We are hiring Senior Cybersecurity Consultants for a full-time position in Riyadh, Saudi Arabia.
Mandatory Requirements are as follows:
- Arab nationals (highly preferred)
- 7 to 10 years of experience
- Available to join within 1 month
Expectations and outputs required from the workforce to support cybersecurity management
The workforce supporting cybersecurity management is expected to have the experience and qualifications needed to implement three main tracks:
- Track one: cybersecurity governance
- Track two: cybersecurity risk management
- Track three: adherence to cybersecurity controls
Track One: Cybersecurity Governance
Objectives:
- Cybersecurity strategy review:
  - Analyze, evaluate and update the current cybersecurity strategy to ensure it is aligned with the company's strategic objectives and the requirements of the National Cybersecurity Authority (NCA).
  - Update the strategy implementation plan (roadmap) based on the company's priorities and needs.
  - Measure key performance indicators (KPIs) to track strategy implementation and the extent to which goals are being achieved.
- Strengthen cybersecurity governance:
  - Establish a clear cybersecurity governance framework that defines roles and responsibilities within the company.
  - Improve the cybersecurity decision-making process to enhance transparency and accountability.
  - Prepare periodic reports on compliance and security performance and communicate them to decision-makers.
- Develop policies, procedures and standards:
  - Comprehensively review all current cybersecurity policies, procedures and standards.
  - Update the documentation to ensure compliance with the Essential Cybersecurity Controls (ECC) and any additional NCA requirements.
  - Improve policies and procedures to cover emerging areas, for example cloud security management, cryptography and data classification.
- Ensure compliance with and implementation of policies and procedures:
  - Develop an integrated plan to implement the updated policies and procedures.
  - Develop oversight and follow-up mechanisms to ensure full compliance with security policies and procedures.
  - Measure the effectiveness of the implemented policies and recommend improvements.
- Develop a capacity-building program:
  - Prepare and deliver a comprehensive training program for employees in supervisory and executive positions to raise security awareness and understanding of policies and procedures. This includes advanced cybersecurity governance courses for decision-makers to support the management of strategic initiatives.
Outputs:
- Cybersecurity strategy review report, including recommendations and an updated roadmap.
- Updated cybersecurity policies, procedures and standards consistent with NCA requirements and best practices.
- An implementation plan for the policies and procedures, including performance indicators and a monitoring and measurement mechanism.
- A capacity-building training program that strengthens skills and knowledge in cybersecurity governance.
- Monthly reports describing all work and tasks carried out by the consultant across all project tracks.
Track Two: Cybersecurity Risk Management
Objectives:
- Assess and manage cyber risks to systems and information:
  - Identify the risks associated with implementing the current policies and procedures.
  - Review and classify technical and information assets to identify the risks associated with them.
  - Create and update the company's cybersecurity risk register, including inherent risks, the effectiveness of current controls, and residual risks.
  - Update the cyber risk management methodology to align with the updated security policies and procedures within the governance framework.
  - Ensure the methodology covers cloud computing and encryption risks.
- Third-party risk management:
  - Evaluate the cyber risks related to suppliers and cloud service providers in accordance with NCA requirements.
  - Record the assessment results in the third-party cybersecurity risk register.
- Develop a risk treatment plan:
  - Develop a remediation plan for the identified risks, prioritizing implementation by the impact and likelihood of each risk.
  - Follow up on the implementation of the plan to ensure risks are effectively mitigated.
Outputs:
- An up-to-date cybersecurity risk register that includes:
  - An assessment of inherent and residual risks.
  - An evaluation of the effectiveness of current controls.
- A third-party risk assessment report with recommendations for improving security controls.
- A cyber risk treatment plan, including procedures and a schedule.
- An updated cyber risk management methodology.
- A monthly report on the most significant cyber risks, related recommendations, and the implementation status of remediation plans.
Track Three: Adherence to Cybersecurity Controls
Objectives:
- Compliance with the cybersecurity controls issued by the National Cybersecurity Authority (NCA):
  - Ensure compliance with the Essential Cybersecurity Controls (ECC), Critical Systems Cybersecurity Controls (CSCC), Cloud Cybersecurity Controls (CCC), Data Cybersecurity Controls (DCC), Telework Cybersecurity Controls (TCC), and Organizations' Social Media Accounts Cybersecurity Controls (OSMACC).
  - Periodically measure the level of compliance with the security controls and document the assessment results.
- Compliance with the encryption standards issued by the National Cybersecurity Authority:
  - Define technical standards for encryption in line with best practices and the approved technical and regulatory requirements.
  - Ensure that all encryption requirements specified by the NCA are applied to all sensitive systems and data.