for an optimized IS capability, in line with the UNOPS operational model, project portfolio, risk appetite, IT strategy, applicable regulation and international good practice standards. Ensure development roadmap(s) are in line with the vision, strategy and approach.
  • Build trust and partner with key stakeholders to establish a holistic and integrated approach for managing IS risks to strategy and global portfolio delivery.
  • Define IS priorities and enable decisions on risk taking, transfer, mitigation and avoidance based on thresholds and trade-offs.
  • Set, communicate and train on related Policies, evaluate their effectiveness and drive their implementation. Establish a clear situational view through Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).
  • Facilitate a culture within the IS domain of openness and accountability, resulting in proactive risk escalation and effective mitigation with clear and embraced ownership allocation. Lead by example.
  • Identify and advise on mechanisms for driving the culture of accountability and for IS becoming part of the UNOPS organizational DNA.
  • As a substantive contributor to the UNOPS digitalization journey, ensure that IS is incorporated into the UNOPS digitalization agenda and system requirements “by design”. As part of this, establish continuous horizon scanning and control automation capabilities.
  • Build business cases for IS investments and manage associated budgets.

    Capability and awareness building

  • Establish a global (matrix) IS organization for a coordinated roadmap implementation. Build and manage a Security Operations Center (SOC) and a 24/7 incident response capability.
  • Set up and manage a portfolio of service providers to enable a hybrid delivery model.
  • Foster collaborative relationships and partner with relevant senior stakeholders in order to:
    • Support offices in assessing their IS capability and addressing gaps identified.
    • Co-build organizational resilience capability cross-functionally, promoting a holistic approach across people, processes and technology.
    • Empower Personnel to take ownership of their role in securing UNOPS.
  • Be an advocate for the benefits of a risk-based approach, mapping of organizational assets and proactive threat assessment.
  • Develop an IS integration model by designating, training and coordinating IS champions within the organization.
  • Prepare and update an annual awareness plan, including IS induction training for new personnel.
  • Ensure that sound governance is in place to continuously improve the UNOPS IS posture and benchmark it against relevant peers.
  • Empower and train the organization on effective methods to take ownership over risk assessment, mitigation and continuity planning.
  • Recognise exemplary IS behaviour and, where appropriate, make recommendations in support of disciplinary action for information and system security breaches.

    Information security management, assurance and oversight

  • Work in collaboration with the regions and corporate functions in embedding IS into business development, contracting and delivery. Oversee and support associated due diligence and identify de-risking and business growth opportunities.
  • Partner with relevant process owners to ensure embedding of IS requirements, appropriate management approaches and reporting mechanisms. Advise on corrective actions for non-compliance and monitor their implementation.
  • Roll out a phased approach for the application of international standards (e.g. ISO, NIST, COBIT).
  • Act as lead expert on IS-specific technology solutions and platforms, including but not limited to Google Cloud Platform and ERP systems, and on deploying dedicated IS solutions (e.g. SIEM/EDR/XDR, DLP, MDM, IAM).
  • Act as a business partner to IT leadership. Collaborate with the Information Technology function in ensuring that secure system development protocols and competences are effectively in place.
  • Provide advice on data classification, data privacy, data loss prevention, asset inventory, IS architecture, vulnerability management, patch management, and incident and problem management related protocols, methods and tools.
  • Build IS awareness initiatives (e.g. phishing simulation campaigns) and communication plans, working closely with the CRO, the leadership and the UNOPS communications team.
  • Work with relevant stakeholders to strengthen the organizational capacity to detect and respond to cyber attacks (multi-vector across technology, process, human and physical), including developing metrics to track the effectiveness of defensive capabilities.
  • Support reviewing, testing and improving business continuity and disaster recovery plans.
  • Address a potential “false sense of security” through control testing.
  • Maintain ongoing intelligence on the cyber threat landscape. Advise leadership on associated risks to operations. Use scenario analysis, case studies, bow ties and exposure quantification to articulate complex, technical themes in “business language”, enabling decision making.
  • Define IS risk metrics that “tell stories” to which business leaders can relate, moving beyond a compliance- and audit-focused approach to a risk-driven approach to IS.
  • Implement robust governance mechanisms for monitoring IS practices, surfacing risks, reporting them and monitoring progress in mitigating them. Ensure timely risk and incident escalation.
  • Support independent assurance providers (e.g. Internal Audit & Investigations Group, United Nations Board of Auditors) in verifying the effectiveness of the IS Management System.
  • Oversee IS-related KPI achievement and closure of audit-related actions.
  • Provide status updates on open roadmap, audit and regulatory items.

Competencies

Develops and implements sustainable business strategies, thinks long term and externally in order to positively shape the organization. Anticipates and perceives the impact and implications of future decisions and activities on other parts of the organization. Treats all individuals with respect; responds sensitively to differences and encourages others to do the same. Upholds organizational and ethical norms. Maintains high standards of trustworthiness. Role model for diversity and inclusion.

Acts as a positive role model contributing to the team spirit. Collaborates and supports the development of others. For people managers only: Acts as positive leadership role model, motivates, directs and inspires others to succeed, utilizing appropriate leadership styles. Demonstrates understanding of the impact of own role on all partners and always puts the end beneficiary first. Builds and maintains strong external relationships and is a competent partner for others (if relevant to the role). Efficiently establishes an appropriate course of action for self and/or others to accomplish a goal. Actions lead to total task accomplishment through concern for quality in all areas. Sees opportunities and takes the initiative to act on them. Understands that responsible use of resources maximizes our impact on our beneficiaries. Open to change and flexible in a fast paced environment. Effectively adapts own approach to suit changing circumstances or requirements. Reflects on experiences and modifies own behavior. Performance is consistent, even under pressure. Always pursues continuous improvements. Evaluates data and courses of action to reach logical, pragmatic decisions. Takes an unbiased, rational approach with calculated risks. Applies innovation and creativity to problem-solving. Expresses ideas or facts in a clear, concise and open manner. Communication indicates a consideration for the feelings and needs of others. Actively listens and proactively shares knowledge. Handles conflict effectively, by overcoming differences of opinion and finding common ground.

Education/Experience/Language requirements

Education:

  • A Master’s degree, preferably in computer sciences, telecommunications, mathematics, physics or related fields, is required. A bachelor's degree with a combination of two additional years of relevant experience may be accepted in lieu of the master's degree.
  • One or more of the following certifications would be critical to success in the role and should be possessed entering the role or within the first 6 months in it:
    • CISA, CISM, CRISC (or other ISACA certs)
    • CISSP (or other ISC2 certs)
    • OSCP (or other Offensive Security certifications)
  • The following would be considered an asset: a University degree in Business Administration.
  • Experience with any of the following types of work would be considered an asset: solution development, enterprise architecture, system and/or network administration, penetration testing, risk management, security consultation, IT management, IT security management, IT audit, incident response, project management, team leadership.

Experience:

  • A minimum of 7 years of progressively responsible experience in technical and/or managerial roles in information technology and/or information-security management in a large international and/or corporate organization is required.
  • Within these 7 years, a minimum of 4 years’ responsibility in managing information-security systems or programs of complex organizations in diverse geographic settings is required.

Language Requirements:

  • Full working knowledge of English.
  • Knowledge of another official UN language is an asset.

Background Information - UNOPS

UNOPS is an operational arm of the United Nations, supporting the successful implementation of its partners’ peacebuilding, humanitarian and development projects around the world. Our mission is to help people build better lives and countries achieve sustainable development.

UNOPS areas of expertise cover infrastructure, procurement, project management, financial management and human resources.

Working with us

UNOPS offers short- and long-term work opportunities in diverse and challenging environments across the globe. We are looking for creative, results-focused professionals with skills in a range of disciplines.

Diversity

With over 4,000 UNOPS personnel and approximately 7,000 personnel recruited on behalf of UNOPS partners spread across 80 countries, our workforce represents a wide range of nationalities and cultures. We promote a balanced, diverse workforce — a strength that helps us better understand and address our partners’ needs, and continually strive to improve our gender balance through initiatives and policies that encourage recruitment of qualified female candidates.

Work life harmonization

UNOPS values its people and recognizes the importance of balancing professional and personal demands.

Contract type, level and duration

Contract type: IICA
Contract level: IICA-3, ISC-11
Contract duration: Ongoing ICA – open-ended, subject to organizational requirements, availability of funds and satisfactory performance.

For more details about the ICA contractual modality, please follow this link: https://www.unops.org/english/Opportunities/job-opportunities/what-we-offer/Pages/Individual-Contractor-Agreements.aspx

Additional Considerations

  • Please note that the closing date is midnight Copenhagen time.
  • Applications received after the closing date will not be considered.
  • Only those candidates that are short-listed for interviews will be notified.
  • Qualified female candidates are strongly encouraged to apply.
  • UNOPS seeks to reasonably accommodate candidates with special needs, upon request.
  • Work life harmonization: UNOPS values its people and recognizes the importance of balancing professional and personal demands. We have a progressive policy on work-life harmonization and offer several flexible working options. This policy applies to UNOPS personnel on all contract types.
  • For staff positions only, UNOPS reserves the right to appoint a candidate at a lower level than the advertised level of the post.
  • For retainer contracts, you must complete a few Mandatory Courses (around 4 hours) in your own time, before providing services to UNOPS.
  • The incumbent is responsible for abiding by the security policies, administrative instructions, plans and procedures of the UN Security Management System and those of UNOPS.

It is the policy of UNOPS to conduct background checks on all potential recruits/interns. Recruitment/internship in UNOPS is contingent on the results of such checks.

Source: jobs.unops.org