This is a permanent / staff position based in Doha, Qatar. Competitive base plus comprehensive package with family benefits is on offer for the right candidate.
This role will be situated in the Information Solutions (IS) Department and will report to the IS Manager. The Head of Information Security is responsible for managing information security risks within North Oil Company, for both Enterprise and Industrial Control Systems.
10+ years’ experience in a similar role, in large enterprise environments (> 1000 users), with multiple geographic locations. Oil and Gas experience (or manufacturing industries) is preferred
At least 5 years’ experience in a leadership role with budget responsibility
Graduate and / or Master’s Degree qualifications in either Computer Science, Information Technology or a related discipline.
Professional certifications in Information Security and / or Information Technology; CISSP and / or CISM at minimum is required
Strong communication skills, including written, oral and presentation skills. Must be fluent in English.
Knowledge and experience in Enterprise IT (and Industrial Control Systems) security technologies, services and processes :
Information Security models and frameworks (ISF, ISO 27001) and best practices
Architecture : Operating Systems (Windows, Linux), Network technologies and protocols
Security Architectures and controls : including Antivirus, Antimalware, proxies, web filtering and firewalls
Security Event monitoring tools and processes including Security Operations Centre.
Incident response processes and tools
Patch and Vulnerability management processes and tools
Risk Assessment, Change Management Processes
Disaster Recovery, Business Continuity
Professional certification in Industrial Cybersecurity (e.g. GICSP or similar) is desirable
Knowledge of Industrial Cybersecurity standards (IEC 62443) is desirable
Exposure to project management is desirable
Scope of Work
Main accountabilities include :
Team and budget management
Governance of the Cybersecurity Program Audit, Risk and Change Management
Development of Information Security Policies and Standards supporting the Cybersecurity program
Risk Management and remediation activities
Information Security Monitoring and Incident Response including Security Operations Centre
Definition and execution of information security projects
Stakeholder Management (internal and external)
Job Dimensions :
The role reports directly to the IS Manager, has budget responsibility and manages a team of subordinates
The role is accountable for establishing, maintaining and executing a risk-based information security program for both Enterprise and Industrial Control System (ICS) Information Security environments within NOC.
Role is based on-shore, with a requirement for periodic offshore visits to facilities within the Al-Shaheen field.
Participate in, and comply with related HSE activities (onshore and offshore)
Ensure Information security activities do not compromise health and safety intentionally
Define and execute risk-based Information Security strategy and program aligned to NOC business requirements
Report on the status and maturity of the program and cybersecurity within NOC, using appropriate metrics
Defines and executes the Information Security Risk Management framework.
Define and implement an incident response plan and establish a Computer Incident Response Team (CIRT) to respond to computer security incidents and coordinate with the Emergency Management team
Leads Cybersecurity Incident Response cases, in conjunction with Emergency Management processes
Development of Disaster Recovery Plans aligned to business continuity requirements
Provides subject matter expertise to executive management on a broad range of information security standards and best practices, such as ISO 27000, CobiT and ITIL, as well as IEC 62443 and NIST SP800 for industrial cyber security.
Coordinates and participates in regular audits through internal and external resources to assess information & cyber security performance and compliance with applicable laws, regulations and policies.
Develops Information Security awareness through targeted change and training campaigns.
Interface with relevant stakeholders (including shareholders and governmental bodies) to ensure cyber security laws, regulations and decrees are understood and complied with, and breaches are reported on.
All staff must be willing to participate in crisis response training and to assist during emergency response situations if required.
On rare occasions work may occur out of hours (including weekends and public holidays)
Context & Environment :
The Information Security environment is complex and covers both Enterprise IT and Industrial Control Systems (ICS). Much of this role is focused on Enterprise IT systems, with some interaction with ICS.