Security and Compliance Officer


Date: Sep 15, 2023

Location: Pune, IN

Company: AkzoNobel

We supply the sustainable and innovative paints and coatings that our customers, communities – and the environment – are increasingly relying on. Our world class portfolio of brands – including Dulux, International, Sikkens and Interpon – is trusted by customers around the globe. We’re active in more than 150 countries and have set our sights on becoming the global industry leader. It’s what you’d expect from a pioneering paints company that’s committed to science-based targets and is taking genuine action to address globally relevant challenges and protect future generations.

For more information please visit www.akzonobel.com.

© 2023 Akzo Nobel N.V. All rights reserved.


Job Description - Cyber Risk and Compliance officer


1. Purpose of the job

Cyber security is a top priority for AkzoNobel, as it is for any global organization operating in cyberspace. Our objective is to protect our information and digital assets (IT and OT) by reducing our cyber risk exposure so that we can pursue our business objectives.

As part of the new cyber security strategy, supported by the ExCo, we have recently redefined our security governance in line with the evolution of the threat landscape and modern best practices. In this regard, the new Cyber Security and Compliance function, under the responsibility of the CISO and part of IM (Information Management), is responsible for information and cyber security across the entire organization, covering Cyber Risk Management & Compliance, Security Readiness, Security Operations, and Cyber Security Awareness and Training.


The Cyber Risk and Compliance officer is part of the Cyber Risk and Compliance department and reports to the Cyber Risk Manager.

She/he provides support for assessing and monitoring the evolution of information and cyber security risks in AkzoNobel, measuring the level of maturity and compliance against the established security framework (ISMS) and the applicable security controls. She/he contributes to defining and monitoring KRIs (Key Risk Indicators), maintains the Cyber Risk Register, and defines the Cyber Security reports shared with the CISO and Executive Management to inform them about the company's cyber risk exposure and the effectiveness of its security. In addition, she/he supports the lifecycle management of Security Policies by managing the content of existing policies and defining new ones in line with the evolution of the risk landscape. She/he supports the Internal Control department and internal and external Auditors in performing Control Assessment and Audit activities, and the Legal department in conducting investigations.


2. Key responsibilities

In this role, you will:

  • Perform information and cyber risk assessments (e.g., third-party risk assessment, M&A, risk assessment for compliance with cyber security laws, regulations, and contractual obligations), identify gaps, and provide recommendations for their resolution.
  • Perform compliance assessments to monitor the execution and the effectiveness of the security controls implemented by the First Line of Defense (e.g., IT/IM, ISC/Manufacturing, Finance, Legal, HR).
  • Discuss and agree with the Internal Control department on the Security Controls to add to the Risk and Control framework.
  • Support the Cyber Risk Manager and the CISO in reviewing and maintaining the Information and Cyber Security Policy and Standards in AkzoNobel as the risks evolve.
  • Support the definition and analysis of Security Key Risk Indicators (KRIs).
  • Support Internal and External Auditors in performing IT and Security audit campaigns.
  • Support the Legal department in internal investigations involving digital information and IT assets.


3. Examples

  • You execute and manage security control assessment campaigns across the Information, IT and OT asset domains to assess the maturity level of the defined controls. Part of these activities are carried out in collaboration with the Risk and Control department and the external Auditor.
  • You perform security assessments of third-party organizations (e.g., suppliers and M&A targets), evaluating their level of security and identifying the actions required to resolve the findings.
  • Following the outcome of the risk assessment process, you identify the changes to make to the Security Policies framework and bring them to the attention of the Cyber Risk Manager and the CISO. You write new Security Policies and Standards or amend existing ones, and start the approval process before their publication.
  • You define Key Risk Indicators for the entire organization, monitor them, and report them to the CISO and executive management. You contribute to managing the Cyber Risk Register.
  • Together with the Legal department, you support investigation activities on information or IT assets in cases of law infringements, issues with contractual obligations, or litigation.


4. Job requirements

Experience / Education

  • At least 3 years of experience in a similar role
  • Experience with GRC and cyber risk management methodologies and tools
  • Experience with SAP security monitoring
  • Experience in designing and managing Cyber Security Compliance and Controls testing activities
  • Knowledge of Security Standards and Recommendations (e.g., ISO 27001, NIST CSF, CIS, Cyber Essentials, ISO/IEC 62433, NIST 800-82 R2, ISO 31000, SOC report frameworks) and the related controls
  • Experience in developing and maintaining Security Policies, Procedures, and Guidelines
  • Experience in defining and reporting KRIs (Key Risk Indicators)
  • Knowledge of common IT and network technologies and solutions
  • Degree or master’s degree in cyber security, computer science, or equivalent work experience


At AkzoNobel we are highly committed to ensuring an inclusive and respectful workplace where all employees can be their best selves. We strive to embrace diversity in a context of tolerance. Our talent acquisition process plays an integral part in this journey, as it sets the foundations for a diverse environment. For this reason, we train and educate on the implications of Unconscious Bias so that our TA staff and hiring managers are mindful of it and take corrective action when applicable. In our organization, all qualified applicants receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, or disability.