InfoSec RiskManagement 120319 by 4780Gy


									Information Security Director of Risk Reporting and Management
Location any                                                                              Grade 80/90
Type of Function Full-Time                                                     Travel Percentage 15%

Job title: Information Security Director of Risk Reporting & Management
Department: Philips Information Security Office (Office of the CIO)

    1. Organization Description
The Information Security Office, under CISO leadership, ensures that Philips information assets are
adequately protected in support of Philips business objectives and in conformity with the Philips
Security Risk Management Framework. The Information Security Office (also known as CISO Office)
operates as a semi-independent risk assurance office under the direction of the Information Security
Steering Committee (proposed) composed of the Chief Information Security Officer, Chief Finance
Officer, and Chief Legal and Compliance Officer. The CISO has a direct reporting relationship into the
CIO and is closely aligned with IT (Platforms, Delivery, and IT Infrastructure/Operations).

Main purpose of the Function
The Information Security Director of Risk Reporting and Management (a.k.a. Security Risk Manager)
focuses on ensuring that the information security risks of Philips are identified, assessed, reported,
and analyzed in a manner that permits clear statements of assurance and risk understanding. This
includes elements of risk management strategy, identification of metrics and evaluation methodology
as well as diverse reporting tools to monitor information security, risk control effectiveness, and
residual risks.

    2. Position in the organization
The Information Security Director of Risk Reporting and Management reports directly to the
corporate Chief Information Security Officer.

    3. Organizational context of role
The Information Security Director of Risk Reporting and Management
        functions at a global level and communicates and coordinates with the global virtual team
         including core team members, senior security officers in the businesses, markets, and
        defines reporting requirements for suppliers and collects, analyzes, and reports their risk
        interacts with support staff as necessary to fulfill the purposes of the function.

4. Key areas of accountability
    a.   Maintenance of a clear and articulated understanding of the current information security risk
         environment of the enterprise and the corporation's risk profile.
    b.   Defining and deploying the Philips information security risk management framework to
         include risk management nomenclature, reporting requirements, assessment methodology
         and multi-level reporting framework. Deployment includes effective embedding of
         information security risk management into all appropriate operations.
    c.   Defining and embedding operations and support procedures to ensure adoption of the
         information security risk management framework.
    d.   Develop the Philips information risk map in cooperation with key business stakeholders as
         input to the information security strategy.
    e.   Ensure information security policy and governance is correctly formulated to counter current
         and emerging threats based on insight into Philips information security risk profile.
    f.   Produce high-quality papers, presentations, findings and recommendations.

5. Responsibilities
    a.   Identify, assess and monitor Philips current and emerging information security risks.

Page 1 of 3
Information Security Director of Risk Reporting and Management
Location any                                                                             Grade 80/90
Type of Function Full-Time                                                     Travel Percentage 15%
    b. In close alignment with the business sectors, refine the information security risk framework
         to ensure the control framework is fit for purpose and actions are defined to evolve and
         mature the risk management process. Align with other risk control frameworks.
    c. Establish strong relationships with the IT functional areas and sectors in order to evaluate,
         understand and articulate Philips information security risk profile.
    d. Preparation and presentation of risk reports and analysis to senior management and key
         business stakeholders.
    e. Lead high profile risk assessments and arbitrate complex risk formulation to bring clear and
         concise decision criteria for executive risk acceptance.
    f. Lead and contribute to the development and ongoing evaluation and enhancement of the
         information risk management framework and assessment methodology including the longer
         term information risk management strategy.
    g. Work with the Director of Threat Management to define the global threat management
         reporting environment.

6. Competencies
    a.   Ability to manage through influence across a multinational and complex organization –
         achieve results (i.e., virtual team leadership).
    b.   Ability to focus on the business needs and changing IT/consumerization landscape with
         regard to connected devices while maintaining a level of acceptable risk.
    c.   Ability to shape, maintain and administer the corporate-wide information security risk
         reporting and management program through multi-functional/multi-disciplinary teamwork
         (“Teaming to Excel”).
    d.   Ability to operate under pressure while establishing and maintaining risk-sensitive priorities
         and maintaining time effectiveness for the global 24x7 environment.
    e.   Ability to lead effectively and interact with business, market, and functional managers,
         privacy and legal staff around the world.
    f.   Ability to understand, simplify and teach others security threat-related concepts reflecting
         national and state laws, ethical standards of practice and policy.
    g.   Ability to organize and coordinate enterprise-wide projects.
    h.   In-depth knowledge and experience in information security practices, laws, and control
         technologies for protecting all classes of information.
    i.   Demonstrated leadership through exemplary organization, facilitation, communication, and
         presentation skills. Able to work effectively at executive, senior management, and
         operational business levels.
    j.   Superior analytic skills brought to bear on timely and effective information collection,
         analysis, and reporting. Able to motivate and inform clear decision making through audience-
         appropriate reporting.

    a.   A minimum of ten years experience in a multinational enterprise environment with at least 3
         years spent in risk management in a large enterprise.
    b.   Demonstrable change management in the context of an organization with the size and scope
         of Philips.
    c.   Ability to lead collaborative authorship of policies, procedures, and guidance around risk
    d.   In-depth knowledge and understanding of cyber risk.
    e.    Expertise in Information Security.
    f.   GIAC, CISSP, CISM, GSEC, CCNP or similar certification desirable.

Educational Level
Bachelor/Master degree in Information Technology, Electrical Engineering or Business Administration
or equivalent relevant experience.

Page 2 of 3
Information Security Director of Risk Reporting and Management
Location any                                                                              Grade 80/90
Type of Function Full-Time                                                      Travel Percentage 15%
Knowledge (areas)
    a.   Extensive knowledge and experience of IT and complex computing environments including
         applications, systems & networks.
    b.   Risk management including national and international standards and practices.
    c.   IT-processes (e.g., ITIL) and standards (e.g., ISO20000/27001/2).
    d.   Formal risk and control assessment methodologies.
    e.   Policy, procedure, and guidance development.
    f.   Familiarity with applicable legal and regulatory requirements, including, but not limited to,
         SOX, PCI, HIPAA, FDA, Privacy Data Protection regulations.
    g.   Use of collaborative technologies relevant to the reporting, aggregation, analysis and
         reporting of data.
    h.   Statistical methods of data analysis for decision making (desirable).

Interested candidates should contact:
Julie Magliozzi
Philips Talent Acquisition

Page 3 of 3

To top