Chief Risk Officer- KSA

Responsibilities:

1. Ensures compliance with all applicable cybersecurity regulations and standards in the region, especially those issued by the Saudi Arabian Monetary Authority (SAMA), and provides necessary support and cooperation to regulatory bodies during audits and inquiries.
2. Follows up on the review of security procedures and mechanisms, participates in defining security responsibilities and controls, and works with external information security consultants to enhance the bank's information security posture.
3. Conducts in-depth analysis of past cybersecurity incidents to prevent recurrence and to continuously improve the cybersecurity system.
4. Oversees, reviews, and periodically updates the bank’s Information Security Policy and technology framework (COBIT), assesses risks based on NIST standards, evaluates data protection mechanisms and encryption practices, and ensures proper access controls to backup media and devices. Reviews them periodically in line with the branch's strategy by analyzing and managing cybersecurity risks, access controls, and information security documentation standards, and contributes to developing and implementing these policies to improve information governance.
5. Manages the implementation of the cybersecurity program, develops an approach to integrate cybersecurity into bank operations at all levels, manages cyber risk assessments, recommends mitigation controls and procedures, defines cybersecurity requirements for current and new projects, and oversees information/system classification processes.
6. Evaluates the adequacy of cybersecurity risk controls and approves exceptions based on acceptable risk levels and regulatory guidelines, in coordination with the group-level information security team.
7. Measures and develops the performance of cybersecurity programs and key risk indicators, ensures compliance with cybersecurity policies, standards, and procedures, and regularly reports the cybersecurity program status to the Board of Directors and relevant committees as needed.
8. Reviews system user reports to ensure the application of authorized user access policies across bank data, identifies users violating approved policies, and takes corrective actions to prevent future breaches.
9. Assesses the efficiency of IT infrastructure security by monitoring performance indicators, using appropriate tools, and reviewing configuration reports.
10. Manages security and cyber incident response and digital forensics, and implements necessary actions to address and minimize impacts in alignment with business continuity plans and in coordination with relevant internal and external parties.
11. Manages access control policies at all levels in coordination with information owners and helps develop the necessary procedures for access transitions.
12. Ensures the bank’s compliance with information protection laws and regulations, including the General Data Protection Regulation (GDPR) and the Personal Data Protection Law (PDPL) in Saudi Arabia, by monitoring data handling, processing, and storage practices.
13. Develops and enhances cybersecurity procedures by simulating cyberattack scenarios such as phishing and penetration testing to safeguard the bank’s interests.
14. Ensures external service providers comply with the bank’s cybersecurity standards by conducting regular security assessments and ongoing monitoring to protect the bank’s rights.
15. Collaborates with external information security consultants to improve the bank’s information security framework.
16. Prepares periodic information security reports for relevant departments and committees at the branch and head office levels. Reviews activities of various automated systems and prepares periodic reports on the Information Security / Business Continuity unit, reflecting relevant security events.
17. Submits detailed cybersecurity risk reports to relevant committees and stakeholders, including trends, breach probabilities, and mitigation strategies quarterly or as required.
18. Oversees the review of information systems/cybersecurity control measures, periodically assesses information risk, recommends new technologies and countermeasures to align with global trends, and supervises the security of any new services or projects planned by the bank.
19. Develops and delivers information security awareness and training programs for bank staff in collaboration with the group-level information security team.

Requirements

Skills and Competencies (as previously translated):

• A university degree in Computer Engineering or any related field.
• A minimum of 10 years of experience in Information Technology (IT), including at least 5 years in Information/Cyber Security.
• Preferably holds certifications such as CISM, ISO 27001, PCIP, or any related certification.
• Strong planning and organizational skills.
• Decision-making capabilities.
• Full fluency in English (spoken and written).
• Strong analytical abilities.
• Proficiency in computer usage and working with implemented systems.
• Thorough knowledge of internal and external policies and procedures governing the work.
• Excellent interpersonal and communication skills.
• In-depth knowledge of PCI, COBIT, ISO 22301, cybersecurity standards, and any information security regulations issued by regulatory bodies.
• Ability to work under pressure.