Risk, Compliance and Security Manager (CISO) [#4717]

Risk, Compliance and Security Manager (CISO) [#4717]

Alteo is looking for a Risk, Compliance and Security Manager (CISO) for a permanent position based in Montreal.

Your main role will be to define the strategic axes and objectives in terms of information security, operational risks, and compliance. You will implement the ISMS, as well as the risk control system, and will be responsible for ensuring platform compliance and certification. In particular, you will reinforce the ISMS, implement operational risk management, deploy the permanent control system, promote it, and oversee its implementation throughout the organization, ensure that the IT continuity plan is maintained in operational condition, and implement data governance.

Responsibilities:

• Set up the organization and governance of the business unit management activity
  • Establish, with the support of general management, a framework for the organization and governance of the activity, with regular monitoring and reporting bodies.
  • Develop lasting relationships with all contacts involved in the performance of his/her mission.
  • Contribute, as required, to studies and discussions on risk, security, compliance, and data governance.
  • Promote the added value of risk management and level 1 permanent control activities within the business unit, and ensure smooth communication with Group-level control functions.
• Manage legal, regulatory, and contractual compliance on IS security and personal data protection issues at the business unit level
  • Recommend a compliance framework: identify the risks of non-compliance and ensure the implementation of appropriate preventive measures with regard to the Group's main compliance principles and legal, regulatory, and contractual provisions.
  • Ensure compliance of contracts (customers, suppliers, employees) and contractual clauses to meet security, confidentiality, and personal data protection requirements.
  • Implement all group instructions and procedures relating to compliance.
  • Ensure transparency and accountability in decision-making related to risks and compliance (reporting and record-keeping, etc.).
  • Ensure compliance with legal and regulatory obligations applicable to the business unit, drawing on the expertise of the Group's transverse functions in this area.
  • Raise awareness and encourage employees within the business unit to report breaches of the code of conduct or compliance issues (through whistle-blowing channels and investigations, etc.).
• Information System Security Management
  • Define the governance and organization of information security within the business unit.
  • Define and obtain approval from management and the Group CISO for IS security guidelines and objectives for all activities within its scope.
  • Define and implement the general IS security policy. Implement IS security procedures.
  • Identify, analyze, and assess risks, threats, and consequences (risk mapping).
  • Define and deploy IS risk management plans.
  • Raise awareness and provide training on security and data protection issues: promote the IT security charter to all users.
  • Manage IT security incidents: activate crisis units in the event of an IS incident, and ensure the necessary coordination with the departments involved.
  • Ensure that IS audits and penetration tests are carried out, in line with IS strategy, management needs, and regulatory and contractual requirements.
  • Carry out actions to reinforce the security culture within the business unit, and ensure the involvement of all players in IS risk management, so that everyone takes full ownership of their role, the benefit/risk cost is advantageous for the Group, and the level of residual risk accepted is aligned with the risk appetite defined by management.
  • Define and manage the IT security management system (standards, tools, incident tracking, audits).
  • Monitor regulatory and technical developments to ensure that the Information Systems Security Policy is in line with these changes.
• Permanent control
  • Define the organization and governance of the permanent control system, based on the orientations of the governing bodies.
  • Provide a permanent control framework and methodological guides to support its implementation. Ensure that they are kept up to date.
  • Assist department managers/heads in the deployment of the operational risk management and level 1 permanent control system, within their area of responsibility. Ensure follow-up.
  • Using a holistic approach, ensure that operational risks are identified and qualified (e.g.: self-assessment of risks and controls), and that the operational risk management system is deployed (e.g.: management of outsourced services, implementation and monitoring of key risk indicators (KRI).

Profile:

• BAC in IT or equivalent
• 8+ years' experience in a similar role
• Experience in the electronic payment industry
• Relevant certifications (e.g. ISO27001, ITIL, COBIT, CEH, CISSP, CISA, CRISC, PMP)
• Familiarity with internal control reference frameworks (e.g. de IIA, ISACA...)
• Project management skills
• Team management techniques
• Knowledge of IT architectures and associated tools
• Strong writing skills
• Understanding of IT risks: IT norms & standards and cyber-security Process modeling
• Knowledge of the banking and finance regulatory environment
• Customer orientation
• Compliance with commitments
• Taking the initiative
• Anticipating problems
• Reporting & Monitoring
• Involvement in the Quality process
• Strong relational skills
• Team spirit
• Flexibility