Reports To:

Manager, Information Security

Responsible For:


Information Security Strategy, Risk Management, Compliance, Incident Response, Security Operations, Data Protection, Security Awareness and Training, Vendor Management, Business Continuity and Disaster Recovery, Application and Systems Security, Security Program and Architecture, Industrial Controls Systems Security, Information Security Management System

Overall Purpose of Job:

The Deputy Manager, Cybersecurity Manager is responsible for the development and implementation of a comprehensive information security program for Oando. This role will ensure the confidentiality, integrity, and availability of the organization's information assets, while aligning security initiatives with business objectives. The Information Security Manager will be responsible for protecting the company's critical infrastructure, industrial control systems, and sensitive data from cyber threats specific. This role will be responsible for managing the process of gathering, analyzing and assessing the current and future information security and privacy threats to the organization and its subsidiaries, as well as maintaining and monitoring information security best practices as they develop.

Responsibilities:

  • Develop, review and implement IT policies and procedures to ensure operating efficiency and regulatory compliance
  • Recommend and coordinate the implementation of technical controls to support and enforce defined security policies
  • Develop and implement risk mitigation strategies for identified vulnerabilities and manage the company's cybersecurity insurance program
  • Ensure compliance with relevant industry standards and regulations (e.g., NDPR, ISO27001)
  • Develop and maintain security metrics and reporting for executive leadership
  • Lead the company's IT incident response team and manage the incident response process; continuously evaluate current information security breach management processes and ensure that the organization can meet its mandatory data breach notification obligations should the need arise
  • Oversee the implementation and management of security technologies (e.g., SIEM, EDR, IDS/IPS) and management of security operations center (SOC) activities, including 24/7 monitoring and threat hunting
  • Work with the Head of IT and managers to build on an existing information security program and ongoing security projects that address information security risks and compliance requirements
  • Monitor systems for security gaps, design effective solutions for these gaps, and provide reports to management and executive staff
  • Develop wide-ranging policies, regulations, and strategies to enhance the security of the organizations
  • Provide expert advice on digital and technical aspects of cyber security governance, frameworks and operating models
  • Review, evaluate, and recommend software and hardware products related to IT security
  • Conduct vulnerability assessments to identify existing or potential electronic data and information system compromises and their sources; coordinate IT investigative matters with appropriate audit, regulatory, and certification bodies
  • Serve as a witness or subject matter expert for Information Technology Services in legal matters concerning IT security
  • Regularly interact and communicate with management to discuss the present audit results, gain acceptance and provide advice to remedy the audit issues or weaknesses discovered
  • Develop and maintain professional, credible relationships with key stakeholders (Business, Internal Audit & Risk) including relevant third parties and strategic suppliers.
  • Coordinate the periodic ISO27001, NDPR and other audit engagement activities including preparation for the annual Internal Audit assessments
  • Review, approve and direct the design and implementation of benchmarks, measurements and metrics used for measuring and improving the performance of the Information Security Management System.
  • Monitor related industry trends, technological developments and emerging practices in the IT industry and business in anticipation of changing investor and internal needs and best practice
  • Collaborate with relevant internal stakeholders to provide auditing support, security reviews and / or assist in the escalation of information breaches.
  • Review and recommend information security requirements for IT and operational projects and provide a risk assessment.
  • Manage the process of gathering, analyzing and assessing the current and future threat landscape, as well as providing the Head of Information Technology and senior managers with a realistic overview of risks and threats in the enterprise environment
  • Monitor and report on compliance with security policies, as well as the enforcement of policies across the enterprise
  • Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyse its impact on the existing environment; provide technical and managerial expertise for the administration of security tools
  • Develop a strong working relationship with the Service Delivery, Business Applications, and other IT teams to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements
  • Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about residual risk
  • Manage and coordinate operational components of security incident management, including detection, response and reporting
  • Manage security projects and provide expert guidance on security matters for other IT projects
  • Evaluate requests for exceptions to policies, ensuring sufficient mitigating controls are in place
  • Ensure audit trails, system logs and other monitoring data sources are reviewed periodically and are in compliance with policies and audit requirements
  • Stay abreast of regulatory changes including cybersecurity developments and their impact on IT requirements, including relevant data privacy requirements
  • Develop and maintain the company's information security strategy, policies, and procedures
  • Align security initiatives with business goals and industry regulations (e.g., NIST, ISO 27001, API 1164)
  • Collaborate with senior management to define security priorities and resource allocation
  • Conduct regular risk and vulnerability assessment across IT and OT environments

Key Performance Indicators:

  • Level of compliance with industry security standards and regulations (e.g., NIST, ISO 27001, API 1164)
  • % deviation of forecasted versus actual cost of security initiatives within defined tolerance limits
  • Effectiveness of security controls across IT and OT environments
  • Responsiveness to security incidents and user support requests
  • Uptime of key security systems (e.g., firewalls, SIEM, IDS/IPS)
  • Adequacy of patch management and vulnerability remediation procedures
  • % of system downtime due to security-related changes (planned unavailability)
  • Teamwork/mentoring/innovation within the security team
  • % of security service availability per SLA negotiated
  • Quality of technical advice and solutions to cybersecurity problems and issues
  • % reduction in security incidents within the financial year
  • Integrity and confidentiality of sensitive data and critical systems
  • Number of security awareness training sessions conducted within the year and achievement of over 80% employee participation
  • Successful completion of penetration tests and security audits with findings addressed within agreed timelines
  • Effectiveness of third-party risk management program
  • % of critical vulnerabilities remediated within defined SLAs
  • Maturity level of the organization's security posture based on industry-standard frameworks
  • Quality and timeliness of security reports to executive leadership and board
  • % of OT/ICS assets with up-to-date security controls

Person Specification:

  • Bachelor’s degree in Computer Science, Information Security, or related field; Master's degree preferred
  • Minimum of 15 years cognate work experience with at least 5 years in a leadership role
  • Minimum of 5-7 years information security or cyber security experience
  • Strong knowledge of cybersecurity frameworks (e.g., NIST, ISO 27001) and regulations relevant to Oil and Gas industry
  • Experience with ICS/SCADA security in industrial environments
  • CISSP, CISM, CRISC and ISO27001 certified
  • Excellent communication skills, able to articulate complex security concepts to technical and non-technical audiences
  • Strong leadership and project management skills
  • Experience in incident response and crisis management
  • Familiarity with cloud security, DevSecOps, and emerging technologies in the Oil and Gas sector
  • Familiarity with laws, regulations and industry standards pertaining to security in Nigeria and globally
  • Proficiency in security assessments, audits and investigations at a large scale
  • Excellent leadership and management skills, with the ability to lead and motivate a diverse security team
  • Working knowledge of the Nigeria Data Protection Act

Required Competencies:

  • Oil and Gas Industry Dynamics
  • Excellent track record of translating an organization's goals and objectives into security requirements
  • Excellent communication and interpersonal skills to interact with individuals at all levels of the organization
  • Experience of planning, prioritizing and organizing the work of yourself and others, delivering to tight deadlines whilst ensuring the effective use of resources
  • Ability to communicate ideas in both technical and user-friendly language
  • Excellent technical architecture and technical support documentation skills
  • Customer Focus/Service Orientation
  • Knowledge of IT infrastructure and Security architecture
  • Experience of analyzing complex issues, innovating to resolve problems and thinking strategically
  • Good time management and coordination skills
  • Strong analytical and client relationship management skills
  • Ability to adapt to changing security threats and technologies
  • Demonstrable ability to work in a pressurized environment with conflicting priorities, meeting deadlines and ensuring high-quality service