Head, Enterprise Security Branch
Update day: 16-11-2025
Location: Brussels Brussels Capital
Category: Finance / Bank / Stock IT - Software IT - Hardware / Networking Information Technology
Job content
1. SUMMARY
The NATO Chief Information Officer (CIO) function brings Information and Communications Technology (ICT) coherence across NATO Enterprise’s 41 civil and military bodies and more than 25,000 users. The NATO CIO is empowered to realize the Allies’ vision for the NATO Enterprise, is accountable to the Secretary General, and is responsible for the development of Enterprise directives and advice on the acquisition and use of information technologies and services. The NATO CIO provides Enterprise oversight on cybersecurity issues and, in close coordination with all relevant NATO civil and military bodies, works towards the continual improvement of the cyber hygiene and cybersecurity posture in the NATO Enterprise.
The Office of the NATO CIO (OCIO) is an integrated staff organization comprised of International Staff (IS) and International Military Staff (IMS) members.
The Enterprise Security Branch (ESB) maintains Enterprise oversight on cybersecurity and enables awareness on specific risks, processes and incidents. It supports the NATO CIO in managing cybersecurity risks and incidents at Enterprise level, and advises and supports the decision-making process for identifying the Enterprise risk appetite and risk acceptance for CIS Security. The Branch executes functions deriving from the NATO CIO Enterprise risk owner and top-level incident manager roles for cybersecurity, coordinating incident response, business impact analysis, risk mitigation, mid- to long-term mitigation measures and lessons-identified definition. The Branch also maintains relations with key Enterprise military and civilian stakeholders at strategic, operational, tactical and technical levels.
The incumbent will be responsible for leading the Enterprise Security Branch and supporting the NATO CIO in exercising her/his role of Single Point of Authority for cybersecurity at Enterprise level. S/He will advise the NATO CIO on risk management matters related to NATO systems, support the determination of the cybersecurity risk appetite for the Enterprise, and advise on overall efforts for communications security, including cryptographic assets. S/He will also be supporting the identification, proposal and consolidation of policy changes related to the Branch responsibilities, in close coordination with other NATO policy-making bodies.
The successful candidate will be part of developing and shaping a new function for NATO. Key challenges and deliverables include:
#1 Delivering and implementing an Enterprise Risk Management Framework
The Head of ESB will need to work collaboratively across the NATO Enterprise to support the Chief Information Officer in planning and implementing a new comprehensive and coherent framework for risk management. This will cover Enterprise ICT capabilities and services addressing requirements in the political, military and technical domains. How can this task be approached? What are the main steps and key milestones to create, socialize, implement and monitor the framework implementation?
#2 Establishing the CIO Cybersecurity strategic oversight role
The Head of ESB will pioneer and lead an approach to allow the NATO CIO to exercise strategic oversight for cybersecurity across Enterprise Entities. This includes the development and implementation of coherent, efficient and effective Enterprise processes and tools to support and enable a secure, agile and connected Alliance. What are the best-of-breed tools available on the market for cybersecurity? How could they be assembled into a coherent cybersecurity infrastructure?
In addition to the application form, candidates are expected to submit a Word or PDF document, maximum of two A4 pages, summarising their views on the above-listed key (and possible other) challenges, and how they would address them if selected for the position.
2. QUALIFICATION AND EXPERIENCE
ESSENTIAL
The incumbent must possess:
- a University degree, or an equivalent level of qualification, in information and communications technology or in a cyber-security related discipline;
- 10 years’ experience in a large international organization, in cybersecurity and/or information assurance roles, out of which at least 5 years in managing diverse teams;
- in-depth experience in cryptographic security, dealing with interoperability issues and capability development, including definition of long-term strategies and roadmaps for cryptographic capabilities, as well as risk management;
- 5 years’ experience in auditing and assessing the security of IT systems in civilian and/or military environments, with a focus on security accreditation processes following security frameworks and policies;
- experience in business analysis and cybersecurity business impact analysis;
- strong experience in chairing, supporting and interacting with executive/senior-level boards and committees in large organizations;
- experience in ICT project and programme management, with a strong focus on cybersecurity;
- a thorough understanding of cybersecurity in international environments, commercial and civilian standards, best practices and cutting-edge technology for cybersecurity;
- a capacity for independent conceptual analysis and intellectual leadership on issues affecting the Alliance’s ICT capabilities, services and cybersecurity;
- the ability to prepare and deliver convincing presentations, and to present complex information technology issues to non-technical audiences in order to facilitate consensus building and decision-making; and
- the following minimum levels of NATO’s official languages (English/French): V (“Advanced”) in one; I (“Beginner”) in the other.
DESIRABLE
The following will be considered an advantage:
- Master’s Degree in a discipline relevant for this role;
- market-leading technology certifications, such as COBIT, ISO2700x, MSP, PRINCE2, ITIL;
- experience with NATO security accreditation processes, including dealing with the NATO Security Accreditation Board and NATO Security Authorities;
- familiarity with the NATO civilian and military structure, and being conversant with the challenges, tasks and new missions of the Alliance in the changing strategic and politico-military environment;
- experience in impact assessment for Military Operations and Missions and development of Military/Operational-oriented contingency and mitigation plans on behalf of a CIS Operational Authority;
- experience with systems security, security architectures, network security engineering, security governance and risk management;
- experience working with large international organisations and a good knowledge of their methods of work and practices with regards to their CIS security;
- experience supporting the work of CIS Operational Authority (local or strategic);
- deep understanding of current and emerging cybersecurity technologies and how enterprises are employing them to drive digital business.
3. MAIN ACCOUNTABILITIES
Vision and Direction
Support the Chief Information Officer in developing, planning and implementing a new comprehensive and coherent Enterprise-wide Risk Management Framework. Lead and facilitate the establishment of the CIO Cybersecurity strategic oversight role. Ensure that the OCIO overall vision guides the work plans of the branch.
Policy Development
In accordance with the NATO security policies, advise the NATO CIO on security related matters regarding NATO CIS at Enterprise level. Support and contribute to policy development for matters related to CIS security management, in coordination with Security Accreditation Authorities (SAAs) and CIS Providers (CISP). Develop high-level strategic documents and suggestions to improve policies related to cybersecurity, in close coordination with all stakeholders across the NATO Enterprise.
Expertise Development
Provide cybersecurity advice and guidance to NATO Nations, NATO civil and military bodies and partner nations and international organizations. Develop high-level Operational Impact Assessments (OIA) in support of the CIO’s decision-making role for Enterprise’s cybersecurity. Write comprehensive reports for use by the responsible national and/or security authorities regarding the status of cybersecurity at Enterprise level. Direct and coordinate relevant activities while maintaining situational awareness and horizon scanning over the status of the Enterprise cryptographic infrastructure.
Representation of the Organization
Represent and speak on behalf of the OCIO and the Enterprise Security Branch in NATO committees, panels or working groups, and with industry and academia on matters pertaining to the branch domain of expertise. Act as the focal point on those matters.
Project Management
Ensure oversight at Enterprise level on cybersecurity by promoting situational awareness, improving NATO Enterprise’s Strategic risk management processes and initiatives at large, in close coordination with all relevant NATO civil and military bodies. Support cybersecurity incident management at Enterprise level, and advise on options for risk management. Lead cryptographic initiatives at Enterprise level.
Planning and Execution
Determine input to the OCIO work plans and manage the implementation of the branch tasks to achieve branch objectives.
People Management
Lead, plan, direct and supervise the work of the section personnel. Cultivate a motivating, inclusive and effective workplace. Provide mentoring, coaching and training opportunities and be available to offer guidance at critical moments. Promote transparency in decision-making, equal access to opportunities for all staff and an inclusive management culture. Ensure that all staff under her/his responsibility is clear on organizational, office and branch objectives. Provide regular and fair feedback on performance, informally as appropriate, and via the HQ Performance Review and Development (PRD) system. Participate in recruitment procedures for vacant posts in the Organisation in accordance with NATO recruitment guidelines. Identify possible development and mobility opportunities for individuals.
Stakeholder Management
Engage and coordinate with all relevant NATO Enterprise stakeholders, ensuring a broad collaboration during the development of policies, directives, guidance, implementation plans, standards and best practices. Closely coordinate with NATO staff working on the lifecycle of Enterprise capabilities and services (requirements, investments, operations, maintenance and disposal). Engage with industry and academia in the post’s domain of expertise, as required. Develop close cooperation and working relationships with stakeholders, including the Consultation, Command and Control (C3) Board, the Agencies Supervisory Boards, the Cyber Defence Committee, the Military Committee, the Resource Planning and Policy Board, and other relevant senior policy committees and boards, in accordance with OCIO responsibilities and available resources.
Financial Management
Provide inputs to the OCIO budget / Programme of Work and maintain an overview of assigned budgets, and their execution and reporting.
Organizational Efficiencies
Identify, plan and propose initiatives aimed at improving the cybersecurity posture of the NATO Enterprise and the efficiency and effectiveness across all areas of C3 capabilities, services delivery and operations.
Knowledge Management
Assess the security programs in place in NATO nations, NATO civil and military bodies, and non-NATO nations / international organizations. Develop and maintain a record of accredited and non-accredited systems and assess the status of the accreditation process at Enterprise level, possibly making suggestions and plans to improve it. Draft background briefs, progress reports, prepare presentations, and other items for high-level meetings.
Perform any other related duty as assigned.
4. INTERRELATIONSHIPS
The incumbent reports to the NATO CIO. S/He works closely with the Deputy NATO CIO for Cybersecurity and deputises for her/him as appropriate. S/He will interact with senior government and military personnel in NATO and partner nations, NATO civil and military bodies, and in non-NATO entities.
S/He will liaise with leadership in relevant international organisations, industry and academia, as required.
Direct reports: 2
Indirect reports: 9
5. COMPETENCIES
The incumbent must demonstrate:
- Achievement: Sets and works to meet challenging goals.
- Change Leadership: Personally leads change.
- Conceptual Thinking: Clarifies complex data or situations.
- Developing Others: Provides in-depth mentoring, coaching and training.
- Impact and Influence: Uses indirect influence.
- Initiative: Plans and acts for the long-term.
- Leadership: Positions self as the leader.
- Organizational Awareness: Understands organisational politics.
- Self-Control: Stays composed and positive even under extreme pressure.
- For NATO civilian staff members only: please apply via the internal recruitment portal;
- For all other applications: www.nato.int/recruitment
Candidates are requested to attach their essay to their application on Taleo by 24 October, 23h59 (CET Brussels time) at the latest.
The title of the attachment must include the vacancy reference 210782 and the words “Key challenges”.
Deadline: 31-12-2025