Head of Information Security Governance, Risk
2 weeks ago
**Job Title**: Head of Information Security Governance, Risk & Compliance

**Location**: London/Frankfurt
DWS Group (DWS) is one of the world's leading asset managers with EUR 880bn of assets under management (as of 30 September 2021). Building on more than 60 years of experience, it has a reputation for excellence in Germany, Europe, the Americas and Asia. DWS is recognised by clients globally as a trusted source for integrated investment solutions, stability and innovation across a full spectrum of investment disciplines.
We offer individuals and institutions access to our strong investment capabilities across all major asset classes and solutions aligned to growth trends. Our diverse expertise in Active, Passive and Alternatives asset management - as well as our deep environmental, social and governance focus - complement each other when creating targeted solutions for our clients. Our expertise and on-the-ground-knowledge of our economists, research analysts and investment professionals are brought together in one consistent global CIO View, which guides our investment approach strategically.
DWS is transforming and growing its internal information and cyber security team. As the Head of Information Security Governance, Risk & Compliance (GRC) and member of the CISO leadership team you will be accountable for defining and maintaining the information security strategy, policy and standards and ensuring that technology and business units are in compliance with the policy and standards. You will provide assurance that DWS is compliant with legal, regulatory, and industry requirements as applicable by carrying out appropriate internal and external reviews of control effectiveness.
**Your key responsibilities**:
- Lead DWS’s Information Security (IS) Governance, Risk & Compliance (GRC) Team
- Define and maintain the DWS information and cyber security strategy and ensure that it is aligned with the overall business objectives and strategy, supports the technology strategy, addresses regulatory requirements and client contractual obligations, and responds to the increasing cyber threat
- Provide strategic direction for DWS Group Information Security and Business Continuity Management Systems, projects and initiatives
- Define and maintain the information and cyber security policy, framework and related processes
- Govern the information and cyber security policies, standards, guidelines and procedures ensuring they reflect the current legal, regulatory and client requirements and threat landscape
- Develop and manage the information and cyber policy exceptions process
- Implement and maintain an information and cyber security risk and control framework, creating simple, consistent DWS committees and board reporting using key risk, control and performance indicators
- Develop a maturity model for, and track, information and cyber security controls
- Establish an information security training and awareness programme to create and maintain a strong culture of security across DWS, including specialised awareness content for engineers, administrators, and senior management
- Ensure that security internal controls are designed and performed in a way that delivers good business and client outcomes and demonstrates effective management of cyber risk
- Define and implement the user/privileged access attestation process ensuring a robust access control capability
- Assist the business functions and regions with ongoing information & cyber security risk management by assessing and tracking risks and policy exceptions and monitoring of the security position of the business
- Align control requirements to efficiently meet regulatory compliance and resilience requirements in relation to information and cyber security
- Facilitate the information and cyber security steering committees
- Own various DWS internal and external stakeholder relations which includes business, IT, regulators, auditors, and clients
**Your skills and experience**:
- Proven experience of increasing responsibility in information, technical or cyber security roles, with experience in building and leading an information security governance, risk & compliance team
- Security professional related certification - CISSP, CISM, CCSP, SANS or equivalent desirable
- Experience of long-term cyber security strategy development and the credibility required to influence senior stakeholders
- Experience of developing and maintaining security policies, standards and guidelines
- Knowledge of risk assessment methodologies and techniques
- Track record of developing models to establish risk appetite
- Extensive experience of security awareness programme implementation and culture change techniques
- Knowledge of key information and cyber related laws, regulations and standards (including, but not limited to, SOX, NYDFS, FCA, SOC, PCI, ISO 27001, HIPAA) and reporting requirements
- Proven experience in implementing cybersecurity standards and frameworks, e.g. ISO27001, NIST,