Senior Information Security Engineer

Our client is one of the most significant players in the global insurance and

financial products market. The Group is leader in Italy and, founded in 1831 in

Trieste, is the Group's Parent and principal operating Company.

Characterised from the very outset by a strong international outlook and now

present in more than 50 Countries, the company has consolidated its position

among the world's leading insurance operators, with significant market shares in

western Europe - its main area of activity - and particularly in Germany, France,

Austria, Spain, Switzerland and Central and Eastern Europe.

The Group has - over the last decade - set up offices in the main markets of the Far

East, among which India and China; in particular, in China, just after few years of

operation, it has become the leader among the insurance companies with foreign

equity interests.

Currently they are looking for an
Information Security Engineer (GRC)
to join the

company.

Tasks and responsibilities

The Cybersecurity Risk and Governance Analyst fulfils the following tasks:

● Understanding how different cyber risks can affect the organisation's

operations, prioritises efforts to secure the most vital aspects of the business

and minimise potential disruptions, data breaches, noncompliance, financial

penalties or reputation.

● Assesses the potential impact of cybersecurity risks on critical business

processes and functions.

● Aligns cybersecurity risk management with overall business objectives.

Understand the organisation's strategic goals and ensure that cybersecurity

measures are integrated seamlessly.

● Collaborates with department stakeholders to balance security

requirements and the need for business agility, innovation, and growth.

● Understands the financial implications of cyber risk and leverages

insurance as a tool to manage residual risks effectively.

● Ensures that cybersecurity-enabled products or other compensating

security control technologies reduce identified risk to an acceptable level.

● Performs cyber risk trend analysis and reporting.

● Performs security reviews and identifies security gaps in security

architecture, resulting in recommendations for inclusion in the risk

mitigation strategy.

● Works with stakeholders to communicate business risk and risk

mediation in accordance with agreed protection levels.

● Plans and conducts security authorisation reviews and assurance case

development for initial installation of systems and networks.

● Reviews authorization and assurance documents to confirm that the

level of risk is within acceptable limits for each software application, system,

and network.

● Verifies that application software/network/system security postures are

implemented as stated, document deviations, and recommend required

actions to correct those deviations.

● Performs risk analysis (e.g., business impact, and probability of

occurrence) whenever an application or system undergoes a major change.

● Builds remediation plans for business risks identified during risk

assessments, audits, inspections, etc.

● Assures successful implementation and functionality of security

requirements and appropriate IT policies and procedures that are consistent

with the Generali Hellas mission and goals.

● Responsible for confidentiality of client information and compliance

with department standards and procedures

● Provides knowledge and expertise in government regulatory processes

and documentation, including but not limited to Risk Management Approach

(RMA), National Institute of Standards and Technology (NIST) standards,

and policies and procedures.

Requirements

● BS or MA in computer science, cybersecurity or a related field

● 3+ years of experience in an IT audit, enterprise risk management (ERM)

role or cyber risk management role

● 3+ years of experience with regulatory compliance, risk management

frameworks and information security management frameworks (e.g. ISO

27000, NIST CSF, NIST Risk Management Framework, ISO 27005, etc.)

Desired, but not required:

● Certified in Risk and Information Systems Control (CRISC), Certified

Information Systems Security Professional (CISSP), Certified Information

Systems Auditor (CISA), Certified Information Security Manager (CISM)

Technical and Business Experience

● Experience communicating complex technical concepts to non-technical

audiences.

● Experience with cybersecurity principles and practices, including risk

management, security controls, and incident response.

● Experience with cybersecurity frameworks and standards, such as the

NIST CSF and ISO/IEC 27001.

● Strong background in conducting Business Impact Analysis (BIA) to

evaluate the potential impact of cybersecurity risk on critical business

processes and functions.

● Proven track record in performing Cost-Benefit Analysis of Security

Measures, including assessing the cost-effectiveness of cybersecurity

measures in relation to potential business losses.

● Expertise in identifying and assessing risks to the organization's

business, focusing on prioritizing efforts to protect vital aspects and

minimise disruptions.

● In-depth knowledge of cybersecurity principles and practices,

encompassing risk management, security controls, and incident response.

● Experience with relevant security standards and applicable regulations,

such as PCI DSS, EU DORA and NIST framework