Doha
14 hours ago
Lead Risk & Information Protection

Job Description: Lead Risk & Information Protection

Role Purpose
The Lead, Risk & Information Protection is responsible for establishing, implementing, and continuously improving the organization’s cybersecurity governance, information protection practices, security awareness, and enterprise-wide cybersecurity program. The role ensures that all policies, processes, and controls align with organizational objectives, regulatory obligations, and industry best practices for both IT and OT (Operational Technology) environments. This position requires strong leadership, independent decision-making, and the ability to drive security maturity across a complex enterprise.

Key Accountabilities

Governance, Risk & Compliance (GRC)
- Develop, implement, and maintain comprehensive cybersecurity policies, standards, and procedures aligned with leading frameworks such as NIST and ISO 27001.
- Ensure continuous compliance with internal policies, regulatory requirements, and audit standards.
- Lead and mature the organization’s information security governance framework, embedding cybersecurity requirements across all DBS programs and projects.
- Oversee Business Impact Analysis (BIA) and Risk Assessments (RA), ensuring alignment with the organization’s threat landscape and industry best practices.
- Develop and maintain detailed records of risk assessments, control evaluations, and audit findings.
- Provide regular updates to the enterprise risk register in collaboration with CPD and other stakeholders.
- Act as the primary focal point for internal and external audits, ensuring timely submission of evidence and corrective actions.
- Monitor emerging cybersecurity threats, trends, and technologies, evaluating their potential impact on the organization.
- Establish and develop robust governance arrangements to ensure cybersecurity requirements are captured in all DBS programs and projects.
- Identify, evaluate, protect against, and report on potential information security risks in a manner that meets compliance and regulatory requirements and supports the risk posture of the organization.
- Develop risk mitigation plans, recommend appropriate controls, and ensure their implementation in alignment with different stakeholders.
- Ensure comprehensively updated and organized records of risk assessments, control assessments, and audit findings.
- Stay updated with the latest cybersecurity threats, trends, and technologies and assess their potential impact on the organization.
- Provide regular updates and feed the enterprise risk register with the latest updates.
- Act as a focal point and collaborate with audit teams to manage the planned assessments and provide the required documents when requested.
- Collaborate with CPD to maintain an updated record of cybersecurity risks in the enterprise risk register.

Information Protection
- Lead the organization’s data protection strategy in collaboration with legal, HR, and business stakeholders.
- Provide expert guidance on information protection controls across IT and OT projects throughout the lifecycle.
- Drive standardization and maturity of data protection processes through collaboration with subject-matter experts.
- Oversee Data Loss Prevention (DLP), data classification, and data labeling activities; monitor anomalies and ensure follow-up.
- Develop, maintain, and test incident response plans related to data breaches and information protection.
- Guide the development and enhancement of Business Continuity (BC) and Disaster Recovery (DR) frameworks for critical functions.
- Plan and track IT disaster recovery exercises, ensuring evidence and documentation are up to date.
- Align BC/DR requirements with DBS and business stakeholders to ensure operational resilience.

Security Awareness & Training
- Design, implement, and maintain a robust security awareness and training program targeting human-factor risks.
- Develop an annual cybersecurity awareness plan including phishing simulations, campaigns, and training events.
- Regularly engage employees using the organization’s communication channels, in coordination with HR and PRC.
- Promote a strong cybersecurity culture through continuous communication, news updates, best practices, and campaign reporting.
- Establish and maintain a metrics framework to measure compliance and program effectiveness.

Cybersecurity Program Management
- Lead and manage cybersecurity programs and projects across IT and OT environments with medium to high complexity.
- Develop strategic roadmaps outlining initiatives, milestones, timelines, and expected impact on security posture.
- Provide periodic status reports, risk updates, and performance insights to management and key stakeholders.
- Allocate and manage resources (budget, personnel, tools) to support program initiatives effectively.
- Continuously evaluate the cybersecurity program to identify opportunities for enhancement.
- Lead, develop, and mentor team members, fostering a collaborative, inclusive, and high-performance culture aligned with organizational values.

Additional Responsibilities
- Support organizational initiatives related to employee wellbeing and corporate commitments (e.g., GHG commitments).
- Comply with all HSE, Code of Ethics, and Acceptable Use policies.
- Maintain and update security policies and standards in alignment with CMS recommendations and entity plans.
Context & Environment
With aging assets (up to 25 years old) and continuous expansion through new capital projects, the environment is heavily dependent on advanced telecom, operational control systems, and digital technologies.
The organization seeks to sustain and extend operations beyond 2042, requiring strong cybersecurity, resilience, and governance frameworks across both new and legacy systems.

Qualifications & Experience
Education
- Bachelor’s or Master’s degree in Computer Science, Information Technology, Cybersecurity, or a related field.

Experience
- Minimum 10 years in similar information security leadership roles within large enterprises (1,000+ users) across multiple geographies.
- Experience in oil & gas or manufacturing environments preferred.
- Proven experience in risk management, BIA/RA, compliance, and vulnerability assessment.

Professional Certifications
- Mandatory: CISSP and/or CISM
- Preferred: Industrial Cybersecurity certifications (e.g., GICSP)
- Additional security or risk management certifications

Technical Skills
- Strong knowledge of IT/OT security technologies, systems, and processes
- Proficiency with: SIEM, XDR, IDS/IPS, Antivirus/Antimalware, proxies, firewalls; patch & vulnerability management; information protection and classification solutions
- Strong understanding of: NIST Cybersecurity Framework; ISO 27001; Incident Response frameworks; Disaster Recovery & Business Continuity requirements; vendor management, SLA/KPI definition, and performance evaluation
- Solid grasp of enterprise architecture and digital product integration

Soft Skills
- Strong analytical mindset and problem-solving capability
- Excellent communication (written, verbal, and presentation)
- Fluent in English
- Ability to work cross-functionally, influence stakeholders, and manage change.