Chief Information Security Officer- Faulu
Job Type Full Time
Qualification BA/BSc/HND
Experience 6 years
Location Nairobi
Job Field ICT / Computer

The Central Bank of Kenya’s Cybersecurity Guidelines to Payment Service Providers (PSPs) requires all PSPs to have a Chief Information Security Officer (CISO). This is also one of the globally accepted modern cybersecurity strategic measures. The role should be fitted within the structure that allows it to have enough independence while empowering it to perform its roles effectively.

Reporting to the Head of Risk & Compliance, the holder’s role will be to implement Faulu’s Cyber security strategies, program and policy. He / she shall oversee cybersecurity and information security matters of the Bank.

Minimum Requirements

  • Bachelor’s degree in IT
  • Professional qualification such as CISA, CISM or CISSP
  • Knowledgeable in IT operations
  • Proficient in IS Security
  • At least 6 years’ experience in a large Payment Service Provider or financial institution professional services firm;
  • 4 of which should be in either of the following functions: IS Auditor, IS Security, or IT Risk.
  • Must be able to work independently with good interpersonal and project management skills.
  • Masters Degree is desirable
    Job Specification


  • Developing and implementing Faulu’s cybersecurity program and enforcing the cybersecurity policy. This includes the development of a cyber risk management plan.
  • Ensuring that Faulu maintains a current and comprehensive cyber asset and user register
  • Ensuring that Faulu’s cybersecurity strategy addresses its needs, considering its overall business strategies, risk appetite and ICT risk management policies.
  • Design cybersecurity controls with the consideration of users at all levels of the organization, including internal (i.e. management and staff) and external users (i.e. contractors/consultants, business partners and service providers).
  • Organizing professional cyber related trainings to improve technical proficiency of staff and user awareness trainings for improved cyber hygiene.
  • Ensure that adequate processes are in place for monitoring IT systems to detect cybersecurity events and incidents in a timely manner.
  • Reporting to the CEO, at least quarterly, on the following:
  • Assessment of the confidentiality, integrity and availability of the information systems in Faulu.
  • Detailed exceptions to the approved cybersecurity policies and procedures.
  • Assessment of the effectiveness of the approved cybersecurity program.
  • All material cybersecurity events that affected the Bank during the period.
  • Reporting to the Board, at least quarterly, on Faulu’s capability to manage cybersecurity and progress in implementation of the cybersecurity strategy and goals.
  • Ensure timely update of the incident response mechanism and Business Continuity Plan (BCP) based on the latest cyber threat intelligence gathered.
  • Incorporate the utilization of scenario analysis to consider a material cyber-attack, mitigating actions, and identify potential control gaps.
  • Ensure adequate backups of critical IT systems and data in line with predetermined recovery objectives (e.g. real time back up of changes made to critical data) are carried out to a site that is unlikely to be affected by a disaster event at the main processing site.
  • Ensure the roles and responsibilities of managing cyber risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff.
  • Put in place BCP and disaster recovery test plans to ensure that the Bank can continue to function and meet its regulatory obligations in the event of an unforeseen attack through cyber-crime.
  • Assessing the overall effectiveness of Faulu’s cybersecurity program.
  • Quarterly reporting on the organization’s cybersecurity posture to senior management, Board Risk Management Committee, Audit committee and the board.
  • Conduct oversight over and provide directions to any third-party service provider contracted to perform operational security functions such as information security monitoring, testing and threat intelligence.
  • Submitting the required cybersecurity regulatory returns to the Central Bank of Kenya.
  • Facilitate the following training:
  • User awareness trainings for all staff
  • Professional cyber related trainings for technical staff
  • Cybersecurity training and updates for Board Members
  • Cybersecurity awareness for customers, suppliers, partners, outsourced service providers and other third parties.
  • Submit the required cybersecurity regulatory returns to the Central Bank of Kenya, as per the prescribed timelines.
  • Ensure timely and comprehensive reports to the CEO, Senior Management, Board Risk Management Committee,
  • Audit Committee and the Board. These reports should be submitted at least quarterly.
  • Design and periodically review the Bank’s cybersecurity program
  • Support the submission of the following to the Board for approval, at least annually:
  • Cybersecurity strategy / risk management plan.
  • Cyber security policy and framework, or revisions thereof
  • Cybersecurity risk assessments and risk appetite
  • Cybersecurity budget
  • Design cybersecurity controls with the consideration of users at all levels of the organization and advise the
  • Business. Follow up with the responsible functions for implementation.
  • Ensure that business develops a cyber asset register that classifies its cybersecurity assets. Critical assets should be identified.
  • Manage the Security Operations Centre of the Bank to perform operational information security monitoring, testing and threat intelligence. Where this function is outsourced, conduct oversight over and provide directions to any third-party service provider to whom this is outsourced.
  • As the cybersecurity co-ordinator, perform the following roles:
  • Regularly review the Bank’s incident response plan. This should include a data breach response plan.
  • Regularly review the composition of the CSIRT
  • Train CSIRT members on their roles and responsibilities
  • Conduct regular tests and report test results to senior management, Board Risk Management Committee and Board Audit Committee.
  • Liaise with the Business Continuity Co-ordinator and the ICT function to ensure that adequate disaster recovery measures are in place i.e. functioning Disaster recovery site and adequate backups of critical IT systems and data in line with the required Recovery Time and Recovery Point objectives.


Click “APPLY FOR JOB”button above to apply for this job.

About Old Mutual Group

Old Mutual Kenya is based in Nairobi and is part of a larger group that offers solutions in long-term savings, asset management and investment. We offer solutions to individuals and corporates underpinned by our core values which are: Respect, Integrity, Accountability and Pushing beyond boundaries.