Chief Information Security Officer
Geneva
- Organization: Gavi, Vaccine Alliance
- Location: Geneva
- Grade: Level not specified
- Occupational Groups:
- Information Technology and Computer Science
- Security and Safety
- Managerial positions
- Closing Date: Closed
Position title: Chief Information Security Officer
Location: Geneva
Purpose of the position: The Chief Information Security Officer (CISO) is a leader in the Knowledge Management & Technology Solutions (KMTS) team who is responsible for implementing and running the secretariat information security program. That will involve identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing secretariat objectives.
Department: Digital Transformation
Team: Knowledge Management & Technology Solutions (KMTS)
Reports to: Chief Technology & Knowledge Officer
N° of positions supervised (if applicable): ~2 (~10 consultants)
Career step level: 5
Gavi, the Vaccine Alliance is a public-private partnership committed to saving children's lives and protecting people's health by increasing equitable use of vaccines in lower-income countries. The Vaccine Alliance brings together implementing country and donor governments, the World Health Organization, UNICEF, the World Bank, the vaccine industry, technical agencies, civil society, the Bill & Melinda Gates Foundation and other private sector partners. Gavi uses innovative finance mechanisms, including co-financing by recipient countries, to secure sustainable funding and adequate supply of quality vaccines. Since 2000, Gavi has contributed to the immunisation of more than 888 million children and the prevention of more than 15 million future deaths.
THE ROLE
This position requires a visionary leader with sound knowledge of business management and a working knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem. A key element of the role is working with the Senior Management Team to determine acceptable levels of risk for the organization. He or she will proactively work with departments and teams to implement practices that meet agreed-on policies and standards for information security. The CISO should understand and articulate the impact of cybersecurity on (digital) business, and be able to communicate this to the Audit & Finance Committee and other senior stakeholders.
The CISO must be knowledgeable about both internal and external business environments, and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory and contractual obligations. He or she serves as the process owner of the appropriate second line assurance activities not only related to confidentiality, integrity and availability, but also to the safety, privacy and recovery of information owned or processed by the secretariat in compliance with regulatory requirements. The CISO understands that securing information assets and associated technology, applications, systems and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter.
MAIN DUTIES/RESPONSIBILITIES
- Develops an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate.
- Develops, implements and monitors a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the organization.
- Assists with the identification of non-KMTS managed IT services in use ("citizen IT") and facilitates a corporate IT onboarding program to bring these services into the scope of the KMTS function, and apply standard controls and rigor to these services; where this is not possible, ensures that risk is reduced to the appropriate levels and ownership of this information security risk is clear.
- Works effectively with departments and teams to facilitate information security risk assessment and risk management processes, and empowers them to own and accept the level of risk they deem appropriate for their specific risk appetite.
- Leads the information security function across the secretariat to ensure consistent and high-quality information security management and operations in support of the secretariat goals.
- Determines the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of risk areas.
- Facilitates an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
- Provides regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
- Develops, socializes and coordinates approval and implementation of security policies and provides input for the KMTS section of the Secretariat code of conduct.
- Works with the Procurement team to ensure that information security requirements are included in contracts.
- Directs the creation of a targeted information security awareness training program for all employees, contractors and approved system users, and establishes metrics to measure the effectiveness of this security training program for the different audiences.
- Understands and interacts with related disciplines, either directly or through committees, to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
- Provides clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.
- Develops and enhances an up-to-date information security management framework based on International Organization for Standardization (ISO) 27001 and National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Creates and manages a unified and flexible, risk-based control framework to integrate and normalize the wide variety and ever-changing requirements resulting from applicable global laws, standards and regulations.
- Develops and maintains a document framework of continuously up-to-date information security policies, standards and guidelines. Oversees the approval and publication of these information security policies and practices.
- Creates a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
- Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitates appropriate resource allocation, increases the maturity of the information security function, and reviews it with stakeholders.
- Creates the necessary internal networks among the information security team and the audit & investigations, finance & operations (including physical security), legal and HR management teams to ensure alignment as required.
- Builds and nurtures external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
- Liaises with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies.
- Liaises with the enterprise architecture team members to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design.
- Creates a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties.
- Ensures that data privacy requirements are included where applicable and works with the departments and teams to ensure that all information owned, collected or controlled by or on behalf of the secretariat is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy.
- Defines and facilitates the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.
- Ensures that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines. Manages and contains information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation.
- Monitors the external threat environment for emerging threats and advises relevant stakeholders on the appropriate courses of action. Develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes may be outside the Gavi secretariat perimeter.
- Coordinates the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas.
Note: The essential functions listed in this section are not exhaustive of the job responsibilities; other duties may be assigned consistent with the department's needs.
QUALIFICATIONS
ACADEMIC
- Degree in business administration or a technology-related field, or equivalent work- or education-related experience.
- Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials.
WORK EXPERIENCE
- 15 or more years in IT and business/industry with a minimum of five to seven years of leadership responsibilities.
- Demonstrated experience and success in leadership roles in risk management, information security, and IT security.
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework.
- Up-to-date knowledge of methodologies and trends in both business and IT.
SKILLS
- Expertise in budget planning, financial management, process excellence, and workforce management.
- Broad knowledge of current and emerging technologies, technology directions, and strategic application to business needs, including the ability to differentiate between a relevant trend and hype.
- Ability to improve operational efficiency, service delivery and information management across the IT organization.
- Excellent oral and written communication skills, including the ability to explain technology solutions in business terms, establish rapport and persuade others.
COMPETENCIES
- Poise & Self-Motivation - Ability to act calmly and competently in high-pressure, high-stress situations with self-motivation and possession of a high sense of urgency.
- Persuasive & Influencing - Able to influence change even without having direct authority over it, with the ability to accomplish objectives through influence rather than direct management.
- Strategic & Pragmatic — Business-minded with strategic thinking, able to see and articulate the big picture while finding solutions rather than adding complexity, and operating in the spirit of continuous improvement.
- Insightful & Decisive — Thinks clearly to uncover the root causes of barriers to execution, and has the seniority and willingness to make the tough decisions as a critical thinker with strong problem-solving skills.
- Proactive & Results Oriented — Behaves as a self-starter who spots issues that need to be addressed and then takes action, with a focus on execution and delivery.
- Good Judgement & Integrity - High level of personal integrity, the ability to handle confidential matters professionally, and an appropriate level of judgment, maturity and sense of urgency, with a demonstrated commitment to high standards of ethics, regulatory compliance, customer service and business integrity.
- Adaptable & Innovative — Learns continuously, with openness to new perspectives that could lead to a better result, thinking creatively to find new ways of addressing key issues and opportunities.
LANGUAGES
- Fluent in English
- Other languages desirable, particularly French.
CONTACTS
- The CTKO
- KMTS leadership team and staff
- Gavi Leadership Team (including Senior Management Team and Executive Team)
- Gavi Audit and Risk teams
- Gavi Secretariat
- Suppliers and partners security leads
Please send your application to responseCISO@spencerstuart.com before October 11th, 2024.
Please note that as a vaccine organisation and in order to provide duty of care towards its employees, Gavi is requiring its new employees to confirm that they are fully vaccinated against Covid-19 as a condition for pursuing employment with us. You can find out more by visiting this link.
Become part of our community and join us on Facebook and Twitter for updates about our mission to save children’s lives! You can also follow our hashtag #vaccineswork.
Gavi brings together the public and private sectors to save lives and protect people’s health by increasing equitable and sustainable use of vaccines against 18 infectious diseases. You will be joining an organisation at the centre of the international COVID-19 response, at the most critical time in global health in a lifetime. You will work in a culturally diverse environment with over 70 nationalities. You will collaborate with partners such as WHO, UNICEF, the Bill & Melinda Gates Foundation, the World Bank – and from business, civil society and government.
And you will work in the first global health organisation to receive equal gender salary certification. Your unique experience, skills and talents can help us achieve our vision of leaving no one behind without the life-saving power of vaccines.
In support of Gavi’s commitment to diversity, equality and inclusion, we hire globally and welcome applications regardless of age, disability, ethnicity, national origin, family status, sex, gender identity or expression, physical characteristics, race, religion, spirituality or sexual orientation.
This vacancy is now closed.