IN-MENA Regional Client Security Assurance Lead

Job Location

Delhi - India

Monthly Salary

Not Disclosed

Vacancy

1 Vacancy

Job Description

At EY, you'll have the chance to build a career as unique as you are, with the global scale, support, inclusive culture and technology to become the best version of you. And we're counting on your unique voice and perspective to help EY become even better, too. Join us and build an exceptional experience for yourself, and a better working world for all.

Role Title: Associate Director - Regional Client Security Assurance Lead

Sub Function: Client Security Assurance

Objectives of the role

The Regional Client Security Assurance Lead Associate Director plays a pivotal role in leading a team responding to security risk assessments and due diligence exercises from clients in the IN/MENA region. This position requires extensive collaboration with various global and local functional teams such as Data Protection, Risk Management, Compliance, Counsel, Procurement, Information Security, Technology and EY service lines. This role is responsible for leading and supporting client and regulatory inquiries about EY's Global Information Security program. It assists EY client engagement teams by addressing client requests regarding how EY secures our client information using comprehensive technical controls and governance processes in line with EY Global Information Security requirements. This position involves managing multiple requests and responsibilities while supporting complex security assessments throughout various stages of the engagement life cycle. Additionally, it requires staying current with updates in EY's Information Security posture and technology offerings, thereby contributing to business growth and the development of new business opportunities.

Key Responsibilities

The Regional Client Security Assurance Lead serves as a dependable client security relationship manager for key EY clients throughout the client engagement lifecycle, aiming to sustain and expand business operations. Furthermore, this position involves leading a team, projects, performing data analytics and management of operational processes within IN/MENA Client Security Assurance.

  • Team Lead: Lead team members to foster career growth and help them become knowledgeable about the EY Information Security Program and facilitate client security assessments. Implement operating model for the IN/MENA Client Security Assurance team in alignment with our business objectives.
  • Drive the Evolution of Client Security Assurance: Actively participate in the development, implementation and ongoing enhancement of the Client Security Assurance function in alignment with industry best practices.
  • Facilitate Security Assessments: Act as a key resource for client and engagement teams by providing expert guidance on inbound security assessments related to EY's Global Information Security Program, fostering trust and confidence in the EY Global Information Security Program and the controls in place to protect data, along with safeguarding the confidentiality of our security controls. This also helps build EY's reputation and brand in the market. Clearly communicate with clients and their appointed auditors pertinent and appropriate details of the EY Global Information Security Program.
    • Provide critical support to EY's approach to winning new business and sustaining existing business relationships.
    • Provide consulting services to account teams related to client security assessments and their Supplier Risk Management framework.
  • Meet with Clients: Participate in client meetings as an Information Security representative, supporting EY account teams by addressing client inquiries related to the EY Global Information Security Program.
  • Support Request for Proposal (RFP) process: Partner with client engagement teams to support the RFP process by addressing information security questions to help secure more business for EY.
  • Engage with Regulators: Support inquiries and assessments from select local regulators, highlighting EY's commitment to transparency and compliance in governance processes, technologies and information security controls.
  • Support Contractual Compliance: Review and provide strategic commentary on information security requirements in client contracts, aligning with EY's Information Security Program. Assist EY Legal Counsel and Client Account Teams in negotiating terms that protect both EY and client interests.

Qualifications

  • Minimum 15-19 years of recent progressive IT security, compliance, risk management or related IT security experience with a large IT organization; preferably within a professional service firm, software product, cloud-based solutions or other companies serving clients that are highly regulated entities.
  • Bachelor's degree from an accredited college or university is preferred.
  • A good understanding of cloud infrastructure, networking, modern software development and technical security controls is required.
  • Strong executive presence, negotiation, presentation and communication skills are required.
  • Excellent analytical and problem-solving skills to assess and solve complex security issues.
  • Ability to work and navigate through EY's Global firm, understanding diverse perspectives and global client requirements.
  • Ability to maintain calm during client assessments and respond to questions consistently, confirming internally the accuracy of responses before presenting them.
  • Proven experience in client-facing roles, particularly in handling security assessments, ideally from client inquiries but can also be the result of experience performing security assessment of suppliers.
  • Demonstrated ability to adopt and strive for continuous process improvement, particularly resulting from the innovation and integration of new technologies.
  • Excellent collaboration skills with the ability to engage effectively with cross-functional teams and stakeholders.
  • Knowledge of various information security frameworks such as ISO27001/2, AICPA System and Organization Controls (SOC) Reports (SOC1, SOC2 and SOC3), NIST, COBIT and relevant regulatory requirements such as GDPR.
  • Certifications such as CISSP, CISM, CISA, ISO 27001 Auditor, CRISC, CIPP are preferred.
  • Keep up to date with industry trends, emerging technologies and best practices.

Good understanding in the following concepts and domains:

  • Governance, Risk and Compliance: A system that ensures that organizations enforce governance, implement risk management strategies and ensure regulatory compliance.
  • Multitier Network Architecture: A design separating resources between the Internet and the internal infrastructure, incorporating multiple network layers. For on-premise solutions, this includes a DMZ (Demilitarized Zone) architecture. In cloud environments, it involves a combination of Network Security Groups (NSG), Virtual Networks (VNETs), IP-based restrictions on connections between resources and Web Application Firewalls (WAF).
  • Cloud security architecture: Cloud security architecture's purpose is to provide a structured framework for securing data, applications and infrastructure in cloud environments. It includes the definition of security principles and a governance framework for all cloud services and applications from development through production.
  • Distinction of Cloud Service Models such as IaaS, PaaS and SaaS, and shared responsibility matrix:
    • Infrastructure as a Service (IaaS): IaaS provides on-demand access to virtualized computing infrastructure, including servers, storage and networking, allowing subscribers to build and manage their own applications, operating systems and data while the cloud provider manages the underlying infrastructure.
    • Platform as a Service (PaaS): PaaS offers a platform for developers to build, deploy and manage applications without the need to manage the underlying operating systems and infrastructure.
    • Software as a Service (SaaS): SaaS delivers software applications to users over the internet, allowing them to access and use the software without installing or managing it on their own devices. We will be dependent on the SaaS providers for the security controls to protect EY and client information.
  • Application security: Measures taken to protect software applications from threats and vulnerabilities that can compromise the confidentiality, integrity or availability of the data.
  • Identity and access management: Includes use of authentication mechanisms, authorization measures and privileged account management.
  • Encryption standards: Standards for cryptography used to protect data-at-rest and data-in-transit, as well as provide a means of validating the authenticity, non-repudiation and integrity of data.
  • Endpoint security capabilities: Standards to protect endpoints such as laptops, desktops, smartphones and tablets against cyberattacks.
  • Incident response plan: The documentation of a predetermined set of instructions or procedures to detect, respond to and limit consequences of malicious cyber-attacks against an organization's information system(s).
  • Business impact analysis: Predicts the consequences of a disruption to your business and gathers information needed to develop recovery strategies.
  • Disaster recovery: Understand the disaster recovery plan for the applications used to support our clients.

Stakeholder management

This role is a combination of technical and business acumen, capable of communicating and advocating EY's brand as it relates to the Information Security Program across a wide range of stakeholders. This requires communication skills adaptable to the appropriate audiences that address different perspectives, goals and levels of technical knowledge. It also requires the ability to gain trust and act as a trusted consultant and liaison between clients, account teams and EY internal security functions.

Stakeholders include:

EY | Building a better working world



EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.



Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.



Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

Employment Type

Full Time
