4 Information Security Risk and Assurance Specialist Jobs in Kansas, MO

Clyde
Kansas, MO | Full Time
$96k-118k (estimate)
5 Months Ago
Clyde
Kansas, MO | Full Time
$93k-112k (estimate)
2 Months Ago
U.S. Bank National Association
Kansas, MO | Full Time
$89k-111k (estimate)
2 Months Ago
Information Security Risk and Assurance Specialist
Clyde Kansas, MO
$96k-118k (estimate)
Full Time | Consumer Goods 5 Months Ago

Clyde is Hiring an Information Security Risk and Assurance Specialist Near Kansas, MO

Job Title
Information Security Risk and Assurance Specialist
Job Location
Kansas City
Job Type
Business/Professional Services & Support
Expertise
Description

The Role

The mission of the firm's Information Security and Risk team is to establish a risk managed environment that enables the firm to adequately and reasonably protect the confidentiality, integrity and availability of information used by the business and on behalf of clients. The successful candidate will be part of the team that focuses on the management of risk and assurance for Information Security and IT, and will work with stakeholders across the global business to develop and maintain the risk management and control frameworks; identify and measure the levels of associated Information Security and IT risks; help to identify and oversee the implementation of appropriate remediation strategies where necessary, including the implementation of appropriate controls; work alongside the technical teams and other areas of the business to help bring the levels of risk into appetite; periodically monitor the risk levels and the maturity of related controls; conduct reviews and control assurance exercises; and develop and maintain the associated policies, processes and standards to ensure that the people, processes and technology within the enterprise are appropriately risk-managed, adding value to the business consistent with assigned information security scope and risk appetite.

Key Responsibilities

  • Ensure an in-depth knowledge and understanding of the Information Security and IT risk management requirements and practices.
  • Lead the development and maintenance of the risk management framework for Information Security and IT, in accordance with company policy and in line with the enterprise risk management framework. Periodically review and maintain the Information Security and IT risk management policies as appropriate.
  • Work closely and build relationships with stakeholders in Information Security, IT, the global Risk department and across the wider business, to encourage and develop the processes required for the determination of appropriate risk appetite, identification and assessment of risk, the implementation of appropriate mitigation strategies and ongoing management, in accordance with the risk management policy.
  • Develop and manage the Information Security and IT risk register, ensuring that all identified risks are clearly recorded together with assigned owners, measured inherent and residual risk levels, and details of compensating controls and/or mitigation strategies with their respective owners. Ensure that the recording and management of risk remains consistent and in accordance with the policy and underlying agreed standards/processes.
  • Ensure that all risks are periodically reviewed and re-assessed to determine whether the inherent/residual levels are still appropriate. For risks still not in appetite, determine the most likely scenarios that could lead to crystallization of the risk, and whether current mitigation strategies and/or controls would be optimal/effective.
  • Perform risk assessment activities as are appropriate for larger projects or for where there may be significant transformation or change within the business affecting Information Security or IT. Identify and assess on an ongoing basis, risks that could materially impact the ability for IT to deliver its commitments to the business, together with periodic reporting to the Senior Leadership Team, and the tracking of any mitigation actions required.
  • Provide education where required to develop the skills within Information Security, IT and other business areas to identify, assess, measure and record risks.
  • Stay abreast of developments in the risk management area and cyber and information security trends as they relate to the legal industry, information management, technological standards, emerging and current threats employing appropriate horizon scanning.
  • Build and maintain a relationship with the global Risk department to share best practice and to ensure that the risk management and control frameworks for Information Security and IT fully align with the enterprise risk management framework.
  • Develop and implement a risk reporting framework that informs effective risk-based decision making within IT and tracks progress of risk mitigation while recognizing the different audiences within Clyde & Co e.g. risk or service owners, to management within Information Security and IT, the Audit and Risk Committee and where appropriate to other levels of management in the company. Maintain a reporting environment capable of historical reporting, trends, key triggers, performance and risk indicators, management information etc.

Essential Skills and Experience

  • Proven experience of working in an Information Security and IT Risk Management role within a fast-paced environment. Experience within the legal industry is ideal, but not essential.
  • Operational knowledge of risk management and international information security standards, practices, risk management and control frameworks e.g. ISO31000, IRAM2, NIST 800-53 and cybersecurity framework, ISO27001/2, COBIT, ISF SOGP, CPS-234 etc.
  • Strong organisational skills and the ability to handle multiple conflicting priorities.
  • Able to work to very tight deadlines under pressure and to assimilate information quickly.
  • Strong interpersonal skills including confidence, positivity, diplomacy and the ability to gain credibility quickly.
  • Excellent verbal and written communication skills, with the ability to explain risk concepts and technical terms in a way that non-technical people would understand.
  • Demonstrates attention to detail with a high level of accuracy.
  • Positive and tenacious with the ability to pro-actively drive initiatives forward and motivate resources within and outside their team to perform.

Business Services Competencies

Clyde & Co is committed to providing extensive, personal and professional development opportunities for our people enabling them to be highly effective in their current role as well as assisting them to fulfil their career aspirations.

The competencies are used to inform all aspects of Business Services career development.

They vary across levels and different business areas and fall under the following areas:

  • Technical Excellence
  • People and Team
  • Client/Stakeholder Relationships
  • Service Delivery and Commercial Awareness
  • Personal Effectiveness

This is the job description as constituted at present; however the Firm reserves the right to reasonably amend it in accordance with the changing needs of the business.

Job Summary

JOB TYPE

Full Time

INDUSTRY

Consumer Goods

SALARY

$96k-118k (estimate)

POST DATE

12/09/2023

EXPIRATION DATE

05/28/2024

WEBSITE

clydesdonuts.com

HEADQUARTERS

ADDISON, IL

SIZE

25 - 50

FOUNDED

1920

TYPE

Private

CEO

KENT W BICKFORD

REVENUE

<$5M
