Information Technology Department
Cybersecurity and Compliance Unit, ITD
Asian Development Bank Headquarters
Thursday, November 9, 2023
Thursday, November 23, 2023 11:59 p.m. (2359 Manila Time, 0800 GMT)
This is a fixed term appointment or assignment for senior staff, for a period of three (3) years. This opening is open to internal and external applicants.
If you are selected as an external candidate, the appointment may be extended for a period of up to 3 years per extension, or not renewed. In case of extension, staff may continue in the position for another term of up to 3 years.
The appointment may be extended for a period of up to 3 years per extension, or not renewed. In case of extension, staff may continue in the position for another term of up to 3 years. Also, if the staff selected has a regular appointment, staff will retain the regular appointment and their selection will be considered an assignment for an initial fixed period of up to 3 years. If the staff selected has a fixed term appointment, their previous appointment will cease, and they will be given a new fixed term appointment for an initial term of 3 years.
At the end of the initial period, ADB, at its discretion, may: (a) renew a fixed term appointment or assignment, or (b) not renew a fixed term appointment.
Fixed-term appointments or assignments for senior staff are subject to terms and conditions determined by ADB as indicated in all relevant policies.
Asian Development Bank (ADB) is an international development finance institution headquartered in Manila, Philippines and is composed of 68 members, 49 of which are from the Asia and Pacific region. ADB is committed to achieving a prosperous, inclusive, resilient, and sustainable Asia and the Pacific, while sustaining its efforts to eradicate extreme poverty. ADB combines finance, knowledge, and partnerships to fulfill its expanded vision under its Strategy 2030.
ADB only hires nationals of its 68 members.
The position will be head of the Cybersecurity and Compliance Unit (ITOD-CS) within the Information Technology Department (ITD). ITD manages the information systems and technology services required for ADB’s Headquarters and Field Offices. ITOD-CS sets the Information Security standards, policies, incident management and Business Continuity approaches for Technology within ADB. The team also monitors compliance with the standards and policies within ITD.
The Advisor, ITD and Head, Cybersecurity and Compliance Unit develops, implements, drives, and monitors the enterprise vision, charter, strategy, and program for information security and IT risk management for ADB.
S/he acts as the authority for the development and enforcement of organization security strategy, standards, and policies, and has ultimate responsibility for ensuring the protection of corporate information. S/he guides the design and continuous improvement of the IT security architecture and Cyber Risk Maturity Model that balances business needs with security risks. S/he advises the board and top executives on all security matters and sets directions for complying with regulatory inquiries, legal and compliance regulations, inspections, and audits. S/he is an expert in cyber security compliance standards, protocols, and frameworks, as well as the Cyber Security Risk Management Framework.
S/he keeps abreast of cyber-related applications, hardware technologies, and services and is constantly on the lookout for new technologies that may be leveraged to enhance work processes, or which may pose potential threats. S/he is an inspirational and influential leader, who displays sound judgement and decisiveness in ensuring that corporate information is well protected and secured. S/he is strategic in his/her approach toward resource management and capability development among his/her teams.
S/he directs and manages an independent assurance program for cybersecurity to assess, monitor, and report on the operating effectiveness of security controls. S/he proactively and effectively reports on information security priorities, top risks, and action plans.
S/he is responsible for formulating, implementing, and managing institutional information security strategies and programs designed to protect ADB’s information technology (IT) systems and information from illegitimate access and to reduce/mitigate information security risks across the organization. S/he leads programs and processes to monitor the emergence of new threats and vulnerabilities, assess impacts, and drive responses, as appropriate (incident response policies and standards). S/he leads the development and maintenance of a security and risk management functional capability and framework that defines and manages ITD’s overall approach to information risk and control, aligned with ADB’s risk management strategy.
S/he ensures that clear and timely business advice is provided to management on key information security and assurance issues and that information security and risk is adequately represented on relevant business/governance forums and is known, well-integrated, and addressed across the organization. S/he maintains and implements business continuity and disaster recovery strategies and solutions to ensure organizational resiliency for ADB, facilitates information security governance through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board, and leads and manages the information security team.
S/he will report to the Director General, ITD and may supervise International, National, and Administrative staff.
a. Information Security Strategy, Policies, and Standards
- Provide Enterprise vision, leadership, and direction on information and cybersecurity and IT risk for ADB. Collaboratively engage with all ITD teams and business units to facilitate a standardized approach and structure to information security and risk.
- Identify, develop, implement, and maintain an effective information security architectural approach, incident response policies and standards, and an Information Security Management System for ADB, ensuring its alignment with the appropriate international standards and best practices (such as, but not limited to, International Organization for Standardization (ISO) 2700X, 900X, ITIL, COSO Framework, COBIT/Risk IT, BS 65000, etc.).
- Liaise with the different ITD teams to ensure that information security architecture standards, policies, and procedures are available and enacted consistently across application development projects and programs.
- Collaborate with enterprise architecture to define physical, virtual, and logical information security architecture specifications.
- Oversee the development and maintenance of an information security policy set, including standards and processes that fit the organization at all levels. Ensure consistent application of security standards across ADB’s (in HQ and field offices) technical infrastructure.
- Establish an effective information security governance capability that includes business leaders and resource owners in the security decision making and oversight.
b. Incident Response Management
- Manage the incident response process from the monitoring and detection of IT security incidents through to their remediation. Establish processes to detect, respond to, and recover from information security breaches and incidents (virus, hackers, data theft, etc.) in a timely and proactive manner.
- Liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure that the organization maintains a strong security posture.
- Implement preventive, detective, and corrective technical security controls and solutions to support information security policies, standards, and procedures.
- Respond appropriately to investigations and forensic requests, managing situations with discretion, sensitivity, and objectivity, and with due consideration of chain-of-custody.
- Liaise with other IT specialists and relevant external parties to proactively review and address technical security vulnerabilities, threats, and risks and ensure that appropriate controls are implemented to prevent recurrence of information security incidents.
c. Information Risk Management
- Strengthen sustainability of internal control reviews and ensure ongoing analysis of information security threats, vulnerabilities, and market trends. Determine potential impact on the organization’s risk posture.
- Oversee the annual IT risk assessment and attestation activities in ITD related to the Assertion exercise for ADB.
- Implement and maintain a mechanism to monitor risk response activities in ITD, and report to management regularly.
- Collaborate with application owners to understand and address (as appropriate) the risk position around key business applications.
- Ensure appropriate risk assessment is performed during IT application, product or service acquisitions.
- Liaise with the different ITD teams and other departments to ensure that IT audit findings are tracked, analyzed for impact, prioritized, and implemented in a systematic manner; ensure that all significant audit findings are closed in a reasonable amount of time; work closely with other ITD teams in implementing the IT policies and procedures required for addressing the audit findings.
- Contribute to the change control process, including review of changes made to production.
d. Business Continuity Management
- Create, administer, evaluate, update, and maintain ITD’s Business Continuity plans and disaster recovery policies and standards to align with ADB’s business continuity management program.
- Act as ITD Disaster Recovery Team Leader and coordinate the development and actual implementation/execution of ITD’s disaster recovery plans and procedures to ensure that business-critical services are recovered in the event of a security incident.
- Conduct annual disaster recovery exercise and commissioning activities, in coordination with other departments and ITD teams.
- Collaborate with business units in the assessment of potential business impacts, definition of critical, time-sensitive processes and analyses of required components as defined within the Business Impact Analysis (BIA) standard.
- Coordinate with Corporate Services Department (CSD), other departments, and different ITD teams to ensure readiness of ITD in the adoption of organizational resilience throughout the organization.
e. Business Relationship Management and Communications
- Build sound business relationships across ADB to enable a strong understanding and close alignment with business needs, direction, and risk appetite.
- Manage the creation and production of timely, accurate, and informative business and IT metrics relating to information risk initiatives. Utilize the metrics to prioritize key initiatives and respond to negative trends.
- Develop and promote information security awareness training and education for all levels of staff and service providers. Regularly review and ensure its effectiveness.
- Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security program.
f. Cyber Security Advisory
- Provide advisory services to ADB’s development operations on cyber security policies, guidelines, and methodologies.
- Recommend cyber security controls and measures, governance, and policy compliance for development operations.
- Liaise with external entities, such as cybersecurity advisory bodies, cyber threat intelligence entities, law enforcement agencies (in coordination with the Legal Department), etc., as necessary, to ensure that the organization maintains a strong security posture and is kept well abreast of the relevant threats identified by these external entities.
Relevant Experience & Requirements
- Master’s Degree, or equivalent, in Information Technology, Management Information Systems, Engineering, Computer Science, or related fields; or a University degree and at least 10 years of specialized experience relevant to the position may be considered.
- Professional security management certification, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials.
- At least 15 years of experience in a combination of risk management, information security and IT jobs, six (6) years of which must be in a senior leadership role. International experience working in several countries.
- Experience in handling audits, attestations, and internal control procedures is highly desirable.
- Experience in managing teams of more than 15 with multiple management levels.
- Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic environment.
- Knowledge and understanding of relevant regulatory requirements and common information security management frameworks, such as COSO, SOX, COBIT, ISO 17799, ISO/IEC 27001, ITIL, the NIST frameworks, etc.
- Program and project management skills: financial/budget management, scheduling, and resource management.
- Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
- Experience with contract and vendor negotiations.
- Critical thinker, with strong problem-solving skills and strong attributes in conflict resolution.
- High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity.
- Ability to foster and maintain relationships with senior business leaders.
- Ability to communicate security and risk-related concepts to technical and nontechnical audiences.
- Ability to understand the technical and business aspects of IT risk and to communicate those risks in a language the business understands so that it can make educated and informed decisions regarding appropriate levels of control.
- Excellent oral and written communication skills in English.
- Please refer to the link for the ADB Competency Framework for IS7.
The selected candidate, if new to ADB, is appointed for an initial term of 3 years.
ADB offers competitive remuneration and a comprehensive benefits package. Actual appointment salary will be based on ADB’s standards and computation, taking into account the selected individual’s qualifications and experience.
ADB seeks to ensure that everyone is trea