Translating the central CISO strategy into practical and pragmatic solutions within a major SAP system renewal program, which will eventually replace a number of OnPrem SAP solutions with S/4HANA PCE and a number of SAP SaaS satellites. This includes collecting and processing information from SAP or SI contracts, (IT) processes, risk analyses, and proposing and implementing mitigating actions (with IT suppliers and SAP or non-SAP teams within the IT department) to adequately secure the company's assets (physical and electronic information, data, and IT assets). This includes, among other things, compliance with the GDPR and NIS2 standards.
Main Activities:
• Information Security Management: - Serves as the point of contact for and assists the CISO with maintaining a central Information Security Management System (ISMS) in line with international (mandated) standards for everything related to the SAP transformation program and existing and new SAP solutions; - Actively monitors and supplements the various CISO dashboards and other information sources within the CISO community regarding existing and new SAP solutions; - Monitors the defined actions of internal and external audits for the ERP organization and provides monthly feedback to department management and maintains operational contact with the Internal Audit department;
• Information Risk Management: - Monitors the CISO processes, policies, and standards (and helps improve them) for defining, developing, and applying \"information risk analysis, risk treatment and risk monitoring\" to the business and IT processes that have been or will be implemented with the new SAP solutions; - Assists the ERP delivery teams with incorporating information risk management processes into the business and IT processes supported by existing or new SAP solutions; - Pragmatically conducts information risk analyses and monitors them together with the CISO for projects in the transformation process, as well as for operational existing situations; - Responsible for maintaining the section of the central CISO information risk register related to SAP solutions and projects; - Ensures that the risks and associated mitigating actions are clearly reported to the business owners, together with the CISO;
• CISO Solutions & Services: - Defines any requirements for cybersecurity solutions and services within the ERP organization, in close consultation with the central CISO team; - Collaborates with the CISO organization on controls for the cybersecurity services of the (IT) sourcing partners within the ERP organization; - Collaborates with the SAP Basis and central CISO teams to establish, maintain, and execute CSIRT (computer security incident response team) activities; - Guides the SAP Authorization team in setting up Identity & Access Management solutions and governance in line with central CISO guidelines;
• Governance, Policies & Awareness: - Supports the central CISO organization in developing and communicating within the ERP department policies, standards, procedures, and guidelines regarding information security and data protection; - Implements compliance and necessary controls within the ERP department according to central CISO agreements, legal regulations, and the agreed-upon review cycle; - Contributes to company-wide long-term information security awareness, in close collaboration with the HR team, internal communication, and existing training initiatives to raise awareness among internal and external employees about information security and privacy risks and teach them best practices; - Serves as the point of contact for security liaisons in the various departments for implementing policy, applying policies, and resolving security incidents with SAP solutions;
• Reporting: - Supports the central CISO team with quarterly reports to the executive committee; - Is responsible for drafting, preparing, and following up on status reports (progress, budget, resources, planning, project templates) on cybersecurity-related initiatives within the ERP organization; - Is responsible for drafting, preparing, and following up on reports on security findings from the CISO dashboards;
• IT Compliance Monitoring: - Supports the central CISO organization with establishing and maintaining an IT audit and IT compliance framework, in line with legal requirements or strategic IT objectives, and is responsible for the administrative follow-up of outstanding (audit) improvement proposals within the ERP organization and SAP solutions;- Establishes close collaboration with the Data Protection Officer and the Information
Risk Manager (risk identification) to exchange audit findings and compliance violations within the SAP applications or ERP organization; - Supports the execution of IT audits and IT compliance assignments based on information security and data protection policies and Information Risk Management processes, identifying deficiencies or violations within the (existing or new) SAP applications and the (existing or new) IT processes within the ERP organization;
- Facilitates the writing up of findings, both at a high-level (executive summary) and technical level (architects/engineers/developers), including proposing mitigation scenarios;
• Knowledge Development: - Stays informed of new developments in SAP and CISO domains and makes proposals for how these can be applied within the ERP organization; - Stays informed about security threats, market developments, technologies, relevant legislation, IT technical and other security developments; - Continuously attends training courses, seminars, webinars, etc., and helps disseminate this knowledge within the ERP organization; Minimum knowledge and experience (conformity criteria)
• Minimum 5 years of experience as a CISO officer in a large enterprise;
• Minimum 3 years of experience with IT Security & Risk Management within an SAP context;
• Minimum 3 years of experience with the implementation and operations of CISO solutions & services within a modern SAP cloud-based context;
• Minimum 3 years of experience with IT Audits & Compliance within an SAP context;
• Minimum 2 project lifecycles in a leading role to achieve/maintain ISO 2700x and GDPR certifications in an SAP context;
• Minimum 5 years of experience as an SAP Project or Program Manager with at least 3 years of experience with SAP cloud-based solutions;
• Minimum C1-level knowledge of Dutch, French, and English;
• Certifications: PMP, CISSP, CISM, or CISA are a plus;
Comments: 1 - Only missions longer than 9 months will be accepted for the years of experience. Shorter missions may be relevant for knowledge development, but are not counted towards the number of years of experience; 2 - We are NOT looking for an SAP authorization consultant, but an SAP project manager who is familiar with all CISO areas;
• Responsibility Scope
• Information Security Management;
Information Risk Management;
• CISO Security Solutions & Services;
• Governance, Policies & Awareness regarding information security and data protection;
• Coordination and management of one or more projects and initiatives within the ERP organization, in collaboration with the central Information Security department;
• Reporting on the CISO domains and security findings;
• Monitoring IT Compliance;
• Keeping your own knowledge up-to-date and expanding; Possible consequences of incorrect decisions and/or incorrectly executed activities: - Late or inadequate security policies, procedures, and guidelines;
- Late identification and treatment of information security risks;
- Lack of awareness among internal and external employees regarding information security & privacy risks and best practices;
- Delivery of information security projects not in accordance with predefined project plans; - Late and/or incomplete reporting on the CISO domains to management and senior management;
- Potential system infections with far-reaching consequences for the operations of YPTO and the client;
- Potential breaches of applicable laws and regulations;
Problem solving
• The ability to execute multiple projects in parallel and coordinate work across multiple people; • Ability to implement established frameworks, procedures, policies, standards, and awareness programs;
• Making accurate risk assessments, analysing security incidents, and proposing solutions and mitigations;
• Giving and preparing presentations to senior management and directors;
• Keeping up-to-date knowledge in rapidly evolving domains (trends, technology, SAP, etc.);
• Is bound by the policy and vision regarding Information Security, the strategic CISO plan, ISO 2700x, applicable legislation (GDPR, NKI, NIS, etc.), and international standards;
• Refers to the manager in case of escalations, to discuss incidents, to validate project plans, budgets, resources, and (interim) reporting;
• Communication
• Speak and write fluently in Dutch, French, and English;
• Explain a technical issue in a structured manner that is understandable to laypeople;
• Speak and write fluently in Dutch, French, and English;
• Explain a technical issue in a structured manner that is understandable to laypeople;
• Speaks and writes fluently in Dutch, French, and English;
• Explains a technical issue in a structured manner that is understandable to laypeople; Internal Contacts
• Daily to weekly contact with fellow CISO officers regarding policy, projects, and incidents;
• Daily contact with the various ERP teams and IT departments regarding the coordination and management of information security projects;
• Weekly contact with Heads of CISO, ERP, IT PMO, etc.