Cybersecurity Risk and Compliance Lead

ContourGlobal develops, acquires, and operates power generation facilities with proven and cutting-edge energy technologies. We are an international high-growth company, founded in 2005, that has grown exponentially to own and operate a fleet of renewable and thermal assets, located in 20 countries across 4 continents. Wherever we operate, we are committed to the highest standards of health and safety, environmental, social responsibility, our people’s well-being. Our longstanding ESG pledge includes becoming net-zero carbon by 2050.

Acquisition of ContourGlobal by the US private-equity fund KKR will enable us greatly to further expand our portfolio, increase investment in the energy transition, and take advantage of new opportunities in our core markets. Our multinational, integrated team of almost 1500 people prides itself on our culture and values, and welcomes entrepreneurial, innovative, ambitious, and collaborative professionals to come join us.

JOB SUMMARY: 

We are currently seeking Cybersecurity Risk and Compliance Lead to join our team. The Cybersecurity Risk and Compliance Lead reports to Deputy Chief Information Security Officer and has the responsibility to develop an enterprise cyber risk strategy and approach to identify and classify risks, define appropriate tolerances, prioritize mitigation activities and track remediation status in alignment with CG’s Enterprise Risk Management policies, procedures and taxonomy. This position also has a key role in Security Compliance and Third Party Management.

K                      KEY RESPONSIBILITIES:

Cybersecurity Risk

• Develop an enterprise cyber risk strategy and approach to identify and classify risks, define appropriate tolerances, prioritize mitigation activities and track remediation status in alignment with CG’s Enterprise Risk Management policies, procedures and taxonomy
• Oversee process to prioritize and track risk response/resolution; serve as a point of escalation for remediation/mitigation efforts
• Conduct or coordinate cybersecurity risk assessments and ensure development of cybersecurity requirements in support of business and technology activities, e.g., M&A, technology deployments, supplier and service provider procurement, business process change, etc.
• Conduct or coordinate periodic cybersecurity risk assessments for critical IT and OT assets
• Develop cybersecurity risk reporting for incorporation with Enterprise Risk Management’s reporting to executive management and the Board
• Define and report Key Risk Indicators (KRIs) to measure enterprise-wide cybersecurity risk management effectiveness and risk levels In alignment with the Enterprise Risk Management organization

Security Compliance and Third Party Management

• Develop an enterprise cybersecurity compliance strategy and approach in concert with corporate legal and compliance organizations
• Identify regulatory, legislative, and industry specific cybersecurity compliance requirements (e.g., NERC CIP), and define controls that can be used to meet those requirements
• Oversee supplier and 3rd party evaluation and contractual language standards; Support Procurement organization and Business stakeholders in overseeing 3rd party compliance with contractual cybersecurity requirements

Security Policies & Standards

• Establish an enterprise-wide cybersecurity policy framework, and develop a set of enterprise policies and minimum standards in line with business objectives, laws, and regulations
• Define and oversee an exception management process for cybersecurity policies, tools, and architecture
• Work with cybersecurity leadership team to set continuous improvement priorities and monitor progress
• Define and manage an enterprise-wide cyber security awareness training program to drive desired security behaviors across the ContourGlobal employee population, and create or acquire core program content

COMMIT TO LEAD WITH OUR VALUES:

• Commit to CG values as expressed in the Essential Information. Model the values in any interaction internally and externally.
• Put Health and Safety First.
• Embrace Timely Transparency.
• Model the 3Cs – Communication, Collaboration and Coordination.
• Embrace Failure analysis and continuous improvement including Five Whys.
• Seek out ways to incorporate technology and Artificial Intelligence into the company’s legal practice.

QUALIFICATION and SKILLS:

• Strong executive presence with proven ability to influence peers and senior leadership
• Experience leading Cybersecurity GRC in organizations with complex IT/OT environments
• Knowledge of current and emerging cybersecurity risks, and innovative risk management methods
• Ability to collaboratively develop a cyber risk strategy in conjunction with numerous and diverse stakeholders
• Experience with security policy, standards, and controls definition
• Prior experience developing and conducting cybersecurity compliance regimens in collaboration with corporate Legal and Compliance functions
• Ability to design an effective security awareness program, and to manage stakeholders across business areas and functions to ensure execution
• Strong analytical and critical thinking skills, and excellent written and oral communication & presentation skills
• Certified Information System Security Professional (CISSP) or Certified Information Security Manager (CISM) certification
• SANS courses: Cybersecurity Risk Management curriculum
• NERC CIP training
• A degree in computer science, IT, systems engineering, or related qualification

ContourGlobal provides equal employment opportunities and maintains a diverse workforce that reflects the rich environment of the society we live in and markets we operate.