The Regional Information Security Manager (RISM) is part of the Group CIO Office team and reports functionally to the Group CISO and hierarchically to the Regional Chief Digital & Information Officer (CDIO). The role contributes directly to reducing information security risks by implementing, monitoring, and continuously improving the application of the Group's information security framework across multiple entities and jurisdictions.
Key Missions
Implement and monitor the application of the Group's information security policy across the assigned scope.
Proactively identify risks, vulnerabilities, and improvement opportunities, and report them to the Group CISO.
Contribute to the continuous evolution of the Group's information security strategy by providing field insights, lessons learned, and feedback.
Collaborate with peer security managers to harmonize practices and coordinate responses to cross-entity or cross-border threats.
Act within delegated authority from the Group CISO and escalate major risks, incidents, or policy exceptions as required.
Areas of Responsibility
Information Security Policy Enforcement
Implement and monitor compliance with the Group's information security policy.
Identify local specificities and propose adaptations to global guidelines to address regulatory, organizational, or cultural constraints.
Contribute to the definition, update, and deployment of security procedures and instructions.
Promote the nomination and engagement of security correspondents within entities and encourage participation in audits, awareness campaigns, and cross-functional initiatives.
Risk Assessment & Management
Assess risks, threats, and vulnerabilities related to local projects, infrastructure, and operations.
Define and implement prevention and remediation plans adapted to identified risks.
Monitor emerging threats and escalate all major or critical risks immediately to the Group CISO.
Security Awareness & Communication
Deploy security awareness and communication programs tailored to local contexts.
Adapt awareness materials (translations, examples, scenarios) to maximize impact.
Measure campaign effectiveness and propose improvement actions, reporting outcomes to the Group CISO.
Audit & Compliance
Monitor compliance with Group security policies and applicable local and international regulations.
Identify deviations, propose corrective action plans, and alert the Group CISO when required.
Coordinate internal audits and oversee corrective actions with local stakeholders.
Act as the point of contact for external audits, regulators, and security-related disputes, escalating exceptions as necessary.
Validate corrective action plans for major deviations prior to Group CISO approval.
Security Incident Management & Business Continuity
Serve as the primary point of contact for security incidents within the assigned scope.
Coordinate incident response in line with global procedures and provide real-time reporting on major or critical incidents.
Implement immediate protective measures during crises.
Work closely with the SOC to detect, manage, and respond to incidents.
Coordinate internal and external communications during major incidents in alignment with the Group CISO.
Ensure incidents are documented in the Group incident management system.
Contribute to the adaptation and testing of Business Continuity Plans and report results for Group consolidation.
Identity & Access Management
Approve or reject privileged access requests based on the principle of least privilege.
Escalate exceptions requiring strategic arbitration.
Oversee the proper functioning of identity and access management processes across entities.
Architecture & IT Projects
Validate compliance of IT projects with Group security requirements before submission for approval.
Provide security expertise for cross-entity and cross-border initiatives.
Participate in project governance forums to represent security considerations.
Ensure security requirements are embedded throughout project lifecycles.
Third-Party & Vendor Security
Ensure security requirements are incorporated into contracts with service providers in collaboration with procurement and legal teams.
Monitor service provider compliance with Group standards while accounting for local legal or technical constraints.
Require and review security assessments for service providers and report residual risks.
Continuous Improvement & Security Watch
Monitor regulatory, technological, and threat landscape developments.
Identify opportunities to enhance tools, processes, and controls.
Share feedback, incidents, and best practices with Group security leadership and peers.
Propose and pilot security improvement initiatives where appropriate.
Reporting & Coordination
Provide regular reporting on security posture, compliance, incidents, and emerging risks.
Contribute to Group security governance forums and cross-functional initiatives.
Supply required indicators and KPIs for Group reporting.
Work closely with Data Protection, IT, and business teams to integrate security into operational processes.
Act as the primary security point of contact for entities within scope.
Mergers & Acquisitions
Support security risk assessments for potential acquisitions upon request.
Contribute to system integration activities and oversee alignment with Group security standards during transition phases.
Budget & Resources
Contribute to prioritization of security investments based on risk.
Support budget planning and monitor the use of allocated security budgets.
Coordinate and guide local security correspondents where applicable.