Local Chief Information Security Officer

Location France, France
Experience level Experienced Hire
Job details sector Information Technology
Apply before Permanent offer



Level of priority     


Necessary: The responsibility/objective is necessary and must be considered as medium priority.

Important: The responsibility/objective is important and must be considered as high priority.

Crucial: The responsibility/objective is crucial and must be considered as top priority.



Technical competencies


E1 Awareness: Understands the skill and its application. Has acquired and can demonstrate basic knowledge associated with the skill. Understands how the skill should be applied but may have no practical experience of its application.


E2 Basic application: Understands the skill and applies it to basic tasks under some supervision. Has acquired the basic knowledge associated with the skill, for example has acquired an academic or professional qualification in the skill. Understands how the skills should be applied. Has experience of applying the skill to a variety of basic tasks. Determines when problems should be escalated to a higher level. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill.


E3 Skillful application: Understands the skill and applies it to complex tasks with no supervision. Has acquired a deep understanding of the knowledge associated with the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of complex tasks. Demonstrates significant personal responsibility or autonomy, with little need for escalation. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill. Contributes ideas for technical development and new areas for application of the skill.


E4 Expert: An authority who leads the development of the skill. Is an acknowledged expert by peers in the skill. Has experience of applying the skill in circumstances without precedent. Proposes, conducts, and/or leads innovative work to enhance the skill.



Behavioural competencies


Novice: Demonstrates the ability primarily under supervision and displays competence in some situations

Intermediate: Demonstrates the ability with some guidance and is able to leverage competency in multiple situations

Mastery: Demonstrates the ability independently and is able to leverage the competency in all types of situations with consistency




Required technical competencies


**Level: E1=Awareness, E2=Basic application, E3=Skilful application, E4=Expert




Information Security Management (E3/E4)


A1 – Governance

A2 – Policy & Standards

A3 – Information Security Strategy

A4 – Innovation & Business Improvement

A5 – Information Security Awareness and Training

A6 – Legal & Regulatory Environment

A7 – Third Party Management



Information Risk Management (E3/E4)


B1 – Risk Assessment

B2 – Risk Management



Implementing Secure Systems (E2/E3)


C1 – Security Architecture

C2 – Secure Development



Information Assurance Methodologies and Testing (E2/E3)


D1 – Information Assurance Methodologies

D2 – Security Testing



Operational Security Management (E3 - Expertise)


E1 – Secure Operations Management

E2 – Secure Operations & Service Delivery

E3 – Vulnerability Assessment



Incident Management (E2 - Experience)


F1 – Incident Management

F2 – Investigation

F3 – Forensics



Audit, Assurance & Review (E2/E3)


G1 – Audit & Review



Business Continuity Management (E2 - Experience)


H1 – Business Continuity Planning

H2 – Business Continuity Management



Business skills and competences (E3/E4)


J1 – Teamwork and Leadership

J2 – Delivering

J3 – Managing Customer Relationships

J4 – Corporate Behavior

J5 – Change and Innovation

J6 – Analysis and Decision Making

J7 – Communication and Knowledge Sharing



Required soft skills & Behavioral competencies

**Level: Novice, Intermediate, Mastery



Leadership (Mastery)


  • Creates an environment for developing & fostering leadership excellence
  • Effectively communicates the group vision & goals & the benefits in achieving the same
  • Recognizes potential leaders & provides them with challenging assignments/stretch goals
  • Takes calculated risks in decision-making & seeks inputs from the team / stakeholders for the same
  • Creates mechanisms to recognize individual/group contribution & achievements
  • Can effectively mentor others to acquire this competency


Strategic Thinking (Mastery)


  • Articulates a vision, develops organizational goals and strategies
  • Maintains a large-scale perspective, aligns actions with and contributes to the enhancement of the overall organizational strategy, including learnings from benchmarking activities and reviews
  • Understands and articulates the projected direction of the organization and how changes might impact the group
  • Is aware of the projected directions of the external environment and key differentiators vis-a-vis competition and uses this information to anticipate how these changes would impact the organization



Problem solving (Intermediate)


Recommends solutions relevant to the complexity, scope, risk and magnitude of the problems impacting the service level



Planning (Intermediate)


  • Think and plan up to 2-5 years ahead, depending on the projected project/programme duration to ensure the successful delivery of outputs, particularly when preparing budgets and resource requirements
  • Provides input into planning of the direction of the on-project change implementation team
  • Required to analyse and critically evaluate information as well as formulate plans based on multiple sources of information
  • Forward planning required e.g. target setting and forecasting trends
  • Ability to manage action plans, review progress and make adjustments where required



Decision making (Intermediate)


  • Advises on decisions regarding strategy, policy, and structures
  • Quick to assimilate and integrate new information for informed decision making
  • Monitor changes in the operating environment, quick to act upon potential opportunities.
  • Able to weigh things up quickly and take the initiative within limits of authority.



Coaching and Mentoring (Intermediate)


  • Coaching: The process of assisting individuals to set goals and then supporting the execution of those goals by establishing strategy and providing feedback, insight and guidance to enable the individual to reach their fullest potential.
  • Mentoring: The process in which an experienced colleague is assigned to an inexperienced individual and assists in a training and development or general support role



Interpersonal skills (Mastery)


  • Assertiveness, empathy, active listening
  • Oral communication, persuasive skills








  • A degree in information security, computer science, information management systems, Business, Accounting or related field
  • A post-graduate degree in information security or general management (such as an MBA) is an advantage but not essential





  • Information Security and/or Information Technology industry certification (CISSP-ISSAP, CISM, ISO 27001 Lead Auditor, GIAC or equivalent) strongly preferred
  • Member of Institute of Information Security Professionals (M.IISP)



Overall work experience in the field


  • Experience in information security, IT audit or related area > 10 years
  • Leadership/ management experience > 7 years
  • Previous experience managing a remote/international team preferred
  • Previous experience as interim or acting Chief Information Security Officer, or extensive experience reporting to a CIO, Chief Audit Officer, Chief Risk Officer or other senior executive in an international organization



Skills / abilities


  • Strong networking skills
  • Team player
  • Ability to apply analytical rigour to understand complex business scenarios
  • Fluent in English



Job Purpose


  • Lead the local implementation of the Target Operating Model, agreed between Group CSO and Local CIO, in line with the Regional CISO
  • Act as a key advisor to local entity senior management (CEO, CIO, CRO, Regional CISO) on information security matters (e.g. information risk management, cybersecurity, information security control, monitoring, information privacy, operations, identity access management, security architecture, forensics)
  • Act as a leader at the local entity to drive information security in terms of assessment, risk appetite, reporting and promotion within the entity, and to advise and challenge businesses
  • Drive cultural and organizational change throughout the local entity and implement a sustainable information security practice
  • Lead, develop and deploy a portfolio of information security services for the local entity
  • Contribute to the development of the security shared services and ensure implementation of the shared services within the local entity 







  • Job title: Local Chief Information Security Officer (LCISO)
  • Business unit: AXA Group Information Security



Reporting structure


  • Reports to: Local CIO
  • Functionally reports to: Regional CISO



Work related relationships 


  • Internal actors: Expected to interact with Risk Management, Legal, Compliance, Group Information Security, Entity Business Management, Local Internal Audit, Local Risk Management, Local IT Managers, IST Program Managers & Teams, Local CISO peers, Business Continuity Management
  • External actors: Expected to interact with regulators and professional organizations, external audit, peers



Hierarchical organization


This position reports to the Local CIO and functionally reports to the Regional CISO.



Key responsibilities – accountabilities


**Level: necessary, important, crucial



  • Collaborate with and support the Group Information Security Practice, Regional CISOs and other stakeholders as necessary to ensure that information security within the local entity is relevant, cost-effective and is delivered in accordance with the Group Information Security Strategy 
  • Serve as an expert advisor to senior management of the local entity in the implementation and maintenance of information security
  • Implement information security strategy, policies, shared security services and action plans based on the Group Information Security Strategy
  • Lead the development, implementation and successful execution of information security operations not offered by security shared services (including vulnerability management and identity and access management) at the local entity
  • Identify and analyze risks, recommend appropriate mitigation options and document all components in clear, business-intelligible language
  • Maintain an understanding of emerging technology, risks and industry trends.  Assess the impact on the business environment and recommend appropriate mitigation actions or the prioritization of projects and investments
  • Escalate the need to redirect investment or change practices to mitigate critical risks and ensure legal, regulatory or commercial compliance
  • Implement continuous improvement processes and activities (e.g. good practices, reporting, problem resolution) to ensure quality and relevance of information security services
  • Monitor and maintain system confidentiality, integrity and availability and manage information security incidents
  • Promote a culture of information security and raise awareness
  • Oversee the execution of information security projects
  • Ensure development and maintenance of auditable processes to enforce consistency within the local entity
  • Identify and implement coordinated responses to information security audit and compliance issues



  • Develop, track and control the information security budget for purchasing, staffing and operations



Company Statement


With over 102 million customers in 56 countries, AXA's strong global franchises and three lines of expertise - Property & Casualty, Life & Savings and Asset Management - provide a distinctive business portfolio. As a company whose business is to protect people, we have a responsibility to leverage our skills, resources and risk expertise to build a stronger and safer society. To achieve our mission, we are committed to redefining the standards of our business so that we truly differentiate ourselves and earn the trust of our key stakeholders. AXA is setting up a Group Information Security practice in order to reinforce its short-term risk reduction strategy, aligned with AXA strategy & culture and based on industry standards.



Business Unit Statement


To support our business strategy and digital transformation, AXA is building a new Group Information Security Practice to ensure a coordinated response to the increasing cyber security threat, enable risk decisions to be made consistently across the organization and establish sustainable security capabilities that are integrated with the business. Our vision for Information Security is to ‘protect our stakeholders by securing our information assets, managing our cyber risk and enabling business strategies in an efficient and effective way, fully supported by executive leadership and underpinned by all AXA employees’.