Application closing date: 1 October 2018
The United Nations Office for Project Services (UNOPS) is an operational arm of the United Nations, supporting the successful implementation of its partners’ peacebuilding, humanitarian and development projects around the world. Mandated as a central resource of the United Nations, UNOPS provides sustainable project management, procurement and infrastructure services to a wide range of governments, donors and United Nations organisations.
The Internal Audit and Investigations Group (IAIG) improves operations by providing independent and impartial assurance and advice. IAIG supports the achievement of UNOPS’ objectives by strengthening the accountability system through the provision of internal audit, investigation, and advisory services. The Director IAIG reports to the Executive Director of UNOPS.
Under the overall guidance of the Director IAIG, the CISO is the principal UNOPS advisor in the field of information and system security. The CISO will collaborate closely with key stakeholders, especially the ICT function, ensuring that appropriate standards, mechanisms and improvement plans are in place to effectively manage cyber security at UNOPS based on business risk. The CISO will be expected to:
- Implement a holistic approach for actively managing security risks associated with UNOPS global business delivery. Understand and track current and future threats and recommend how to manage them.
- Using a risk-based approach, ensure governance and related capabilities exist in order to manage information and system security. Empower business units to take ownership.
- Provide advice and recommendations on strategic as well as tactical plans for managing information security risks and emerging threats. This includes helping improve UNOPS systems, information security practices and capabilities.
- Provide independent assurance for the implementation of those plans/recommendations. This includes verifying that controls work effectively, e.g. that security breaches can be detected and responded to within a reasonable time frame.
- Enable awareness and alignment with cyber risk management, information and system security standards.
- Ensure skills/knowledge remain relevant through industry events, conferences and training.
Summary of functions:
- Strategic services
- Advisory services
- Assurance and governance
- Capability building and maintenance
- Knowledge management and innovation
- Advise on the management of cyber security risks by partnering with ICT and other key stakeholders to enable the alignment of business and information security strategies. Capture the value of security investments in order to identify and advise on safeguarding organizational “crown jewels” and assets driven by business need.
- Inspire key stakeholders in order to build commitment to Cyber Security Risk management.
- Communicate with senior management regarding:
  - Top cyber risks and how these relate to the current business challenges
  - Current security maturity level in relation to the threat landscape and industry peers
  - Emerging threats, including current and future trends, which threat actors are targeting UNOPS, and how this may impact the organization
  - Status updates on any open audit and regulatory issues
  - Public or private partnerships, including industry groups
- Understand the implications of new or emerging threats and help identify cyber security risks that arise as the business advances new standards, processes and strategies while driving UNOPS to continuously improve its security decision-making and risk mitigation capabilities.
- Help leadership and personnel be aware of and understand cyber security risks, and empower them to make decisions based on that understanding.
- Understand and communicate cyber security risk in terms of its potential to positively affect competitive advantage, business growth, and revenue expansion.
- Define cyber security risk metrics that “tell stories” to which business leaders can relate and move away from a strictly compliance-based to a risk-driven approach to security.
- Partner with business units to generate plans and recommendations for strategic as well as tactical management of system and information security processes, risks and threats.
- In collaboration with key stakeholders, create a risk-based strategic roadmap for the maturity of cyber resilience practices and capabilities at UNOPS. Align this with business and ICT objectives, including organizational risk appetite.
Assurance and governance
- Establish and maintain a framework for information and system security governance based on threat assessment and risk management.
- Recommend appropriate governance mechanisms for monitoring information security practices, surfacing risks, reporting them and monitoring progress in mitigating them.
- Partner with relevant policy owners to ensure compliance with information security standards, appropriate management approaches and reporting mechanisms. Propose corrective actions for non-compliance with information security policies and monitor their implementation.
- Provide independent assurance for the implementation of recommendations/improvements, including their effectiveness in addressing the information and system security threats.
- Address a potential “false sense of security” by facilitating security testing to verify that countermeasures are working effectively and as expected, holistically across the technology, people, process, brand and physical domains, e.g. internal and external penetration testing, red teaming, purple teaming and wargaming based on business need.
- Work with relevant stakeholders to strengthen capabilities to detect and respond to cyber attacks (multi-vector across technology, process, human and physical) on the organization, including developing metrics to track the effectiveness of defensive capabilities.
- Help build cyber resilience capability amongst the relevant stakeholder groups. Ensure awareness of, and compliance with information and system security standards.
- Communicate and be an advocate for the benefits of a risk-based approach, mapping of organizational assets and threat assessment. Promote holistic security across people, processes, technology and human aspects and empower business units and employees to take ownership of their role in securing UNOPS.
- In collaboration with PCG (HR), prepare and update the employee training and awareness plan for information and system security, as well as the induction training on information and system security topics for new employees, with regard to the current threat landscape. Drive the implementation of “phishing” tests to verify that the awareness training is working effectively.
- Develop a security integration model by either designating cyber risk champions within business units or aligning cyber risk personnel with business units to contribute towards ensuring that cyber security is a priority for all employees.
- Propose information security objectives, as well as disciplinary actions against employees involved in information and system security breaches.
Knowledge management and innovation
- Distill knowledge, best practices, threat assessment and risk-based approaches in information and system security management for UNOPS. Make it readily available.
- Maintain, update, and share knowledge of current and best-practice developments in information security with designated focal points and networks.
- Work with stakeholders to drive continuous improvements in information and system security.
- Participate in peer industry initiatives to collaborate and share threat intelligence, knowledge about current and future threats, and how to manage them.
- Attend recognized international hacking and security conferences to keep up with the latest cyber-attacks and defensive developments.
- Create a security training plan to attend relevant training courses to keep up with the latest developments and obtain any relevant security certifications.
Impact of results
The role is critical to enabling UNOPS’ delivery against its mandate and protecting UNOPS’ reputation. The effective and successful achievement of results by the CISO assures efficient and effective management of cyber risk, information and system security, in support of UNOPS’ operational risk appetite, objectives and overall organizational strategy.
- Advanced university degree in computer science or related fields. In addition, a university degree in Business Administration will be an asset. A Bachelor’s degree with 2 additional years of relevant experience may be accepted in lieu of a Master’s degree.
- A minimum of 7 years of progressively responsible experience in technical and/or managerial roles in information technology and/or information-security management in a large international and/or corporate organization is required.
- Within these 7 years, a minimum of 4 years’ responsibility in managing information-security systems or programs of complex organizations in diverse geographic settings is required.
- Experience in UN system organizations is desirable.
Experience in any of the following types of work is an asset:
- System administrator
- Network administrator
- Penetration tester
- Risk manager
- Security consultant
- IT manager
- IT auditor
- Incident responder
The following certifications are an asset:
- CISA, CISM, CRISC (or other ISACA certs)
- CISSP (or other ISC2 certs)
- OSCP (or other Offensive Security certs)
- Full working knowledge of English.
- Knowledge of another official UN language is an asset.
Contract type, level and duration
Contract type: ICA
Contract level: I-ICA3
Contract duration: Ongoing ICA – open-ended, subject to organizational requirements, availability of funds and satisfactory performance