Cyber Security Risk Manager

**Cyber Security Risk Manager - Contract 6 Months (with potential to extend to 2 years) - Barcelona**

**Why this role might be of interest**

The role has come about because the company, a highly successful and rapidly expanding international pharmaceutical business, is putting in place a brand new internal team to manage cyber security threats.

Because of this whoever takes on this role will work with a lot of autonomy, and have a lot of influence on how cybersecurity operations are developed. It's a high profile role where you will be able to make a real difference in how this company manages and develops it's internet security strategy.

Whilst you'll be part of the initial start up team, there are plans to grow it further, so there is the potential for career progression.

**Working practice**

**95% of your work will be done remotely, with occasional meetings in Barcelona, so if you live in another part of Spain and can travel to Barcelona on an occasional basis, then this role may also suit you.**

We are actually looking to fill two roles:
**Governance and Risk Management Expert**:Strong background in governance and risk management.Experienced in writing and designing policies and procedures.Has implemented GRC systems.

**Security Risk Assessment Specialist**:Proficient in conducting Security Business Impact Assessments, Threat and Vulnerability Assessments, and security controls assessments.Capable of assisting with policy and procedure design, with a focus on conducting assessments post-approval of Security BIA and Risk Management SOPs.

Interested in finding out more?

Full spec below:
The Role

We’re looking for a contractor to join our Cyber Security Team as an Information Security Risk Manager. You will be responsible for assessing, reporting and managing information security risks identified in the copmpany's systems and data, business processes and third party service providers.

You will work closely with IT colleagues, business stakeholders based at multiple locations in Europe, USA and Japan. The minimum duration of the contract is six months, with potential for extension.

We Need a “Pragmatic” and “Driven By Results” Information Security Risk Manager who can:

- Support the design and improvement of the information security framework (ISF): policies, controls, procedures using the NIST Cyber Security Framework; including third party risk management.
- Assess new and existing systems, data flows, business processes, and third party providers engagements and services to implement and verify compliance to the ISF reporting identified risks and issues to systems, processes and third party providers owners.
- Perform information security risk assessments such as but not limited to: security business impact analysis (BIA) and business dependency analysis; security controls plans; controls maturity assessments; third party provider risk profiling, risk assessments and audits.
- Maintains the information security risks and issues registers, deliver high quality reports and run information security committees meetings with business and IT management to manage risks.
- Support the design and improvement of the third party informatin risk management policies, controls and procedures. Assist or lead assessment of information security risks arising from engagement with third party providers and drive remediation efforts.
- Drive the design and implementation of a GRC platform including functional requirements, reviewing process designs, rolling out the new processes to the business and IT teams. Also, support in the administration and maintenance of the GRC tool.
- Design, improve and periodically report security key risk indicators and metrics to IT and business management to support continuous improvements and increase security maturity in our business processes.
- Designs, and delivers the security education training awareness program (SETA) across all business functions at the company. Manage external resources supporting the security awareness activities.

**What we are looking for in terms of experience**
- Desirable: Experience in implementing controls and managing compliance risks in regards to GXP regulated systems, data protection regulations such as EU and UK GDPR, CCPA, and cyber security regulations such as the EU NIS2, and the USA SEC Disclosure Requirements.

The Education, Certifications and Skill You Should Have:

- Significant of professional experience in information technology, ideally at least 3 years as an information security risk manager, preferably in a pharmaceutical, biotechnology or in other manufacturing organizations.
- Bachelor’s or Master’s degree in information security, or in Information Technology.
- Relevant information security professional certifications e.g. CISSP, CISM, CRISC, CISA, GSEC-GIAC, ISO 27001 auditor / practitioner.
- Desirable: Training and or certifications in GRC platforms such as ServiceNow GRC, Archer, Metricstream; and the NIST