The Information and Communications Technology (ICT) Risk department is part of the Group RISK ORC Functions within BNP Paribas. It is a part of the 2nd Line Of Defence (2LOD) under the Bank’s Chief Cyber & Technology Risk Officer. Among others, the department has responsibility for identification of key technology risks to the Bank and influencing business and technology partners to take sound risk management decisions.
This is achieved by delivering:
- Application & Infrastructure Risk Assessments working with the Business and Technology teams to identify security issues in existing and new systems, and agree corresponding actions to mitigate or accept risks. Tracking issues and agreed actions to completion.
- Horizontal Risk Assessments – Assessing technology risks in relation to a particular theme or technology across the organization. Examples could be assessments of the firewall change process, applications processing >$5m per day, applications hosted in the cloud, etc.
- Vertical Risk Assessments – Assessing risks to a product, service, technology or infrastructure. For instance, we may complete a vertical assessment on our remote working solution (including infrastructure, applications, data, threats etc.) or our Internet connectivity.
- Partnership to the Business and Technology teams in helping them understand their technology risk profile and influencing their risk management decisions.
One of the RISK ORC ICT initiatives includes enhancing the cloud security capability across the Group and establishing a global community to discuss issues and risks and align with the strategic roadmap.
Key responsibilities for the Cloud Security Specialist include:
- Engaging with C-suite stakeholders across the Group to understand the current state of cloud security.
- Performing root cause analysis and recommending process improvement opportunities / identifying risks and relevant mitigating controls.
- Working with the function lead to prepare board-level presentations on observations, gaps and the global remediation roadmap, including Cloud Security strategy, remediation plans and design solutions.
- Preparing and enforcing standards and guidelines for cloud security globally.
- Building a global community to discuss issues and risks and align with standardised processes and toolsets.
- Providing expert advice into first line of defence initiatives.
- Assisting with audit-related issues.
- Preparing / contributing to the development of independent testing controls.
- Supporting the RISK ORC community globally in defining better maturity models for independent testing.
Risk Management Environment:
Identification & Assessment: Ensure that the identification and assessment of operational risks are effectively done across the organization by correlating input from Audit Findings, Internal Loss Data Collection and Analysis, External Data Collection and Analysis, Risk Control Self-Assessments, Business Process Mapping, KPIs and KRIs, Scenario Analysis, and Quantified Measurement and Comparative Analysis.
Monitoring & Reporting: Implement a process to regularly monitor operational risk profiles and material exposure to losses, and provide appropriate reporting mechanisms to the board, senior management and the business lines. Data capture and operational risk reporting should be continuously enhanced and provide a feedback loop to enhance risk management policies, procedures and practices.
Control & Mitigation: Improve the effectiveness of the Internal Controls programme by reviewing the control environment, risk assessment process, control activities, information and communication, and monitoring activities. Assess operational risk response strategies. Validate risk transfer options.
• Professional qualifications relevant to IT, Information Security and Business Continuity (such as a university degree, CISSP, MBCI, CBCP, CISM or CRISC).
• Good knowledge of ICT topics
• Has the proven ability to think outside of the box, challenge industry norms and adapt quickly to evolving requirements.
• Candidates should be able to apply a consulting approach.
• Excellent ability to understand how and why processes and solutions are designed to deliver specific outcomes.
• Is self-aware, anticipates problems, adapts and meets them head on.
• Role model, promotion of a culture of good conduct and contribution to maintaining such a culture
• Proactivity, transparency and clear accountability for the determination and management of behavior risks
• Excellent skills in problem solving, presentation and consultation
• Teamwork with peers and management
• Strong project management skills, pragmatism and level of report
• Exceptional communication skills, both written and oral.
• Experienced cloud security technologist with hands on experience in a cloud-first environment.
• Must be able to articulate and document design and implementation approaches for secure cloud architectures.
• Detailed knowledge of sustainable and risk based security cloud controls required for a financial institution.
• Detailed knowledge of cloud delivery, security and deployment models for IaaS offerings, including understanding of IBM Bluemix, Amazon Web Services (AWS) and Microsoft Azure platforms.
• Working knowledge of cloud security standards including NIST, CIS, NCSC and ISO.
• Experience with Software Defined Data Centre (SDDC) and Software Defined WAN (SD-WAN).
• Experience in creating cloud solutions in Security Technologies including Security Information and Event Management (SIEM), Public Key Infrastructure (PKI), Network Security, Cloud Security, Firewalls, Intrusion Detection / Prevention, Anti-Malware, Email Security, Web Content Filtering, DDoS Protection, Industrial Control Security, Mobile Device Security, Endpoint Detection & Response, Patch Management, Deceptive Technologies, Data Loss Protection, Application Security and Identity and Access Management.
• An understanding of Cloud Access Security Broker (CASB) deployment in front of SaaS services and integration of CASB with SOC/SIEM services.
• Good understanding of financial applications including interdependencies, conflict of interest and organisational responsibilities.
• Strong risk mindset with understanding of applicable Technology Risk and Business Continuity regulatory requirements in the financial services sector.
• Knowledge of risk analysis methodology especially in relation to Cloud Security.
• Must be able to interface and coordinate work efficiently and effectively with business and technology partners.
• Excellent communication and influencing skills, including ability to articulate complex issues and incorporate feedback.
• Good team player, strong stakeholder management, relationship building, influencing, facilitating and presenting skills.
• Good listening and analytical skills including:
o Being able to come to a thoughtful and business focused conclusion quickly.
o Ability to co-operate and work well with others adopting an approachable style.
o This is important as we work closely with a large and diverse set of suppliers and customers.
o Ability to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits.
o Demonstrating a calm professional approach, with a good understanding of delivery within time constraints and the need to escalate/inform departmental management as appropriate.
o Adapting personal approach to suit situations, individuals, groups and cultures.
o Is flexible in relation to getting the job done.
o Taking accountability for their actions, being open and honest when things have gone wrong, and celebrating successes when things have gone well.
o Being rigorous and thorough – especially when logging and tracking issues through to conclusion.
o Ability to manage their workload so as to meet the realistic targets and priorities set in conjunction with management.
o Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business.
• Ability to express views clearly and fluently, both orally and in writing.
• Considers the audience, avoiding technical jargon wherever necessary and appropriate.
• Works iteratively, delivering quickly and frequently to produce high-quality documents and outputs which require little to no rework.