Chief, Cyber Security

Position description

The United Nations Development Programme is the global development network of the United Nations system that is on the ground in 177 countries, with its Headquarters in New York, USA. The Bureau for Management Services (BMS) is a central Bureau tasked with the development of corporate strategies, policies, tools and systems in key cross-cutting management areas. Drawing on sound analytics and a risk-management approach, BMS supports the achievement of development results through management advice, innovative business solutions, and other corporate services in line with international best practices and evolving needs and expectations of development partners. BMS also ensures policy adherence in operations management within UN Rules & Regulations, safeguarding UNDP’s accountability vis-à-vis Member States and other stakeholders. 

UNDP is an operational backbone to the UN system: providing payroll, financial transactions, common premises, treasury investment, procurement, legal services to UN agencies. UNDP provides IT support for 13 UN entities with 40,000 United Nations and external users of the UNDP’s ERP system, as well as information and communication technology (ICT) and application solutions for the United Nations field presence. To support the UNDP Digital Strategy and enable the digital transformation of the organization, the Office of Information & Technology Management (ITM) is tasked with developing and operating the enabling corporate technology platforms and providing related services that power the digital transformation including: (1) advice, administration and acceleration services to promote delivery of maximum business value of each platform; (2) a global service desk operation; (3) and outreach services to promote knowledge sharing and effective, agile planning and governance of technology development and utilization. 
Duties and Responsibilities 
Under the overall guidance of the Chief Information Officer (CIO) of the office of Information and Technology Management (ITM), and as part of the management team of the ITM, the Chief – Cyber security is responsible for managing UNDP`s information security risks, IT business continuity and IT disaster recovery plans . As organizations face increasingly sophisticated cyberattacks, the unit enables UNDP’s cybersecurity protection, both in terms of human resources and systems. This involves scanning systems for potential risks, adopting innovative solutions to protect IT applications and data as well as training employees to adopt safe cybersecurity practices. In addition, the unit is responsible to assess and test business continuity and disaster recovery plans. 

UNDP adopts a portfolio approach to accommodate changing business needs and leverage linkages across interventions to achieve its strategic goals. Therefore, UNDP personnel are expected to work across units, functions, teams, and projects in multidisciplinary teams in order to enhance and enable horizontal collaboration.

1) Ensure effective management of the Cyber Security Services unit:

• Lead and supervise the Cyber Security Services unit, fostering team motivation, recruitment, performance evaluation, and training plan development.
• Develop, manage, and report on key performance indicators (KPIs) to ensure operational excellence, to maintain program efficiency, facilitate resource allocation, and elevate security program maturity.
• Drive continuous improvement in incident management processes, integrating with IT operations for seamless functionality.
• Coordinate the development of knowledge management sessions and processes to optimize IT platform utilization across the organization.
• Strategically design and oversee enterprise information security program to safeguard data integrity, confidentiality, and availability while ensuring compliance with regulations and policies to mitigate risks and audit findings effectively.
• Effectively communicate cyber security risks and mitigation strategies to senior management, providing expert guidance for IT projects, evaluating and recommending technical controls.

2) Ensure implementation of Risk Management strategies and ICT standards: 

• Create and facilitate the information security risk assessment process, including reporting and oversight of remediation efforts to address negative findings.
• Work directly with the business units to facilitate IT risk analysis and risk management processes, identify acceptable levels of risk, and establish roles and responsibilities with regards to information classification and protection.
• Coordinate information security and risk management projects with staff from the IT organization and business unit teams.
• Develop, communicate and ensure compliance with organizational cyber security policies and standards.
• Create and manage information security and risk management awareness training programs and fraud awareness programme for all employees, contractors and approved system users.
• Provide subject matter expertise to executive management on a broad range of cyber security standards and best practices, such as ISO 27000, CobiT and ITIL.

3) Ensure implementation of Incident Prevention measures:

• Manage security incidents and events to protect corporate IT assets, including intellectual property, data, operability of corporate systems, fixed assets and the company’s reputation.
• In case of an Incident, the unit will be responsible for coordinating efforts within the organization to restore critical systems and provide facilities needed by the organization to function.
• Ensure security incidents and related ethical issues are referred to OAI for review and resolution without further disrupting operations, and are conducted in a fair, objective manner in alignment with UNDP values and code of business conduct and in full consultation with OAI and LSO as the situation might warrant.

4) Ensure Business Continuity, Disaster Recovery and Organization Preparedness:

• Develop effective disaster recovery policies and standards; coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a declared disaster and provide direction and in-house consulting in these areas.
• Coordinate with internal and external resources to ensure provisions for business continuity and recovery from potential incidents have been addressed.
• Manage cyber security incidents and events to protect corporate IT assets, including data, operability of corporate systems, Intellectual property, fixed assets and the company’s reputation.
• In case of an incident of cyber-attack or catastrophe, the unit will be responsible for coordinating efforts within the organization to restore critical systems and provide facilities needed by the organization to function.

5) Ensure Corporate Compliance and Relations Coordination:

• Liaise between the cyber security team and corporate compliance, audit, legal and HR management teams as required.
• Coordinate the use of external resources involved in the cyber security program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
• Facilitate business alignment and communications by forming an information security steering committee or advisory board.
• Steer the enterprise architecture team to ensure alignment between the security and enterprise architectures, thus coordinating the strategic planning implicit in these architectures.

The incumbent performs other duties within their functional profile as deemed necessary for the efficient functioning of the Office and the Organization

Supervisory/Managerial Responsibilities: Manage and supervise two direct reports

Competencies 
Core: Full list of UNDP Core Competencies can be found here

• Achieve Results – LEVEL 4: Prioritize team workflow, mobilize resources, drive scalable results/strategic impact
• Think Innovatively – LEVEL 4: Easily navigate complexity, encourage/enable radical innovation, has foresight
• Learn Continuously – LEVEL 4: Create systems and processes that enable learning and development for all
• Adapt with Agility -LEVEL 4: Proactively initiate/lead organizational change, champion new systems/processes
• Act with Determination – LEVEL 4: Able to make difficult decisions in challenging situations, inspire confidence
• Engage and Partner – LEVEL 4: Construct strategic multi-partner alliances in high stake situations, foster co-creation
• Enable Diversity and Inclusion – LEVEL 4: Create ethical culture, identify/address barriers to inclusion

People Management 

UNDP People Management Competencies can be found in the dedicated site. 

Cross-Functional & Technical competencies

Information Management & Technology -IT Security Management 

• Knowledge of Cyber Security technologies,
  processes, techniques and tools. Apply practical
  innovations to solve cybersecurity problems.
  Capability to keep UNDP systems and data safe.
  Knowledge of ISO 27001 principles. CSSIP, CSIM,
  CISA or equivalent certification desirable

Digital & Innovation – Digital thought leadership 

• Ongoing research into emerging technologies and digital trends and the applications, risks, and opportunities associated with digital adoption, combined with the ability to communicate this synthesis with a broad audience.

Information Management & Technology – Information and Technology Strategy – Portfolio management and governance 

• Knowledge of developing and implementing ICT strategy, portfolio and project management services, governance, and policies. Knowledge of project management principle. PMP or PRINCE2 certification of equivalent desirable.

Security Services – Security risk management 

• Ability to assess threats and risks, identify and oversee implementation of mitigation measures, including ability to design and test security plans

Digital & Innovation – Data privacy and digital ethics 

• Knowledge of ethical usage of digital technology (e.g. AI, robotics, automation) and data. Ability to assess ethical implications when using, combining or sharing data, when building or implementing AI systems, and when advising on robotization and automation etc.
• Ability to design privacy protocols to ensure data is protected and used for legitimate purposes without unnecessary privacy risks.

Business Direction and Strategy – System Thinking 

• Ability to use objective problem analysis and judgement to understand how interrelated elements coexist within an overall process or system, and to consider how altering one element can impact on other parts of the system

Business Management – Portfolio Management 

• Ability to select, prioritise and control the organizations programmes and projects, in line with its strategic objectives and capacity; ability to balance the implementation of change initiatives and the maintenance of business-as-usual, while optimising return on investment

Required Skills and Experience 
Education: 

• Advanced university degree (Master’s degree or equivalent) in Information Systems, Computer Science, Law, Business Administration, Accounting and Finance, Security Management, Information Systems Management, Criminal Justice or related field is required; OR
• A first-level university degree (Bachelor’s degree) in the above-mentioned fields of study, in combination with an additional two years of qualifying experience will be given due consideration in lieu of the advanced university degree.

Experience: 

• Minimum 10 years (with Master’s degree) or 12 years (with Bachelor’s degree) of professional work experience in private sector corporate Cyber security or a related public sector organization with increasing levels of management responsibility is required.
• Additional professional qualification(s) in information security, such as CISSP, CISA, CISM certification, along with strong technical (ICT) security skills and demonstrable experience in the design/Implementation of secure IT environments are a must.
• Experienced in implementing and/or auditing information security programmes based on ISO 27000 or other IT security standards is highly desirable.
• At least 7 years of direct experience in a significant leadership role is desired.
• Demonstrated experience and exposure in the international IT security arena dealing with security-related issues is desired.
• Experience in COBIT and ITIL will be considered as an asset.

Language: 

• Fluency in English is required.
• Fluency in other UN official language is desired.

Application instructions

Please be sure to indicate you saw this position on tendersglobal.net