Director - Business Information Security - GSK - Brentford


Job description
Job Purpose

The Director ensures that business and information security goals are aligned and mutually understood, so that GSK businesses can meet their goals within the corporation's security risk management appetite. S/he has end-to-end responsibility for overseeing the identification, assessment, reporting and mitigation of information security risks for her/his designated business unit(s) in a manner that meets compliance and regulatory requirements, while championing information security risk management within the business area.


The Director carries out this role globally for their designated line of business (R&D, GMS or North American Healthcare).

Key Responsibilities

Providing Risk Management Services by applying the GSK Risk Management Framework and processes for Information Security within the Business Unit (Consumer & Commercial), including its articulation and application. This includes educating the business on threats, identifying gaps in control and managing gap mitigation, for example by running threat and control workshops to understand the risks to business information assets and ensure the appropriate level of protection. Eliciting, creating and maintaining the business risk appetite for information security risk.
Negotiating risk management assessments and supporting the establishment of local business cases to gain funding and sponsorship for security investments and changes. Providing expert challenge to ensure significant information protection decisions are made to give the best trade-off between risk management, cost, business flexibility and short/long term goals, in light of the broader context of changing threats and intelligence.
Managing governance, measurement & reporting by acting as expert challenger to ensure that significant information risk decisions are made in accordance with the agreed risk appetite/limits, or are escalated to the appropriate level of authority for agreement of any risk acceptance or tolerance, particularly where the actions of one business could introduce risk to other businesses. In conjunction with Risk & Compliance, reporting on InfoProtect programme activity and incidents, intelligence and risk trending metrics to RMCBs (IT and line of business). Reporting to the CISO on the risk coverage of projects and assets, business-specific security initiatives, or deviation from GSK information security strategy.
Conducting Strategy Development & Communication through review and influence of the content of GSK business and risk management strategies, policies and management practices, ensuring that GSK information security requirements and Group strategies are communicated and understood, so that they are articulated in business strategies and business unit/IT/engineering plans and support existing cross-GSK infosec programmes. Influencing the Group-wide information security strategy and architectures maintained by the Director Information Security Strategy and Architecture in order to meet the needs of the particular business. Influencing Group-wide Information Security Policy.
Promoting Security Awareness & Capability Development by tailoring global information security awareness programmes and supporting the localization of security communications and culture change activities to make them accessible within each business.
Leveraging Embedded Business Capability by maintaining awareness of security capabilities and roles embedded in the line of business/supporting IT/engineering partner, and influencing the delivery of these services, including monitoring/supporting capability development as directed by the CISO.
Supporting the CISO and line of business in any significant information security related crisis incidents as required, ensuring business unit crisis teams are engaged as appropriate.

University degree plus an information security certification (M.Inst.ISP, CISM, CISSP or equivalent) or risk management certification (MIRM, CRISC or equivalent), or equivalent experience.
Experience as an in-house information security leader or commercial/in-house information security risk consultant, with line management experience.
Risk Management - Considerable skill and expertise in information security risk management in a regulated environment, demonstrating the appropriate level of judgment and maturity in balanced risk decision making.
Information Security Controls & Approaches/Applications Security - Deep knowledge of the working and application of information security controls, techniques, technologies and processes, particularly in applications security. Significant and current knowledge of business process mapping and how information security risks manifest themselves within a business process. The Director must be capable of conducting this review work personally, or by managing recommended service providers.
Regulatory Knowledge - Excellent understanding of regulatory trends in relation to security in the pharmaceutical industry and more broadly. Particular experience of laws and standards such as the Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI-DSS), Gramm-Leach-Bliley Act (GLBA), Federal Information Processing Standards (FIPS) and data breach reporting laws, generally accepted information security principles, and accepted industry practice. Excellent understanding of security and auditing standards such as ISO 27001/2/3, Control Objectives for Information and related Technology (COBIT), and National Institute of Standards and Technology (NIST) standards.
Vendor & Supply Chain Knowledge - Experience with contract and vendor negotiations. Superior supplier management skills to help in the risk management of third-party suppliers and to assist the business in the identification, classification and remediation of business supplier risks.
Communication Techniques - Excellent written and verbal communication skills for meetings, presentations and written reports; interpersonal and collaborative skills; and the ability to communicate security and risk-related concepts to technical and non-technical audiences.