QNB3514 - SVP Offensive Cyber Security
Business Unit: QNB - Qatar
Division: Risk Management
Department: Risk Management
Country: Qatar
Closing Date: 09-Nov-2026
About QNB
Established in 1964 as the country’s first Qatari-owned commercial bank, QNB Group has steadily grown to become the largest bank in the Middle East and Africa (MEA) region.
QNB Group’s presence through its subsidiaries and associate companies extends to more than 31 countries across three continents providing a comprehensive range of advanced products and services. The total number of employees is more than 28,000 serving up to 20 million customers operating through 1,000 locations, with an ATM network of 4,300 machines.
QNB has maintained its position as one of the highest rated regional banks from leading credit rating agencies including Standard & Poor’s (A), Moody’s (Aa3) and Fitch (A+). The Bank has also been the recipient of many awards from leading international specialised financial publications.
Based on the Group’s consistent strong financial performance and its expanding international presence, QNB currently ranks as the most valuable bank brand in the Middle East and Africa, according to Brand Finance Magazine.
QNB Group has an active community support program and sponsors various social, educational and sporting events.
Job Purpose Summary
The incumbent will manage and lead the offensive cyber security function in the Group Information Security team. The incumbent will have the primary responsibility of ensuring that Information Technology applications and infrastructure in the Group comply with IT Security Policies and Standards, any relevant regulatory requirements, and industry best Cyber Security practices. The incumbent is also responsible for ensuring that any identified gaps are escalated in a timely manner to the appropriate management authority. The incumbent will have primary responsibility for executing the vulnerability scanning programme of IT assets, for leading the QNB Red Team that conducts simulated offensive attack exercises, and for managing the relationships with penetration testing vendors. This is a mixed role that requires a combination of team management skills and an ethical hacking skillset.
Essential Duties & Responsibilities
- Ability to manage a team of in-house and outsourced experienced technical resources who conduct penetration testing activities.
- Ability to create and manage a Red Team in the department. Responsible for service definition, strategy and delivery.
- Ability to customise and use established methodologies, and to conduct technical reviews and penetration testing activities of business applications and infrastructure projects, e.g. technical risk assessments of internet-facing applications, workstation and server build platforms, databases, networking, and virtualisation technologies.
- Ability to perform security assessments of QNB systems. Assessing the effectiveness of the systems, the security architecture design, compliance to IT security policies and relevant standards.
- Ability to provide subject matter expertise for the enhancement of network security posture of the organization.
- Ability to develop close relationships with IT and business teams. Understand and manage their requirements for GIS risk services.
- Ability to assist other teams in the Group Risk division with technical IT Security reviews and provide guidance as a subject matter expert for information security.
- Ability to provide ad hoc consultancy on the risks of new technologies, coming up with potential solutions.
- Ability to plan and organise the work so that it is efficient and effective and allows service to be delivered promptly and reliably.
- Ability to identify opportunities and develop new ideas that will lead to improvements.
- Ability to adapt/change behaviour or plans to better achieve the target/objective.
- Ability to analyse a complex problem and identify potential solutions by exploring and analysing diverse alternatives, including, where applicable, risks and potential business impact. Ability to make the right decisions based on the necessary information and to take measures accordingly.
- Ability to liaise with external consultants appointed from time to time to assess the adequacy and effectiveness of the Group’s information security efforts.
- To assist customers in all their queries on the Bank’s products and seek solutions to their requests.
- Maintain activities in accordance with Service Level Agreements (SLAs) with internal departments/units to achieve improvements in turn-around time.
Requirements
- Bachelor’s/Master’s degree, preferably with a Major in Marketing, Banking, Finance, Accounting, Economics, Business Administration or Information Technology (related field of study); Master’s preferred.
- At least 15 years of experience in undertaking technical security assessments of complex IT solutions including penetration testing and red team activities.
- Professional certification such as CISSP, CISM, CISA is mandatory.
- Strong knowledge of penetration testing tools and techniques of application and infrastructure components.
- Strong knowledge of network topologies, logical access controls and firewall technologies.
- Strong knowledge of operating systems (Wintel, Solaris and Linux).
- Having an understanding or experience in identifying zero day exploits.
- Having experience in assessing and designing multi-forest Active Directory domains.
- Programming experience (ASP, PHP, C#, etc.).
- Good interpersonal and presentation skills.
- Understanding of the relevant laws, regulations, and practices.
- Ability to make decisions and follow through with initiatives.
- Personal integrity and self-management.
- Planning, organising, and analytical ability.
- Results oriented.
- Strong analytical skills and the ability to communicate both verbally and in writing with all levels of management.
Note: you will be required to attach the following:
- Resume/CV
- Copy of Passport or QID
- Copy of Education Certificate