Job Description
Alteo is looking for a Chief Information Security, Risk and Compliance for a permanent position based in Montreal.
Your main role will be to support the maturation of the IT risk management and compliance system in order to address the organization's key challenges: implementing a security management system in accordance with international standards; measuring, managing, and controlling operational risks; ensuring platform compliance with payment market requirements; implementing and testing platform and service resilience mechanisms; responding to customer requirements in terms of security, business continuity, compliance, and data protection; managing operational risks and ongoing controls; contributing to the organization's cross-functional initiatives and activities.
Based on the group's strategy, you will be required to strengthen the measures deployed, implement operational risk management, deploy the permanent control system, promote and oversee its implementation, ensure that the IT continuity plan remains operational, and implement data governance.
Responsibilities:
> Setting up the organization and governance of the business for North America
- Establish an organizational and governance framework for the business linked to its management, with regular monitoring and reporting.
- Develop lasting relationships with all stakeholders involved in carrying out its mission.
- Contribute, as needed, to studies and discussions on risk, security, compliance, and data governance.
- Promote the “added value” of risk management, business continuity, compliance (including data protection), and ongoing control, and ensure smooth communication.
> Information system security and resilience
- Implement information security governance and organization for North America.
- Define and obtain management approval for information system security guidelines and objectives for all activities within its scope.
- Define and implement the general information system security policy. Implement procedures related to information system security.
- Identify, analyze, and assess risks, threats, and consequences (risk mapping).
- Study the system for controlling risks related to information system security, taking into account regulatory and legal requirements, as well as customer requirements.
- Define and deploy plans for dealing with information system security risks.
- Raise awareness and provide training on data security and protection issues: promote the IT security charter to all users.
- Manage IT security incidents: activate crisis units in the event of a disaster and ensure the necessary coordination with the departments involved.
- Ensure that audits and intrusion tests are carried out in accordance with the strategy, management needs, and regulatory and contractual requirements.
- Lead initiatives to strengthen the security culture within the Canadian business and ensure that all stakeholders are involved in risk management, so that everyone fully embraces their role, the cost-benefit/risk ratio is favorable, and the accepted level of residual risk is aligned with the risk appetite defined by management.
- Define and oversee the IT security management system (standards, tools, incident tracking, audits, etc.).
- Monitor regulatory and technical developments to ensure that the information systems security policy is in line with these developments.
- Support the pre-sales team in due diligence exercises conducted by customers in the North American region. Contribute to related projects and ensure compliance with contractual requirements.
- Establish the framework and ensure the resilience of the provisions put in place for clients.
- Ensure that annual tests are carried out, in coordination with clients and teams.
- Ensure that existing certifications are maintained and that areas not covered (ISO 27001) are certified.
- Ensure the production of SOC2 Type II reports at the required frequency.
> Permanent control
- Define, based on the guidelines of the governing bodies, the organization and governance of the permanent control system.
- Assist managers/service managers in the deployment of the operational risk management and permanent control system at level 1, within their scope of responsibility. Ensure follow-up.
- Using a holistic approach, ensure that operational risks are identified and qualified (e.g., self-assessment of risks and controls) and that the operational risk management system is deployed (e.g., management of outsourced services, implementation and monitoring of key risk indicators).
> Compliance and personal data protection
Ensure legal, regulatory, and contractual compliance with regard to information system security and personal data protection at the regional level:
- Recommend a compliance framework: identify non-compliance risks and ensure that appropriate prevention measures are implemented in accordance with the group's key compliance principles and legal, regulatory, and contractual provisions.
- Ensure the compliance of contracts (customers, suppliers, employees) and contractual clauses to meet security, confidentiality, and personal data protection requirements.
- Develop and implement all compliance-related instructions and procedures.
- Ensure transparency and accountability in risk and compliance-related decision-making (reports and record-keeping, etc.).
- Ensure compliance with applicable legal and regulatory obligations by drawing on the expertise of cross-functional group functions in this area.
- Raise awareness and encourage employees to report violations of the code of conduct or compliance issues (through reporting channels and investigations, etc.).
> Team management
- Build and supervise the team of controllers under your hierarchical responsibility.
- Ensure the development, expertise, and skills advancement of employees in the respective risks to be covered.
- Ensure the setting of annual objectives and employee evaluations.
Profile:
- Bachelor's/Master's Degree in IT or equivalent
- 10+ years of experience in information systems auditing/control.
- Proficiency in the banking and financial regulatory environment (business knowledge, operational risks, controls).
- Experience in the electronic banking industry (an asset).
- ISO27001, ITIL, COBIT, CEH, CISSP, CISA, CRISC, PMP certification (an asset).
- Experience as a team manager.
- Solid knowledge of IT, IT architecture, and related tools.
- Solid knowledge of IT risk management, norms and standards, and cybersecurity.
- Solid knowledge of process modeling and internal control frameworks (e.g., IIA, ISACA, etc.).
- Proficiency in communication and facilitation tools and project management.
- Excellent ability to analyze situations and operations, ability to synthesize information.
- Managerial skills, good interpersonal skills, and ability to work with multicultural teams.
- Proactive, ability to persuade.
- Listening and negotiation skills, communication and diplomacy.
- Leadership, initiative.
- Rigorous, pragmatic, and methodical.