IT Governance and Security Team Lead

Purpose:

Information security governance ensures that an organization has the correct information structure, leadership, and guidance. Helps in ensuring that a company has the proper processes and administrative security controls to mitigate risk.

Job Summary:

To lead the ongoing development of the Information Security Management System (ISMS), Qatar Cybersecurity Framework (QCSF), National Information Assurance Policy (NIAP – Qatar) and the effective provisioning of information security governance. To provide leadership in embedding a positive culture of information security awareness and compliance Organization-wide. Manage and improve the organization’s security posture while ensuring compliance with industry standards and regulations.

Objectives of the Role:

• Develop, implement, and maintain a robust IT governance framework aligned with industry standards and organizational goals.
• Create and review IT policies, procedures, and standards for compliance and operational efficiency.
• Conduct regular reviews of governance practices to ensure they are up to date with regulatory changes and best practices.
• Ensure the governance framework is consistently applied across all IT operations and projects.
• Collaborate with stakeholders to ensure alignment between IT governance objectives and business strategies.
• Lead the design and implementation of security measures to prevent unauthorized access and data breaches.
• Oversee the development and execution of cybersecurity initiatives aligned with business needs.
• Implement security technologies, such as firewalls, encryption tools, and intrusion detection systems (IDS).
• Regularly assess the security posture and adapt the strategy to address emerging threats.
• Manage & Maintain Information Security Management Program & Documentation. (Policies, Procedures, Manuals & etc.)
• Manage Business Continuity program, team/s and resources.
• Ensure compliance with relevant regulations (e.g., GDPR, HIPAA, SOX, PCI-DSS) and industry standards (e.g., ISO 27001).
• Create and maintain documentation for compliance audits, regulatory reporting, and risk assessments.
• Coordinate and facilitate internal and external audits for IT governance and security processes.
• Ensure the organization adheres to data privacy and protection regulations.
• Monitor compliance with internal IT policies and procedures.
• Identify and assess IT security risks through regular risk assessments and vulnerability scans.
• Develop and implement a comprehensive risk management plan for identifying, evaluating, and mitigating risks.
• Oversee the creation of incident response plans for handling security breaches or cyberattacks.
• Lead investigations into security incidents, document findings, and initiate corrective actions.
• Coordinate with relevant teams to ensure a quick and effective response to security incidents.
• Security Incidents (Ensuring and leading security incident management and response)
• Information Security KPIs (follow up with teams to ensure ISMS performance are monitored and reported as and when required)
• Information Security Information Provision (Ensuring security related information is provided as required both internal & external to the company)
• Skills & Knowledge Development (Ensuring skill sets of assigned teams is up to date.
• Act as the primary point of contact for all IT governance and security-related matters across the organization.
• Collaborate with business units to ensure the integration of governance and security practices into business operations.
• Provide regular updates to executive leadership on the status of IT security, risk management, and compliance initiatives.
• Develop and present detailed reports on security risks, incidents, and mitigation plans for senior management and board meetings.
• Work with external stakeholders (vendors, partners) to ensure governance and security standards are upheld.
• Information Security Awareness (Ensuring that Information security awareness is promoted throughout the business)
• Evaluate and manage security risks associated with third-party vendors and partners.
• Review vendor contracts and ensure security requirements are clearly defined and included.
• Assess third-party security practices through audits, assessments, and questionnaires.
• Implement and manage third-party access controls, ensuring secure integration into the organization’s systems.
• Conduct periodic reviews of third-party vendors to ensure ongoing compliance with security and governance standards.
• Coordinate and manage regular penetration testing to assess system vulnerabilities and potential threats.
• Lead security audits, ensuring all IT systems, policies, and controls are tested for compliance and effectiveness.
• Address findings from security audits, implementing corrective actions to mitigate identified vulnerabilities.
• Monitor and report on the results of penetration testing and audits to senior management.
• Work with development and infrastructure teams to ensure that issues identified during audits are addressed in a timely manner.

Qualifications, Certificates & Skills:

• Bachelor’s/Master’s Degree in Computer Science, Information Technology, Cybersecurity, or a related field. (or) Information Security, Business Administration, or related fields is preferred but not mandatory.
• 10 + Years overall IT with 5 + years in Cyber Security & Governance.
• Certified Information Systems Security Professional (CISSP) – Demonstrates expertise in cybersecurity and IT governance.
• Certified Information Security Manager (CISM) – For individuals focusing on managing and governing an organization’s information security program.
• Certified Information Systems Auditor (CISA) – Useful for professionals involved in auditing, control, and assurance of information systems.
• Certified in Risk and Information Systems Control (CRISC) – Specialized in risk management and control within IT environments.
• ISO/IEC 27001 Lead Implementer or Lead Auditor – For those overseeing information security management systems (ISMS) and ensuring compliance.
• COBIT 5 or COBIT 2019 Certification – Useful for IT governance frameworks and managing IT risk and performance.
• NIST Cybersecurity Framework Certification – Understanding of NIST standards for managing cybersecurity risks.
• Cybersecurity Technologies: Knowledge of firewalls, IDS/IPS, endpoint protection, VPNs, encryption technologies, and vulnerability management tools.
• Risk Management Tools: Experience with risk management platforms and tools like RSA Archer, Risk Watch, or similar.
• Network Security: Familiarity with network security protocols, VPN, DNS security, and secure network architectures.
• Security Incident & Event Management (SIEM): Experience with SIEM tools for real-time monitoring and response.
• Governance, Risk & Compliance (GRC) Platforms: Familiarity with GRC tools for managing IT compliance and risks.
• Cloud Security: Expertise in securing cloud environments (AWS, Azure, GCP) and understanding shared responsibility models in cloud platforms.
• Identity and Access Management (IAM): Knowledge of IAM tools like Okta, Active Directory, or similar solutions.
• Penetration Testing & Vulnerability Scanning: Experience using tools like Kali Linux, Nessus, or OpenVAS for testing vulnerabilities in systems and applications.
• Security Architecture: Knowledge of designing secure IT infrastructures and systems based on industry standards and frameworks.