INFORMATION SECURITY DEPARTMENT
Baku
Head of Information Security Department
PASHA Insurance is currently seeking a Head of Information Security Department.
Job description
- Develop and execute the long-term cybersecurity strategy, roadmap, and policies in alignment with business goals.
- Lead, mentor, and manage a multi-division Information Security department responsible for cyber security engineering, security operations, governance risk & compliance, and application security.
- Direct the Security Operations Center (SOC), overseeing all threat management, incident response, and vulnerability management functions.
- Guide the cybersecurity engineering function in designing, implementing, and maintaining a resilient and secure enterprise architecture.
- Oversee the Governance, Risk, and Compliance (GRC) program, ensuring adherence to CBAR regulatory requirements and industry standards like NIST.
- Lead the DevSecOps program to embed security throughout the entire software development lifecycle.
- Report on the corporate cyber risk posture, key risk indicators (KRIs), and program maturity to executive management and the Supervisory Board.
Education & Specialization
- Bachelor’s degree in Computer Science, Information Security, or a related field.
- 5+ years of progressive experience in information security, with a proven track record in a leadership role managing technical teams.
Certificates
- A minimum of one of the following professional security certifications is required. Possession of multiple or other related certifications is highly advantageous.
- CISSP (Certified Information Systems Security Professional)
- CISM (Certified Information Security Manager)
- CRISC (Certified in Risk and Information Systems Control)
- CGEIT (Certified in the Governance of Enterprise IT)
- ISO 27001 Lead Implementer / Auditor
- COBIT 2019 with NIST Implementation
- CompTIA CASP+ (Advanced Security Practitioner)
- CEH (Certified Ethical Hacker)
Knowledge and Skills
- Strategic Leadership: Proven ability to develop and execute a long-term, enterprise-wide cybersecurity strategy, roadmap, and vision.
- Team Management: Experience providing executive leadership to a multi-division Information Security department, managing functions including Cybersecurity Engineering, Security Operations (SOC/IR), GRC, and Application Security.
- Risk Management: Deep expertise in enhancing and managing Information Security Risk Management programs, including the synchronization of technical vulnerability data with corporate risk management frameworks.
- Information Security Governance: Experience reviewing IS strategy, budgeting effectiveness, and staff competency to ensure alignment with business requirements.
- Security Awareness: Experience developing and managing corporate-wide security awareness programs, including targeted training for different employee groups and simulated phishing attacks to measure effectiveness.
- Industry Standards: Expert-level knowledge and implementation experience with major security frameworks including ISO 27001 and NIST CSF 2.0, and hardening standards like DISA and CIS, as well as knowledge and experience with CBAR regulatory Information Security requirements.
- Application Security Methodologies: Deep familiarity with OWASP, Application Security Verification Standard (ASVS), and Mobile Security Testing Guide (MSTG) for conducting comprehensive application assessments.
- Security Architecture & Engineering: Experience in modernizing and building secure enterprise architecture, with the ability to lead engineering functions in designing robust security solutions.
- Data Security & Loss Prevention: Expertise in establishing data security programs, including developing data classification registers and deploying enterprise-wide Data Loss Prevention (DLP) solutions.
- Security Operations & Incident Response (SOC/IR): Proven ability to manage a Security Operations Center, including threat intelligence processing, incident response, and cyber defense operations.
- DevSecOps & Container Security: Expertise in managing a full Secure Development Lifecycle (SDLC), integrating automated SAST and DAST tools into CI/CD pipelines, and securing containerized environments with Docker and Kubernetes.
- Vulnerability Management & Penetration Testing: Full oversight of vulnerability assessment, patch management, and penetration testing processes for internal and external infrastructure.
- Endpoint & Server Security: Expertise in implementing and managing advanced endpoint security (EDR/XDR, NGAV) across diverse operating systems including Windows Endpoints, Servers, Linux (CentOS, RedHat, Kali), and macOS.
- Database & Data Security: In-depth knowledge of database security compliance, including firewall implementation, administrator and user activity auditing, environment segregation policies, data classification and masking.
- Identity & Access Management (IAM): Experience building Access Matrix and Role-Based Access Control (RBAC) models for different systems as well as managing Privileged Access Management (PAM) systems.
- Cloud & Mobile Security: Deep knowledge of securing cloud environments like Microsoft Azure and mobile platforms like Android and iOS, including the management of MDM and MAM solutions.