R&D Security Risk Management (RD SRM) operates within the R&D domain, which includes Development & Engineering and System Engineering. The Information Security Risk Manager is responsible for keeping information security risks within the R&D risk appetite by identifying and assessing risks, driving risk mitigation and monitoring execution.
As part of this profile, you will support the RD SRM department as a whole, with responsibility for information security across multiple focus areas, including identity and access management, application security, cloud security, intellectual property protection and projects.
Perform information security risk management activities across all focus areas. These activities include the execution of generic risk assessments, analysis/evaluation of identified risks and proposed mitigating controls. This may also include:
Conducting Information Systems Security Assessments (Application Security)
Completing GRC assessments for new business/IT projects (on-premise and cloud)
Assessing DevOps environments
Prepare risk reports, guiding the process on management response and driving the mitigation of agreed controls
Maintain the R&D security risk register (including product security risks)
Identify product security exceptions
Support the product security incident management process
Align with other security competences (IT and Business) within the security community
Perform generic risk assessments for identified risks and create risk reports
Ensure compliance with security policies and standards
Provide and contribute to security awareness training on specialized topics, such as secure software development.
Bachelor's degree and relevant education in Information Security.
In possession of one or more valid industry certifications (CISM, CISA, CISSP, CRISC, CCSP).
7+ years of relevant experience in information security risk management.
Proven experience with the ISO27001/2 framework; background in ISO31000 is also beneficial.
Knowledgeable of relevant laws and regulations (GDPR, privacy and US export regulations).
Proven knowledge and experience in the IT security domain.
Experience in dealing with IaaS and PaaS (information) security risks (preferably on Azure and GCP).
Knowledge of Identity and Access Management processes.
Familiarity with development and engineering processes, way of working and culture.
Ability to translate IT threats and vulnerabilities into business risk and drive mitigation.