Business Information Security Manager


London Full-Time 54000 - 84000 £ / year (est.)

At a Glance

  • Tasks: Lead security oversight for Regulatory Reporting, ensuring data protection and effective cyber controls.
  • Company: Join LSEG, a trusted global financial markets infrastructure and data provider.
  • Benefits: Enjoy a dynamic work environment with opportunities for growth and development.
  • Why this job: Make a real impact in cybersecurity while collaborating with diverse teams and stakeholders.
  • Qualifications: 10+ years in senior InfoSec roles, with expertise in FS or FMI industries required.
  • Other info: Must have CISSP certification; additional certifications are a plus.

The predicted salary is between 54000 - 84000 £ per year.

LSEG

LSEG is your trusted global financial markets infrastructure and data provider. Discover how we deliver value for our customers.

The purpose of this role is to assist the Director of Business Information Security (BISO) in all security matters relating to the oversight of Information Security, Cyber Security and Data Privacy within the Regulatory Reporting business line of LSEG’s Post Trade division. The successful candidate will be charged with ensuring that the critical business systems and data assets of Regulatory Reporting are adequately protected, and that all related information security and cyber controls remain effective and within risk appetite and/or have appropriate risk treatment plans in place to bring them back into risk appetite.

The role will best suit an experienced Information Security Manager with extensive experience gained from having previously operated within Senior Management level InfoSec/Cyber roles within the FS or FMI industries.

The successful candidate must be a subject matter expert in Information Security, as the role demands very strong knowledge in all areas of information security and cyber security, as well as in-depth knowledge of legacy, existing, and emerging technologies including cloud and security technologies/controls. In addition to a solid foundational Security Governance Risk and Compliance (Security-GRC) skillset, a prior background in information security engineering, security architecture, and security operations will be advantageous in this role given the various levels of stakeholders as well as the tech/cyber projects that the successful candidate will engage with daily.

Key responsibilities include:

Assisting in the oversight of Information Security by:

  • Reviewing and assessing the information security and cyber controls that enable Regulatory Reporting to conduct its business in a secure manner, and gap analysis of the same.
  • Overseeing InfoSec/Cyber-related control gap/risk remediation activities.
  • Monitoring and analysing the information security roadmaps, strategies, programmes, and projects within Regulatory Reporting, and identifying and reporting risks, trends and future opportunities for improvement and enhancement.
  • Proactively engaging and working closely with the technology and cyber teams that are delivering technology and cyber services to the firm.
  • Attending risk and governance meetings to provide updates to the Regulatory Reporting stakeholders from the three lines of defence regarding the delivery and progress of the various strategic cyber initiatives and broader cyber programme within LSEG.
  • Working with colleagues from the three lines of defence to define the current risk posture of Regulatory Reporting and collaborating with those stakeholders to remediate identified risks/issues.
  • Engaging with external third parties who provide services to Regulatory Reporting and working closely with the established internal third-party oversight functions to ensure appropriate and contracted levels of security are met.
  • Establishing and maintaining a Cyber Risk Profile of Regulatory Reporting in line with other areas of LSEG.
  • Assisting with the establishment and maintenance of a Risk Control Assessment (RCA) that focuses on InfoSec/Cyber risks and associated controls, etc.
  • Maintaining the established key performance and key risk indicators and ensuring that all management information (MI) is an accurate reflection of the current controls estate.
  • Maintaining an accurate set of executive level presentation materials that clearly and accurately present the current state of security control within Regulatory Reporting.
  • Assessing the security architecture solution designs and risk position of projects and initiatives undertaken by Regulatory Reporting and working closely with associated SMEs and design authorities to ensure projects are delivered in compliance with Policies and Standards, and with security design principles considered/implemented as key success deliverables.

Engagement with the business to:

  • Develop an understanding of business goals and operational risks.
  • Identify key areas for improvement.
  • Support the risk management decision processes and risk forums/committees.
  • Assist with the identification of emerging information and cyber security threats to the business, and the subsequent analysis to realise and oversee risk mitigation plans.
  • Build strong relationships within the business to gain an understanding of security-related business risks.
  • Work closely with governance stakeholders in the 1st, 2nd, and 3rd lines of defence on all matters relating to information security, cyber risk, data privacy, including all regulatory and legislative considerations.

Embedding Cyber across the firm by:

  • Working closely with all necessary stakeholders in the business and technology areas to ensure compliance with established LSEG policies, standards, and procedures.
  • Constructively and pragmatically challenging established controls to ensure, recommend, and accommodate continuous improvement.
  • Ensuring Regulatory Reporting stakeholders understand their responsibilities in relation to security risk mitigation and remediation.
  • Monitoring industry information security trends and keeping business leadership informed about information security-related issues and activities potentially affecting the organisation and specific business functions.

Security Governance, Technical, and Risk Review:

  • Reviewing and documenting technologies and security controls across the firm, including areas such as office spaces, data centres and cloud.
  • Executing and concluding security controls maturity assessments against industry standards such as the NIST Cyber Security Framework, ISO27001/2, SOC2, etc.
  • Working closely with stakeholders to review all projects and initiatives, assessing them for appropriate/correct levels of security design and controls.
  • Identifying technology and security risks across the firm, and assessing, appropriately scoring and presenting them.
  • Producing appropriate risk remediation action plans, and presenting and taking ownership of risk treatment proposals and action plans.
  • Reviewing and responding appropriately to regulatory and legislative matters.
  • Producing and presenting risks and risk postures/cyber maturity to senior/executive bodies.
  • Clearly and precisely presenting complex cyber risk matters to clients and regulators.

Partnering with the different business control functions:

  • Building knowledge of business units by assisting them with their security workloads, agendas, and difficulties.
  • Maintaining a balanced relationship with risk, compliance, legal, human resources, and internal and external audit functions.

Knowledge of technology, security, and threat landscapes:

  • Staying abreast of emerging technologies, including all security technologies.
  • Sustaining in-depth knowledge of the cyber threat landscape.
  • Maintaining and constantly enriching knowledge of information security and cyber risks as they develop.
  • Being able to propose and explain appropriate cyber risk counter measures clearly and concisely.
  • Remaining informed and knowledgeable on primary global data protection regulations and legislation.

Experience and core skill requirements:

  • 10 years minimum experience in senior InfoSec management roles.
  • Extensive previous exposure to FS or FMI industry organisations.
  • High performance in problem solving, innovating and critical thinking.
  • Excellent written/verbal communication and stakeholder management skills.
  • Ability to articulate ideas to both technical and non-technical audiences.
  • Must be capable of working pragmatically and efficiently in both a team and alone.
  • Able to prioritise workloads efficiently and appropriately with minimal supervision.
  • Able to work in a fast-paced, high-volume workload environment, prioritising accordingly.

Must Have Security Certifications:

  • CISSP

Desirable & Advantageous Certifications:

  • CISSP-ISSAP, CISSP-ISSEP, CISM, CCSP, CCSK, CEH

Working knowledge of Security Standards / Frameworks:

  • ISO27K, ISF SOGP, NIST CSF, CIS, CSA STAR, CBEST, TIBER-EU, SOC2


Business Information Security Manager employer: LSEG

At LSEG, we pride ourselves on being a leading global financial markets infrastructure and data provider, offering a dynamic work environment that fosters innovation and collaboration. As a Business Information Security Manager, you will benefit from our commitment to employee growth through continuous learning opportunities and a supportive culture that values diverse perspectives. Located in a vibrant city, our team enjoys a flexible work-life balance, competitive compensation, and the chance to make a meaningful impact in the ever-evolving field of information security.

Contact Detail:

LSEG Recruiting Team

StudySmarter Expert Advice 🤫

We think this is how you could land Business Information Security Manager

✨Tip Number 1

Familiarize yourself with the specific security frameworks and standards mentioned in the job description, such as NIST CSF and ISO27001. This knowledge will not only help you understand the role better but also demonstrate your commitment to the field during discussions.

✨Tip Number 2

Network with professionals in the financial services or financial market infrastructure sectors. Engaging with industry peers can provide insights into current trends and challenges, which you can leverage in your conversations with us.

✨Tip Number 3

Stay updated on emerging cyber threats and security technologies. Being able to discuss recent developments in the cybersecurity landscape will showcase your proactive approach and expertise in the field.

✨Tip Number 4

Prepare to articulate your experience in managing information security risks and controls effectively. Use specific examples from your past roles to illustrate how you've successfully navigated similar challenges, as this will resonate well with our team.

We think you need these skills to ace Business Information Security Manager

Information Security Management
Cyber Security Expertise
Data Privacy Knowledge
Risk Management
Security Governance Risk and Compliance (Security-GRC)
Security Architecture
Security Operations
Cloud Security Technologies
Stakeholder Management
Regulatory Compliance
Technical Communication Skills
Problem Solving
Critical Thinking
Project Management
Emerging Technology Awareness
Security Standards Knowledge (ISO27001, NIST CSF, etc.)
Risk Assessment and Mitigation
Executive Presentation Skills
Collaboration with Cross-Functional Teams
Ability to Work Independently

Some tips for your application 🫡

Tailor Your CV: Make sure your CV highlights your extensive experience in Information Security, particularly within the FS or FMI industries. Emphasize your senior management roles and any relevant certifications like CISSP.

Craft a Strong Cover Letter: In your cover letter, clearly articulate your understanding of the role's responsibilities and how your background aligns with them. Mention specific experiences that demonstrate your expertise in cyber security and risk management.

Showcase Relevant Skills: Highlight your problem-solving abilities, communication skills, and experience with security standards/frameworks such as ISO27K and NIST CSF. Provide examples of how you've successfully managed security risks in previous roles.

Research LSEG: Familiarize yourself with LSEG’s business model and recent developments in their Regulatory Reporting division. This knowledge will help you tailor your application and demonstrate your genuine interest in the company.

How to prepare for a job interview at LSEG

✨Showcase Your Expertise

Make sure to highlight your extensive experience in Information Security, especially within the Financial Services or Financial Market Infrastructure sectors. Be prepared to discuss specific projects or challenges you've faced and how you addressed them.

✨Understand the Regulatory Landscape

Familiarize yourself with the regulatory requirements relevant to the role, such as data privacy laws and security standards like ISO27001 or NIST. Demonstrating your knowledge of these regulations will show that you are well-prepared for the responsibilities of the position.

✨Engage with Stakeholders

Prepare to discuss how you would build relationships with various stakeholders across the organization. Share examples of how you've successfully collaborated with different teams to enhance security measures and address risks.

✨Communicate Clearly

Since the role requires articulating complex cyber risk matters to both technical and non-technical audiences, practice explaining intricate concepts in simple terms. This will demonstrate your ability to communicate effectively with diverse groups.

Application deadline: 2027-01-08