Boadilla del Monte, Spain
Chief Information Security Officer Technology Risk & Cybersecurity Director

Country: Spain

Santander is looking for a Chief Information Security Officer (CISO) for SCIB, based in our Boadilla del Monte (Madrid, Spain) office.

WHY YOU SHOULD CONSIDER THIS OPPORTUNITY

At Santander (www.santander.com), we push the boundaries and create innovative, customer-centric tech solutions for Santander. We collaborate to provide these world-class technical solutions by adopting Agile across our business as we digitally transform our platforms and services to create the bank of the future.

Cybersecurity is one of the Santander Group's main priorities and a crucial element to make Santander a cyber-resilient organization that can withstand, detect, and rapidly react to cyberattacks, while constantly evolving and improving our defences. The protection of systems, information and customers is a priority for the Group and a crucial component of Santander's purpose of "helping people and companies to prosper" and our goal of "offering excellent digital services for our customers".

If you share our passion for technology and are up for the challenge, come join us!

Our mission is to contribute to helping more people and businesses prosper. We embrace a strong risk culture, and all our professionals at all levels are expected to take a proactive and responsible approach toward risk management.

 

Santander is proud of being an organization where there are equal opportunities regardless of age, gender, disability, civil status, race, religion or sexual orientation.  

WHAT YOU WILL BE DOING

Santander Corporate & Investment Bank supports corporate and institutional clients, delivering tailored services and value-added wholesale products suited to their complexity and sophistication.

The CISO of SCIB will be responsible for implementing and running the Santander Global Information Security program to ensure that SCIB, along with its perimeter of information assets and associated technology, applications, platforms, systems, infrastructure and processes, is adequately protected in the digital ecosystem in which we operate. That will involve identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.

The CISO position requires a visionary leader with sound knowledge of business management, but also deep knowledge and/or previous experience within investment banking environments (as well as strong understanding of regulatory requirements inherent to this activity), and a working knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem.

He/She should understand and articulate the impact of cybersecurity on (digital) business and be able to communicate this to the senior stakeholders.

The CISO must be knowledgeable about both internal and external business environments and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory and contractual obligations.

The role reports hierarchically to the T&O of SCIB with functional reporting line to the CISO Entity Engagement Global Head and is also a member of the Global CISO Leadership Team.

Tasks and Responsibilities

Lead the Organization

- Set and supervise correct implementation for SCIB cyber security strategy in line with Santander Group’s Cyber Security Corporate Framework and Strategy, SCIB regulatory requirements and business needs
- Leads the information security function across SCIB company to ensure consistent and high-quality information security management in support of the business goals
- Determines the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas
- Manages the budget for the information security function, monitoring and reporting
- Functional management of the local CISOs in SCIB Branches

Implement the Strategy

- Implements the information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate
- Support and enable adoption of Santander global defenses across systems and information of SCIB
- Implements and monitors a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled or/and processed by the organization
- Assists with the identification of non-IT managed IT services in use and facilitates a corporate IT onboarding program to bring these services into the scope of the function, and apply standard controls and rigor to these services
- Works effectively with business units to facilitate information security risk assessment and risk management processes

Build the Network and Communicate the Vision

- Creates the necessary internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required

Operate the Function

- Drive implementation of Santander Group's cyber security minimum requirements, policies and regulatory requirements in SCIB
- Implements a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties
- Works with the compliance area to ensure that all information owned, collected or controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy
- Collaborates and liaises with the data privacy officer to ensure that data privacy requirements are included where applicable
- Facilitates the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings
- Ensures that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines
- Oversees technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk
- Manages and contains information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation
- Monitors the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action
- Develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes may be outside the corporate perimeter
- Coordinates the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas
- Facilitates and supports the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem

Establish Governance and Build Knowledge

- Provides regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders as part of a strategic enterprise risk management program, thus supporting business outcomes
- Develops, socializes and coordinates implementation of security policies
- Understands and interacts with related disciplines, either directly or through committees, to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management
- Provides clear risk mitigating directives for projects with components in IT, including the mandatory application of controls
- Leads the security champion program to mobilize employees of the Entity

Requirements

Education, Training and Previous Experience

- Demonstrated experience and success in senior leadership roles in risk management, information security, and IT or OT Security
- Degree in business administration or a technology-related field such as science or engineering

Desired, but not required:

- Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials
- Experience successfully executing programs that meet the objectives of excellence in a dynamic business environment

Technical and Business Experience

- Knowledge and understanding of relevant legal and regulatory requirements regarding Cybersecurity
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework
- Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
- Up-to-date knowledge of methodologies and trends in both business and IT

Knowledge and Skills

- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists
- Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization
- Ability to lead and motivate the information security team to achieve tactical and strategic goals
- Excellent stakeholder management skills
- Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
- Project management skills: financial/budget management, scheduling and resource management
- A master of influencing decisions when achieving a desirable outcome is vital

Personal Characteristics

- Poise and ability to act calmly and competently in high-pressure, high-stress situations
- High degree of initiative, dependability and ability to work with little supervision while being resilient to change
- High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity
- Has good judgment, a sense of urgency and has demonstrated commitment to high standards of ethics, regulatory compliance, customer service and business integrity
- A critical thinker, with strong problem-solving skills
- Strong problem-solving and trouble-shooting skills
- Self-motivated and possessing of a high sense of urgency and personal integrity

OTHER INFORMATION

Our team members come from very different types of companies, including banks, tech companies, trade companies, start-ups, and consulting firms. We believe in the power of diversity in backgrounds, nationality, gender, and more.

Would you like to grow with us? Join our team!

If you want to know more about us, follow us on https://es.linkedin.com/company/banco-santander and https://www.linkedin.com/company/santander-corporate-investment-banking/

#SCIB
