Head of Cyber Security job at Absa Bank

Job Summary

The Head Cyber Security Management is responsible for developing, implementing, and managing the organization’s information security strategy to protect digital assets, data, and technology infrastructure against internal and external threats. This role ensures confidentiality, integrity, and availability of information systems while aligning security initiatives with business objectives and regulatory requirements.
The Head Cyber Security Management provides strategic leadership in risk management, cybersecurity governance, and compliance, fostering a culture of security awareness across the organization. They oversee the design and execution of security policies, incident response plans, and disaster recovery strategies, ensuring resilience against evolving cyber threats. Additionally, the Head Cyber Security Management collaborates with the technology team, the Group Security Officer Team (CSO) and executive leadership to integrate security into the enterprise architecture, securing business growth, digital transformation projects and third-party engagements, and to foster a culture of security awareness across the organization so that Absa Bank Tanzania is prepared to mitigate cyber threats effectively.

Job Description

Main accountabilities and approximate time split

To provide leadership and expert advice on the selection, design, justification, implementation and operation of information and cyber security controls and management strategies, in order to maintain the confidentiality, integrity, availability, accountability, and relevant compliance of information systems.

Strategic Leadership

  • Develop, implement and execute an enterprise-wide information security strategy aligned with business objectives.
  • Advise executive leadership and board on emerging security threats, trends, and compliance requirements.

Risk Management

  • Identify, assess, and mitigate cyber and technology risks across all business units.
  • Establish and maintain a risk management framework and ensure regular risk assessments.

Policy & Governance

  • Define and enforce security policies, standards, and procedures.
  • Ensure compliance with relevant regulatory and industry standards (e.g., ISO 27001, GDPR, NIST).

Incident Response & Recovery

  • Lead the organization’s incident response program, including detection, containment, and remediation.
  • Develop and maintain disaster recovery and business continuity plans.

Security Architecture & Operations

  • Oversee the design and implementation of secure systems, networks, and applications.
  • Manage the security operations center (SOC) collaboratively with the Absa Group Team and ensure continuous monitoring of threats.

Awareness & Training

  • Promote a culture of security awareness through training and communication programs.
  • Educate employees and stakeholders on cybersecurity best practices.

Vendor & Third-Party Risk

  • Assess and manage security risks associated with vendors, partners, and third-party services.
  • Ensure contractual obligations include adequate security measures.

Budget & Resource Management

  • Develop and manage the information security budget.
  • Allocate resources effectively to support security initiatives.

Reporting & Metrics

  • Provide regular reports to executive leadership and the board on security posture, incidents, and risk.
  • Define and track key performance indicators (KPIs) for security programs.

Cyber Security

  • Conduct technical security risk assessments for defined business applications or IT installations in defined areas and provide advice and guidance on the application and operation of elementary physical, procedural, and technical security controls.
  • Continuously assess threats and vulnerabilities regarding information assets and recommend the appropriate technical security controls and measures.
  • Define, recommend, and manage cyber security controls for business initiatives and projects.
  • Threat and vulnerability assessments and remediation management.
  • Evaluate business requirements and assist with the secure design and solutioning of these requirements into system design and operation.
  • Provide reports to key stakeholders regarding the effectiveness of the cyber security posture and make recommendations for the adoption of new policies and procedures.
  • Act as a subject matter expert (SME) in conducting vendor cyber risk assessments to improve the overall vendor risk program.
  • Oversee cyber security intelligence, incident response and cyber resilience management.
  • Initiate and conduct cyber and information security readiness exercises as follows: a) at least quarterly, an exercise shall be staged to assess the ability of one or more business entities to deal with a cyber-attack; and b) once a year, an exercise shall be undertaken to assess the preparedness of the entire business to withstand cyber-attacks.
  • Validate baseline security configurations for operating systems, applications, databases, networking, and communications equipment in line with Group standards.
  • Engage with third-party vendors to evaluate new security products or as part of a security due diligence process.
  • Promote cyber and information security awareness and train employees, suppliers, business partners and customers.

Methodology and Governance

  • Formulate an organizational methodology for managing cyber and information security risks.
  • Develop and update specific and general work procedures for realizing the organization’s cyber and information security policy.
  • Integrate and coordinate all business cyber and information security efforts, including oversight and control of all business units participating in these efforts.
  • Create a framework for receiving ongoing and ad-hoc reports from various business units.
  • Coordinate cyber and information security activities, including joint exercises with business partners and service providers.

Management

  • Ensure that assessments of all cyber and information security risks within the relevant business units are undertaken, in order to analyze, assess and report the following to Senior Management:
      • The risk levels integral to the business's technological and business activities.
      • The controls required to ensure the system’s integrity.
      • The level of residual risk and exposure to cyber and information security threats the business is willing to accept in implementing these activities.

  • Ensure preparation of reports on major cyber and information security incidents to the relevant parties.
  • Draw up annual and multiannual work plans, including budgeting, prioritization, and timetables for implementing the assessment processes.
  • Prepare and submit annual reports to the Senior Management and Board, detailing the business cyber and information security defense level, weaknesses and vulnerabilities, available countermeasures, and the activities and budgets required to enhance its defenses.
  • Deliver high-quality reports to the respective sub-board committees.
  • Develop a high performing team by embedding formal performance development and informal coaching. Encourage frequent knowledge sharing between team members.

Additional Responsibilities

  • Continuously learn and monitor cyber and information security issues by identifying trends, methods and advanced developments in the field while gathering information about emerging attack techniques and ways of dealing with them.
  • Form a Cyber-Incident Response Team.
  • Analyze cyber and information security incidents that have occurred in Ghana and worldwide, and assess their potential impact on the business, as well as implement the relevant measures proposed.
  • Develop metrics and indicators to assess the effectiveness of cyber and information security systems and procedures.
  • Assess regular and ad-hoc business cyber and information security controls.
  • Be responsible for collaborating with relevant institutions involved in cyber and information security issues.

Knowledge Management:

  • Improve technical knowledge through self-learning or training, including mandatory Continuous Professional Education requirements.
  • Share knowledge in the area of responsibility with the team to ensure that audit activities are planned effectively and completed in line with quality standards and audit methodology.
  • Present effectively at stakeholder meetings and forums (e.g. Risk and Governance Forums) by sharing knowledge and information, including methodology, standards, changes and new developments, with business stakeholders on an ongoing basis.
  • Perform all other duties as reasonably assigned.

Risk and Control responsibilities:

  • Understand and adhere to the appropriate Absa Policies and Standards applicable to the role.
  • Understand and manage risks and risk events (incidents) in the role thereby contributing to the adherence to the Absa Risk and Control Framework.
  • Complete all mandatory training as required.

Technical skills / Competencies

Competencies:

  • Education: Bachelor’s degree in Computer Science, Information Technology, Cybersecurity, or a related field; master’s degree preferred.
  • Experience: Minimum 10+ years in information security roles, with at least 5 years in a leadership position.
  • Certifications: CISSP, CISM, CISA, or equivalent.
  • Technical Expertise: Strong knowledge of cybersecurity frameworks, risk management and compliance standards, as well as well-rounded technology skills such as cloud platforms (AWS, Azure), DevSecOps, and Zero Trust Architecture.
  • Leadership Skills: Proven ability to lead cross-functional teams and influence executive decision-making.
  • Communication: Excellent verbal and written communication skills; ability to present complex security concepts to non-technical stakeholders; stakeholder influence and crisis communication.

KPIs and other requirements

Key Performance Indicators (KPIs)

  • Reduction in security incidents and breaches year-over-year.
  • Compliance with regulatory and industry standards.
  • Time to detect and respond to security incidents.
  • Employee security awareness training completion rates.
  • Vendor risk assessment completion and remediation timelines.

Other requirements specific to the role:

  • Able to deal professionally, confidently, and effectively with staff at all levels, internally and externally
  • Ability to work autonomously
  • Ability to keep abreast of industry changes in both the business and marketing environments

Additional details of exceptional aspects of the demands of the role:

  • Able to work under pressure and adhere to strict and tight deadlines on a wide range of tasks
  • Able to keep abreast of developments in the business and financial services environment
  • Appreciate changes in technology and delivery channels and their impact on the financial services environment
  • Occasional business travel locally and regionally.
  • Deciding and initiating action
  • Entrepreneurial and commercial thinking
  • Persuading and influencing
  • Creating and innovating

Communication and Interaction required:

  • Staff in own area (manager, subordinates, colleagues): 30%
  • Staff outside own area: 25%
  • Internal customers (other than staff in own area): 30%
  • External Customers: 5%
  • Regulators/Government Agencies: 10%

Absa Values

Absa’s Values and Behaviours represent the set of standards which govern the actions of all of us who work for the bank and against which the performance of every one of us in Absa is assessed and rewarded:

  • Trust
  • Resourceful
  • Inclusion
  • Courage
  • Stewardship

Education

Bachelor's Degree: Computer and Information Science


Vacancy title:
Head of Cyber Security

[Type: FULL_TIME, Industry: Banking, Category: Computer & IT, Management, Business Operations]

Jobs at:
Absa Bank

Deadline of this Job:
Thursday, February 5 2026

Duty Station:
Dar es Salaam | Dar es Salaam

Summary
Date Posted: Friday, January 23 2026, Base Salary: Not Disclosed

Work Hours: 8

Experience in Months: 120

Level of Education: postgraduate degree

Job application procedure

Interested and qualified? Click here to apply
