My Clinic KSA تعلن عن وظيفة مدير أمن المعلومات في مكة

Join My Clinic, the leading multispecialty outpatient care provider in Saudi Arabia, where our mission to help people live longer, healthier, and happier lives drives everything we do. Since 2017, we've been at the forefront of healthcare, combining innovation with a deep commitment to care, collaboration, ambition, and responsibility. As we continue to grow and reach new heights, we're looking for passionate individuals who share our vision and values

Job Summary:

The Information Security Manager leads My Clinic’s information and cybersecurity program, with a key focus on Governance, Risk, and Compliance (GRC) to ensure the protection of sensitive patient data and adherence to cybersecurity regulations, including CIS, NIST, and National Cybersecurity Authority (NCA) controls and standards. This role is responsible for developing and executing comprehensive security and risk management strategies, managing the information security team, and collaborating with IT and business leadership to safeguard sensitive data while maintaining operational integrity

Primary Responsibilitie

• Governance and Policy Development: Develop, implement, and maintain comprehensive information security and data protection policies, procedures, and guidelines to ensure alignment with industry standards (e.g., CIS, NIST, NCA) and regulatory requirements, including KSA’s Personal Data Protection Law (PDPL).
• Risk Management: Lead enterprise-wide risk assessments to identify, analyze, and prioritize cybersecurity and data protection risks. Develop and maintain a risk register, implement risk mitigation strategies, and monitor risk treatment plans to safeguard sensitive data and critical systems.
• Security Operations Center (SOC) Oversight: Oversee the outsourced SOC operations from My Clinic’s perspective, ensuring the third-party SOC provider effectively monitors, detects, and responds to cybersecurity threats. Review and enforce key performance indicators (KPIs) for the SOC, evaluate incident handling processes, and collaborate with the provider to align SOC activities with My Clinic’s security objectives and compliance requirements.
• Compliance Oversight: Ensure organizational compliance with relevant cybersecurity frameworks (CIS, NIST, NCA) and data protection regulations, including PDPL. Conduct regular compliance reviews to align with the requirements of regulatory bodies such as the Saudi Data and Artificial Intelligence Authority (SDAIA) and National Cybersecurity Authority (NCA) when necessary.
• Data Protection Impact Assessments (DPIAs): Perform DPIAs to evaluate and mitigate risks associated with processing personal and sensitive data, ensuring adherence to data protection principles and regulatory obligations.
• Incident Response and Management: Oversee the development and execution of incident response plans for cybersecurity and data breach incidents. Ensure timely investigation, mitigation, and reporting to relevant authorities within regulatory timeframes, incorporating lessons learned into risk management processes and coordinating with the outsourced SOC provider.
• Training and Awareness Programs: Design and deliver organization-wide training and awareness programs to foster a culture of cybersecurity, risk management, and data protection compliance among employees and stakeholders.
• Third-Party Risk Management: Evaluate and monitor contracts with third-party vendors, data processors, and partners, including the outsourced providers, to ensure compliance with cybersecurity and data protection requirements, including PDPL and other relevant standards.
• Auditing and Monitoring: Conduct regular audits of cybersecurity practices, data processing activities, and GRC controls to ensure ongoing compliance with internal policies and external regulations. Provide actionable recommendations to address identified gaps.
• Advisory and Collaboration: Serve as a focal point for IT and business senior management, the risk committee, and IT leadership on cybersecurity risks, data protection strategies, and GRC initiatives. Maintain and update the risk register, providing regular reports on risk status, mitigation progress, and emerging threats to the relevant risk committee and IT leadership to support informed decision-making.
• Overall IT Security Operations Handling and Execution: Oversee and coordinate the execution of IT security operations, working closely with IT and business senior management to ensure robust protection of My Clinic’s assets through proactive monitoring, threat detection, and response strategies. Integrate operational insights into risk management and security frameworks to enhance organizational resilience.
• Team Leadership and Development: Lead and mentor the internal information security team, fostering professional growth and ensuring effective execution of security and risk management responsibilities while coordinating with the outsourced SOC team.

Education / Professional Qualifications:

1. Education Degree: Bachelor’s degree in Information Technology, Cybersecurity, Computer Science, Information Systems, Business Administration, or a related field. A master’s degree in Cybersecurity, Information Security, or Risk Management is highly desirable.
2. Years of Experience: Minimum of 7 years of experience in information security or cybersecurity operations, with at least 3 years in a managerial, supervisory, or advisory role focused on Governance, Risk, and Compliance (GRC) or risk management. Experience overseeing or collaborating with outsourced Security Operations Centers (SOCs) is preferred.

Knowledge:

1. In-depth understanding of cybersecurity frameworks such as CIS, NIST, ISO 27001, and National Cybersecurity Authority (NCA) controls.
2. Comprehensive knowledge of data protection and privacy laws, including KSA’s Personal Data Protection Law (PDPL) and international regulations (e.g., GDPR, HIPAA).
3. Familiarity with KSA’s regulatory environments, including the Saudi Data and Artificial Intelligence Authority (SDAIA) and National Cybersecurity Authority (NCA).
4. Strong understanding of risk management methodologies, including risk assessment, mitigation, and reporting processes.
5. Knowledge of IT service management (ITSM) frameworks, such as ITIL, and their application to security operations.

Technical Skills:

1. Proficiency in IT operations, service management, and cybersecurity practices, including incident response, threat detection, and vulnerability management.
2. Expertise in risk assessment tools and methodologies.
3. Familiarity with security information and event management (SIEM) systems, intrusion detection/prevention systems (IDPS), and other security monitoring tools.
4. Ability to evaluate and oversee third-party security providers, including SOC performance metrics and key performance indicators (KPIs).
5. Strong analytical skills to interpret security data and integrate operational insights into risk management frameworks.

Professional Certifications:

1. CompTIA Security+ and ISC2 Certified in Cybersecurity (CC) certifications are required, with Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP) certifications preferred
2. Highly Desirable: ISO 27001 Lead Auditor (LA) or Lead Implementer (LI), Certified in Risk and Information Systems Control (CRISC), ITIL Foundation, Certified Ethical Hacker (CEH), or CompTIA Security+ for technical expertise.