JD - Head Information Security

The Head of Information Security at NCBA Group is responsible for ensuring the confidentiality, integrity, and availability of the organization's information systems while implementing security controls to mitigate cyber risks. This role involves defining the information security strategy, overseeing cyber security defenses, and ensuring compliance with security best practices across technology projects. The ideal candidate should have a strong background in information security, leadership experience, and relevant technical competencies.


Job Title: Head, Information Security
Reports to: Director, Group IT
Division: Technology & Operations
Department/Sub-department: IT, Information Security
Grade: Band 8
Date:

Job holder:                         Supervisor:

Signature:                          Signature:

Job Purpose Statement


The role of Head, Information Security will provide continuous assurance of NCBA
Group’s information systems around confidentiality, integrity and availability of
information, and ensure protection of these information assets by ensuring appropriate
security controls are in place to protect the Group’s technology and information assets
from information & cyber security related risks.

This role will define and execute the information security strategy and roadmap for the
Group, ensuring that governance and assurance in information security is enshrined
and practiced within the Group, appropriate technology systems and controls are
implemented, as well as ensuring that key technology projects and initiatives are
compliant with security best practices and guidelines.

Key Results Areas

Perspective (with % weighting, adding up to 100%) and expected outputs:

Strategy and Roadmap (20%)
• Develop and align the information security strategy to the Group and Information Technology strategy, to ensure information security supports business objectives.
• Execute an information security roadmap, aligned to the information technology roadmap and in support of business growth.
• Define the Information Security architecture in line with the technology architecture blueprint and best practice.

Cyber Security Defence (25%)
• Set up and implement Information Security practices around patching, vulnerability and malware management programs etc. within the Group, ensuring that vulnerability assessments & penetration testing are conducted, and patching and remediation of vulnerabilities is done as per policy and procedure.

Page 1 of 5

• Drive the implementation, administration and support of technology control systems as per the IS roadmap.
• Implement continuous monitoring of technology assets for cyber incidents that impact the confidentiality, integrity and availability of systems, by putting in place the appropriate people, processes and technology.
• Implement security incident response for effective response, containment and recovery from security incidents or breaches.

Cyber Security Assurance (25%)
• Provide information security assurance to technology systems to ensure that new products, services, channels and other IT changes introduced meet the security compliance thresholds.
• Participate as a key stakeholder in the Bank's Change Management governance process (Change Advisory Board), with responsibility to approve or reject changes that do not meet the compliance threshold.
• Participate and contribute towards developing and supporting IT practices (e.g. agile, DevSecOps).

Information Security Governance (20%)
• Develop and implement the Group Information Security framework, strategy, policy and procedures.
• Ensure that best practice and regulatory guidelines on Cyber Security are enshrined within the Group's policies and procedures.
• Develop and implement an effective information security awareness program covering all staff and key stakeholders of the Bank.
• Develop and implement a robust IT Business Continuity Management program, ensuring that effective BCP & DR processes are set up and executed.
• Act as the IT department risk champion, interfacing with the compliance teams to manage technology risk and audit engagements.

People Leadership (10%)
• Provide effective leadership to the Information Security team, and work with peer IT heads and other IT staff to ensure a conducive work environment.
• Provide leadership, performance management, talent management, training and development programs, coaching and mentoring for the Information Security team.
• Liaise with internal and external stakeholders (vendors, regulator and consultants) in ensuring that the information security objectives are met.

Job Dimensions

Reporting Relationships: jobs that report to this position directly and indirectly
Direct Reports:
• Senior Manager, Security Assurance
• Senior Manager, Security Engineering
• Senior Manager, IT Governance & Control
Indirect Reports:
• Information Security Managers/Officers in the subsidiaries.

Stakeholder Management: key stakeholders that the position holder will need to liaise/work with to be successful in this role.
Internal:
• IT Department
• Enterprise Project Management
• Group Enterprise Risk & Compliance Department
• Internal Audit
• Commercial Services
External:
• External Auditors
• Regulators
• Partners and suppliers/vendors

Decision Making Authority /Mandates/Constraints: the decisions the position holder is empowered to make (Indicate if it is Operational, Managerial or Strategic).
• Strategic decision making.
• Budgetary planning and control
• Technology direction on acquisition of information security solutions and systems
• Unit staffing, people planning and performance management

Work cycle and impact: time horizon and nature of impact (Planning)
(e.g. Less than 1 week, 2 weeks, 2 weeks – 1 month, 1 month – 3 months, 3-6 months, 6-12 months, above 1 year)
1 – 3 years

Ideal Person Specifications
• Bachelor's Degree in Information Systems, Computer Science, Information Security or a related field required
• 7-10 years of information security or information security governance experience, with 5 years in a managerial role within a highly digitized organization, and a proven ability to engage with Senior Management and regulators.
• 4+ years' experience conducting IT compliance assessments or administering IT security controls in an organization.
• Knowledge of technical infrastructure, networks, databases and systems in relation to IT Security and IT Risk.
• Experience with security technologies & controls including IPS/IDS, SIEM, DLP and other security technologies.
• Relevant certifications in information security knowledge areas, such as Information Systems Audit, Information Security Management and Ethical Hacking.
• Knowledge of: Strong Authentication, End Point Security, Internet Policy Enforcement, Firewalls, Web Content Filtering, Database Activity Monitoring (DAM), Public Key Infrastructure (PKI), Data Loss Prevention (DLP), Identity and Access Management (IAM)
• Knowledge of banking or financial services fundamentals and processes (prior experience working within a financial services organization is an added advantage)
• Excellent communication, analytical and reporting skills
• Knowledge of project management.

NCBA Bank Core Value Behaviours (Performance Drivers)


• Driven - We are passionate, make bold decisions and learn from our failures. We seek new challenges and appreciate different views, constantly raising the bar. We explore our full potential.
• Open - Our interactions are candid, honest and transparent. We listen to each other and our clients. We are inclusive and always respect each other.
• Responsive - We put our customer's interests at the heart of all that we do. We are proactive, act quickly and resolutely to deliver results. We keep it simple and seek new ways to improve.
• Trusted - As a trusted partner we do what is morally right always. We keep our word. We are accountable and believe in each other.

Technical Competencies
• Knowledge to develop and execute Information Security strategy
• Knowledge and experience in IT technology platforms across the IT domains.
• Technical skills to effectively perform IS security management activities/tasks in a manner that consistently achieves established quality standards or benchmarks.
• Knowledge and application of modern IS security management practices in the financial services industry to proactively define and implement security quality improvements in line with technological and product changes.
• Performance management to optimise personal and team productivity.
• Knowledge and effective application of all relevant banking policies, processes, procedures and guidelines to consistently achieve required compliance standards or benchmarks.

Behavioural Competencies
• Interpersonal skills to effectively communicate with and manage expectations of all team members and other stakeholders who impact performance.
• Self-empowerment to enable development of the open communication, teamwork and trust that are needed to support a true performance and customer-service oriented culture.
• Demonstrable integrity and ethical practices

This JD is signed-off with reference having been made to the organisation’s core values
and aligned competencies against these values.
