SN Mgr Business Protection & Cloud Compliance

Milano, IT

Vodafone

Vodafone is a leading technology communications company in Europe and Africa, keeping society connected and building a digital future. Find out more!


Role purpose:

 

The SN Manager Business Protection & Cloud Compliance provides leadership and direction through senior onshore, offshore and external professionals to reduce and avoid the risk of internal/external cyber-attacks by keeping VF infrastructure and services compliant to security requirements. This role is fully accountable from a security and compliance point of view for all private and public cloud related activities, such as the VCI managed cloud assets (OCI and DRCC) and the XaaS service environments (AWS, Azure and GCP), incl. the compliance and regulatory related work for CSB and SOX, such as UAM features on cloud. Furthermore, this role is accountable for the Group central vulnerability management, incl. scanning, detecting, and triggering remediation of vulnerabilities inside Group DC locations and Cloud.
The role is accountable to support and coordinate any actions related to S0/S1 security incidents inside Group Datacenters and Public Cloud Service as well as managing and coordinating Cyber Security Action Notifications (CSAN) in scope of Group DC locations and private and public cloud.

Frequent interaction with Group Cyber Security (CSOC/CDIM) and VCI technology and E2E teams is required.  The overall goal is to reduce and avoid the impact of internal / external cyber-attacks by keeping Vodafone cloud infrastructure and services compliant to security requirements to protect Vodafone customers, data, services, and brand.

 

The accountability of this role includes and fully covers:

• Management, tracking and coordination for all critical security incidents with impact on the cloud environment and on-premise DC locations (S0, S1)
• Accountability for the security activities assigned to VCI in the Crisis & Emergency procedure with particular focus on ransomware attacks for cloud assets
• Develops, adapts and executes strategies on the technology and business needs with specific focus on security and risk reduction in order to protect VF infrastructure, products and services from internal/external cyber-attacks
• Security prevention: manage Cyber Security Action Notice (CSAN) and announcements inside the cloud perimeter and on-premise DC locations
• Ensure, through management and coordination, full cloud compliance with regard to Patching, VN Management, Hardening and endpoint protection
• Collaboration with VCI Public Cloud Services, technical / End-to-End teams, and Local Markets / Group Entities to implement security incident related actions 
• Supervisor of UAM best practices in cloud environments and related compliance
• Definition, implementation, enhancement, and maintenance of a VCI “private & public cloud security governance framework” which fulfils the requirement of the applicable Cyber Security baseline controls for patching, hardening, vulnerability mgmt., UAM
• Management of private and public cloud security related improvements to close any compliance gaps affecting VCI
• Rollout to 100% coverage, maintain and manage the central Vulnerability Management function (on-premises and Cloud perimeter).
• Decisions are guided by major operational segment strategies and priorities (e.g. P0 items of the Tech2025 strategy, Group Cyber goal framework)
 

Close interaction with supporting Group functions and alignment with key stakeholders inside Local Market / Group Functions is mandatory to successfully deliver on the role.

This includes:
• Functional management of and collaboration with the international VCI teams that carry out tasks related to security incidents on cloud infrastructure (overall governance).
• Acting as coordinator and/or focal point / single point of contact for “Security Incident Response” within the VCI organisation (S0/S1)

Key accountabilities and decision ownership:


• Manage S0, S1 security incidents with impact on VCI cloud perimeter

• Private & Public Cloud Security Compliance 

• Response to security incidents and security notifications

• Accountable for SOX & CSB compliance inside Cloud 

• Accountable for the central Vulnerability Management function

Key performance indicators:


• 98+% S0 / S1 incident support & CSANs managed within the timeline defined in the Group Cyber Security policies

• 95+% compliance of VCI private and public cloud services with the Cyber Security Baseline controls.

• 98% coverage and fulfilment of SLAs for central Vulnerability Management
 

Core competencies, knowledge, and experience:


• 10-12 years proven IT Service experience with knowledge of IT platforms, operating system, or application services

• Working experience in IT security, with a strong focus on incident management and cloud security

• Strong read/write capabilities in English

• Structured, organized, and conscientious 

• Very good coordination and communication abilities in complex and scaled contexts
 

Must have technical / professional qualifications:


• Bachelor’s / Master’s degree in IT engineering, business management or proof of comparable working experience

• Strong understanding of IT security

• Solid understanding of private & public cloud architecture

• General background of IT service management

• Experience with the ISO 27000 norms family; general understanding of risk management concepts, SOX, PCI-DSS, GDPR, ITIL and agile/SAFe methodologies

Experience in coordination and management of functional work within international teams. 

Reports:

Direct reports:  5
Dotted reports: > 30 (VOIS TSSI, TSSR)

Location: Italy - Milan

Who we are

You may have already heard of Vodafone - We're a leading Telecommunications company in Europe and Africa. But what you might not know is that we are continuously investing in new technologies to improve the lives of millions of customers, businesses and people around the world, creating a better future for everyone.

As part of our global family, whether that's Vodafone, Vodacom or _VOIS, you'll feel a sense of pride and purpose as you contribute to our culture of innovation. We pursue equality of opportunity and inclusion for all candidates through our employment policies and practices. We recognise and celebrate the importance of diversity and inclusivity in our workspace and we do not tolerate any form of discrimination especially related to but not limited to race, colour, age, veteran status, gender identification, sexual orientation, pregnancy, ethnicity, disability, religion, political affiliation, trade union membership, nationality, indigenous status, medical condition, HIV status, social origin, cultural background, social, or marital status.

Together we can.


Tags: Agile AWS Azure Cloud Compliance CSOC GCP GDPR Governance Incident response ISO 27000 ITIL Risk management SLAs SOX Strategy Vulnerabilities Vulnerability management

Perks/benefits: Health care

Region: Europe
Country: Italy
