Group Security: Head of Information Security Risk

Location France, France
Experience level Experienced Hire
Job details sector Information Technology
Apply before 11/04/2016

Job purpose

  • Manage and monitor the implementation and execution of the information security risk management methodology and processes
  • Ensure risks related to the organization, employees, customers, data and technologies are identified, assessed and managed effectively
  • Support the establishment of the organization’s information 'risk appetite'
  • Perform complex and high-profile risk assessments within the organization, in acquisitions, and with vendors and key third parties




  • Job title: Head of Information Security Risk
  • Business unit: AXA Group Information Security

Reporting structure

  • Reports to: Head of Information Security Assurance
  • Functional reports to: N/A
  • Direct reports: 2
  • Managed team size: 20 people


Work related relationships

  • Internal actors: Expected to interact with Group Risk Management, Group Legal & Compliance, Business Information Security Teams & Business Communication, IT Leadership, IT Operations & Group Internal Audit
  • External actors: Expected to interact with vendors, regulators and professional organizations, peers


Hierarchical organization

  • This position reports to the Head of Information Security Assurance and manages 2 direct reports: Information Security Risk Lead (Projects) and Information Security Risk Lead (Production)



Key responsibilities – accountabilities

**Level: necessary, important, crucial


  • Identify and analyze risks, recommend appropriate mitigation options and document all components in clear, business-intelligible language - Crucial
  • Lead risk assessment and management assignments - Crucial
  • Conduct third party assessments to ensure Group IS policies/standards are met and risks are identified and managed - Crucial
  • Perform internal reviews and assist the Information Security Practice with identifying risks and the necessary mitigation - Important
  • Perform information security risk assessments to ensure compliance with standards and industry regulations/standards - Important
  • Assess, plan and/or architect, and identify, plan and direct control initiatives designed to mitigate specific Line of Business (LOB) or firm-wide IS risks - Important



Required technical competencies

**Level: E1=Awareness, E2=Basic application, E3=Skilful application, E4=Expert


Information Security Management - E4

A1 – Governance

A2 – Policy & Standards

A3 – Information Security Strategy

A4 – Innovation & Business Improvement

A5 – Information Security Awareness and Training

A6 – Legal & Regulatory Environment

A7 – Third Party Management


Information Risk Management - E4

B1 – Risk Assessment

B2 – Risk Management


Implementing Secure Systems - E3

C1 – Security Architecture

C2 – Secure Development


Information Assurance Methodologies and Testing - E3

D1 – Information Assurance Methodologies

D2 – Security Testing


Operational Security Management - E2

E1 – Secure Operations Management

E2 – Secure Operations & Service Delivery

E3 – Vulnerability Assessment


Incident Management - E1

F1 – Incident Management

F2 – Investigation

F3 – Forensics


Audit, Assurance & Review - E3

G1 – Audit & Review


Business Continuity Management - E3

H1 – Business Continuity Planning

H2 – Business Continuity Management


Business skills and competences - E3

J1 – Teamwork and Leadership

J2 – Delivering

J3 – Managing Customer Relationships

J4 – Corporate Behavior

J5 – Change and Innovation

J6 – Analysis and Decision Making

J7 – Communication and Knowledge Sharing



Required soft skills & Behavioral competencies

**Level: Novice, Intermediate, Mastery


Leadership (Mastery)

  • Creates an environment for developing and fostering leadership excellence
  • Effectively communicates the group vision and goals and the benefits in achieving the same
  • Recognizes potential leaders and provides them with challenging assignments/stretch goals
  • Takes calculated risks in decision-making and seeks input from the team / stakeholders for the same
  • Creates mechanisms to recognize individual/group contribution and achievements
  • Can effectively mentor others to acquire this competency


Strategic Thinking (Intermediate)

  • Articulates a vision, develops organizational goals and strategies
  • Maintains a wider perspective, aligns actions and contributes to the enhancement of the overall organizational strategy, including outputs from benchmarking activities and reviews
  • Understands and articulates the projected direction of the organization and how changes to it might impact the group
  • Is aware of trends in the external environment and key differentiators vis-a-vis competition and uses this information to anticipate how these changes would impact the organization


Problem solving (Mastery)

  • Recommends solutions relevant to the complexity, scope, risk and magnitude of the problem


Planning (Mastery)

  • Plans up to 2-5 years ahead (particularly when preparing budgets and resource requirements) in accordance with the project/program portfolio to ensure its successful delivery
  • Provides input into planning and prioritization of project activities
  • Required to analyze and critically evaluate information as well as formulate plans based on multiple sources of information
  • Forward planning required e.g. target setting and forecasting trends
  • Ability to manage action plans, review progress and make adjustments where required


Decision making (Mastery)

  • Advises on decisions regarding strategy, policy, and structures
  • Quick to assimilate and integrate new information for informed decision making
  • Monitors changes in the operating environment and is quick to act upon potential opportunities
  • Able to quickly evaluate a situation or issue and take the initiative within limits of authority


Coaching and Mentoring (Intermediate)

  • Coaching: The process of assisting individuals to set goals and then supporting the execution of those goals by establishing strategy and providing feedback, insight and guidance that enable the individual to reach their fullest potential
  • Mentoring: The process in which an experienced colleague is assigned to an inexperienced individual and assists in a training and development or general support role


Interpersonal skills (Mastery)

  • Assertiveness, empathy, active listening
  • Oral communication, persuasive skills




  • Bachelor degree in Computer Science, Engineering, or related field
  • An MSc in Information Security would be desirable but is not essential
  • Information Security and/or Information Technology industry certification (CISSP, CISM, GIAC, ISO27001 Lead Auditor or equivalent) strongly preferred
  • Member of IISP or have the qualification, skills and experience to become a member

Overall work experience in the field

  • Experience in progressive Information Security field > 10 years
  • Experience in technical Information Security solution design and conducting technical risk assessments > 10 years
  • Experience in articulating IS risks in business language and advising on the appropriate risk management strategy for a technical solution > 3 years
  • Experience in multinational companies is an advantage

Skills / abilities

  • Ability to function effectively in a matrix structure
  • Operate comfortably at management level
  • Strong facilitation, negotiation and conflict resolution skills
  • Strong networking skills
  • Team player
  • Apply analytical rigour to understand complex business scenarios
  • Fluent in English






Level of priority

  • Necessary: The responsibility/objective is necessary and must be considered as medium priority.
  • Important: The responsibility/objective is important and must be considered as high priority.
  • Crucial: The responsibility/objective is crucial and must be considered as top priority.


Technical competencies


  • E1 Awareness: Understands the skill and its application. Has acquired and can demonstrate basic knowledge associated with the skill. Understands how the skill should be applied but may have no practical experience of its application.
  • E2 Basic application: Understands the skill and applies it to basic tasks under some supervision. Has acquired the basic knowledge associated with the skill, for example has acquired an academic or professional qualification in the skill. Understands how the skills should be applied. Has experience of applying the skill to a variety of basic tasks. Determines when problems should be escalated to a higher level. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill.
  • E3 Skilful application: Understands the skill and applies it to complex tasks with no supervision. Has acquired a deep understanding of the knowledge associated with the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of complex tasks. Demonstrates significant personal responsibility or autonomy, with little need for escalation. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill. Contributes ideas for technical development and new areas for application of the skill.
  • E4 Expert: An authority who leads the development of the skill. Is an acknowledged expert by peers in the skill. Has experience of applying the skill in circumstances without precedent. Proposes, conducts, and/or leads innovative work to enhance the skill.


Behavioural competencies

  • Novice: Demonstrates the ability primarily under supervision and displays competence in some situations
  • Intermediate: Demonstrates the ability with some guidance and is able to leverage competency in multiple situations
  • Mastery: Demonstrates the ability independently and is able to leverage the competency in all types of situations with consistency

Company statement

With over 102 million customers in 56 countries, AXA's strong global franchises and three lines of expertise - Property & Casualty, Life & Savings and Asset Management - provide a distinctive business portfolio. As a company whose business is to protect people, we have a responsibility to leverage our skills, resources and risk expertise to build a stronger and safer society. To achieve our mission, we are committed to redefining the standards of our business so that we truly differentiate ourselves and earn the trust of our key stakeholders. AXA is setting up a Group Information Security practice in order to reinforce its short-term risk reduction strategy, aligned with AXA strategy & culture and based on industry standards.


Business unit statement

To support our business strategy and digital transformation, AXA is building a new Group Information Security Practice to ensure a coordinated response to the increasing cyber security threat, enable risk decisions to be made consistently across the organization and establish sustainable security capabilities that are integrated with the business. Our vision for Information Security is to ‘protect our stakeholders by securing our information assets, managing our cyber risk and enabling business strategies in an efficient and effective way, fully supported by executive leadership and underpinned by all AXA employees’.