Location: WP. Kuala Lumpur, Federal Territory of Kuala Lumpur, Malaysia
Salary: Not specified
Type: fulltime
Posted: Today
Job Description
1. Role Purpose
The Group Chief Information Security Officer (CISO) is responsible for providing independent oversight of cybersecurity, technology risk, and data protection governance across the Bank. The role oversees the establishment and maintenance of effective cybersecurity and technology risk management programmes to safeguard the Bank’s information assets and technology environment, while also overseeing the Data Protection Officer (DPO) function for KAF Digital Bank (KDB). The Group CISO works closely with Senior Management, regulators, and key stakeholders to ensure alignment with regulatory requirements, industry best practices, and the Bank’s strategic objectives.
2. Key Responsibilities
a) Governance, Framework & Compliance
- Lead the development, implementation, maintenance, and continuous enhancement of the Technology Risk Management Framework (TRMF) and Cyber Resilience Framework (CRF).
- Establish and maintain cybersecurity, technology risk, and data protection policies, standards, procedures, and governance practices across the organisation.
- Oversee compliance with internal policies, regulatory requirements, and industry standards relating to technology risk, cybersecurity, cyber resilience, and data protection.
- Provide independent assurance and oversight on the effectiveness of technology risk and cybersecurity controls across the organisation.
- Oversee the implementation and maintenance of privacy and data protection governance frameworks in compliance with PDPA and related regulatory requirements.
b) Risk Management & Advisory
- Oversee technology and cybersecurity risk assessments for digital initiatives, strategic projects, and critical systems, including tracking remediation actions to closure.
- Provide strategic risk and control guidance to ensure alignment with the Bank’s risk appetite and regulatory expectations.
- Monitor emerging cyber threats, threat intelligence, and regulatory developments, and advise Senior Management on material risk exposures and mitigation strategies.
- Oversee privacy impact assessments and provide advisory support relating to personal data protection and privacy risks.
c) Cybersecurity Operations & Incident Management
- Oversee and coordinate cybersecurity operations, incident response, and cyber crisis management activities.
- Ensure timely escalation and regulatory reporting of material cybersecurity and technology-related incidents.
- Oversee investigation outcomes, root cause analysis, corrective actions, and lessons learned processes.
- Coordinate data breach assessment, escalation, reporting, and response activities in accordance with regulatory and internal requirements.
d) Third-Party & Vendor Risk Management
- Oversee the management of third-party technology, cybersecurity, and data protection risks, including vendor risk assessments and implementation of appropriate controls.
- Ensure critical vendors and service providers comply with the Bank’s cybersecurity and data protection requirements.
e) Reporting & Stakeholder Engagement
- Provide regular reporting on cybersecurity posture, technology risk exposures, incidents, Key Risk Indicators (KRIs), compliance status, and data protection matters to Senior Management, Management Committees, and the Board.
- Engage with regulators, auditors, industry peers, and external stakeholders on cybersecurity, technology risk, cyber resilience, and data protection matters.
- Support regulatory inspections, audits, and supervisory engagements relating to cybersecurity and technology risk management.
f) Awareness, Training & Audit Coordination
- Promote cybersecurity, cyber resilience, and data protection awareness across the organisation.
- Support organisation-wide cybersecurity and data protection awareness and training programmes.
- Oversee responses to internal and external audit queries relating to technology risk, cybersecurity, and information security matters.
- Ensure timely remediation and tracking of audit findings and regulatory issues.
g) Strategic Initiatives & Industry Collaboration
- Support and drive strategic cybersecurity and technology risk initiatives aligned with organisational objectives.
- Participate in industry cyber threat intelligence sharing initiatives and regulatory-led programmes to strengthen collective cyber resilience.
- Drive continuous improvement initiatives to enhance the organisation’s cybersecurity maturity, operational resilience, and data protection capabilities.
3. Job Requirements
a) Education & Professional Qualifications
- Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a related field.
- Professional certifications are preferred, such as CISSP, CISM, CRISC, CISA, or relevant privacy and risk management certifications.
b) Experience
- Minimum 10 years of experience in cybersecurity, technology risk, information security, or related roles, with at least 5 years in a leadership or managerial capacity.
- Experience within the financial services or banking industry is preferred.
- Strong exposure to BNM RMiT, PDPA, cyber resilience practices, and regulatory compliance requirements.
c) Technical & Functional Skills
- Strong understanding of cybersecurity domains, including network security, cloud security, application security, identity and access management (IAM), data protection, vulnerability management, and security operations.
- Sound knowledge of technology risk management principles, governance practices, and control frameworks.
- Experience in cybersecurity incident response, cyber crisis management, regulatory engagement, and audit coordination.
- Familiarity with data protection and privacy governance practices, including personal data handling and breach management requirements.
d) Soft Skills
- Strong leadership, strategic thinking, and decision-making capabilities.
- Excellent communication, stakeholder engagement, and presentation skills.
- Strong analytical and problem-solving abilities.
- Ability to engage effectively with Senior Management, regulators, auditors, and cross-functional stakeholders.