Chief Information Security Officer (CISO) Distribution Nordic & Baltic

The Distribution Nordic & Baltic Chief Information Security Officer (CISO) is responsible for the security (availability, integrity and confidentiality) of all systems and data in use within his/her reporting scope at Saint-Gobain Distribution Nordic & Baltic, and accountable for those managed by another team (e.g. GDI, web agency, etc.). The CISO works with appropriate levels of management, both at company and Nordic & Baltic level, and at Region level with the Regional CISO, to ensure the implementation of Saint-Gobain cybersecurity standards and the monitoring of cybersecurity risks. He/she reports to the Group CDIO in Saint-Gobain Distribution Nordic & Baltic.
The CISO’s scope of responsibility includes:
- The security of Applications (including web applications) used by businesses in the cluster.
- The security of Industrial systems for central warehouse locations of businesses in the cluster.
- The security of Data and assets used by businesses in the cluster.
- The security of Infrastructure for IT solutions used by all Businesses of the Group in the Region (both Cluster/Country and global Businesses).
On this scope, the activities of the CISO must cover the following areas:
- Strategy, Risk & Governance
- Policies, Compliance & Controls
- Security Architecture, Design & Projects
- Operational Security
- Incident Management, Crisis Management
- Business Continuity & Disaster Recovery
- Cyber Communication & Awareness
- Acquisitions & Divestitures
MAIN TASKS AND DUTIES
- Strategy, Risk & Governance
The CISO is responsible for evaluating risks, defining strategy and setting up an appropriate governance model on his/her Cluster and Business perimeter, in line with strategy defined by the Region CISO, to:
- Identify threats, security-related laws and regulations, vulnerabilities, and security trends relevant to the geographical scope and business sectors.
- Evaluate cybersecurity risks on the Cluster and Business perimeter.
- Design and implement a cybersecurity roadmap, based on the Group cybersecurity roadmap, Cluster/Country and Business specific cybersecurity risks and local legal/regulatory requirements; validate the roadmap with the Region / Business and ensure appropriate reporting.
- Manage security governance on the Cluster/Country and Business perimeter, by defining and setting up the necessary follow-up meetings and communication channels with all Business and IT stakeholders.
- Define and organize reporting through KPI and KRI dashboards and ensure regular distribution of reporting and KPI to Region CISO, Group CDIO as well as to Country/Cluster Business management.
- Collaborate in Regional initiatives and share best practices, expertise, and information within his/her team.
- Hire, lead and manage a world-class Security and IT team that meets the needs of a dynamic and scaling organization.
- Develop a comprehensive plan to attract, train and retain professionals with the requisite skills and interest in pursuing a cybersecurity career.
- Policies, Compliance and Controls
The CISO oversees the application of security rules and standards on his/her Cluster/Country and Business perimeter:
- Communicate and explain Saint-Gobain security policies to stakeholders
- Ensure that Saint-Gobain security policy rules are correctly applied on the perimeter
- Define implementation and operational guidelines for IT services, according to central guidelines, to be compliant with Saint-Gobain security policy rules
- Ensure the recording and monitoring of security exceptions on the perimeter and escalate any exception triggering a group-level risk, as per Group risk management framework
- Design and implement a periodic control plan on the perimeter and report the results and required remediation plans to the proper stakeholders
- Participate in internal and/or external audits and acknowledge the results
- Monitor the implementation and follow-up of corrective action plans following audits or identified non-compliances
- Security Architecture & Design
Ensure that projects are secure by design on his/her Cluster/Country and Business perimeter, according to the Saint-Gobain processes (PSAT, third-party security management, SIP, risk analysis…):
- Perform Business risk analysis, and ensure that appropriate action plans are implemented to mitigate identified risks
- Formally approve and validate the security of Projects in accordance with the Digital Project Portfolio Management and the rules defined by the Saint-Gobain Group
- Ensure that all third parties contributing to a project or activity implement the appropriate set of security measures and security tools, and provide the associated controls
- Make sure that all project activities include control reviews: code audits and penetration tests for web developments, and review of the management of administrator and user rights for any application component
- Operational security
The CISO ensures that all operational security actions are carried out on his/her Cluster/Country and Business perimeter:
- Ensure that security patches are successfully applied in due time and that identified vulnerabilities are handled by strictly applying the instructions contained in security bulletins
- Track vulnerabilities reported/identified by the vulnerability scanner and coordinate remediation plans for these vulnerabilities
- Ensure the proper deployment and maintenance of security tools on all assets within his/her perimeter
- Carry out the qualification and formal approvals of requests submitted for cybersecurity validation (management of authorizations, etc.)
- Launch and coordinate cybersecurity recertification campaigns
- Monitor cybersecurity remediation plans
- Incident Management, Crisis Management
Participate in the handling of security incidents and the management of cybersecurity crises:
- Coordinate and supervise the management of security incidents and contribute to the resolution of major incidents on the perimeter in conjunction with the relevant teams, in collaboration with CyberSOC teams
- Actively communicate about the handling of incidents with all involved stakeholders, from operational teams to management
- Escalate to the Region CISO any incident that is likely to spread to the Group
- Manage post-mortem analysis (in conjunction with CyberSOC for forensic analyses) and design associated action plans
- Contribute to the definition, implementation, test, and update of crisis management organization on the perimeter
- Contribute to the management of cybersecurity crises on the perimeter, in accordance with the crisis organization in place
- Organize local crisis management exercises, and participate in initiatives organized at a more global level
- Business Continuity & Disaster Recovery
Ensure that relevant teams (Business & IT) have formalized plans to ensure continuity of business in case of IT unavailability:
- Contribute to the development of the Business Continuity Plan (BCP) by providing assistance to the Business in the identification of the business impacts of application unavailability and ensuring that the cyberattack scenario is included in the BCP
- Ensure that Business Continuity Tests are carried out
- Contribute to the definition, implementation and testing of the Disaster Recovery Plan (DRP) on the perimeter
- Cyber Communication & Awareness
Ensure that IT and Business teams are aware of security risks and properly trained on cybersecurity best practices:
- Design and implement an awareness strategy (messages, phishing campaigns, etc.) toward all stakeholders of the perimeter, with the support of Central team
- Train and raise the awareness of the various IT teams on the various security processes and guidelines they are involved in
- Communicate any major cybersecurity-related changes in the scope to the impacted Business and IT teams
- Collect and synthesize feedback and expectations from IT teams
- Acquisitions and Divestitures
Ensure that acquisitions and divestitures are secured according to GDI standards:
- Manage all acquisitions and divestitures Cybersecurity topics in the region, following GDI standards and policies
- Follow up on acquisitions and divestitures projects on the perimeter and provide associated KPIs to the central M&A team operating for the Group CISO
- Management
The Country/Cluster CISO is responsible for the management of the Security Officers included in his/her perimeter:
- HR follow-up
- Assistance for budget
- Support in case of escalation, or major incident
Conclusion
The position is a full-time permanent employment based in Bromma with a starting date to be agreed upon.
We review applications on an ongoing basis and the position may be filled before the application deadline. Please submit your application as soon as possible, no later than October 30th.
A drug test and background check may be required prior to employment.
We warmly welcome your application!
Saint-Gobain Distribution Sweden includes the companies Bevego, Dahl, Kakelspecialisten, Konradssons Kakel, and Optimera, as well as several exciting subsidiaries. The companies within Saint-Gobain Distribution Sweden supply all types of building materials to Sweden's skilled professionals in water and sewage, ventilation, tiles, and construction.
Approximately 2,700 industry-experienced employees work within the group. Together, we generate a turnover of around SEK 17 billion and operate 180 stores and locations throughout Sweden.
Saint-Gobain Distribution Sweden is owned by Saint-Gobain, one of the world’s oldest industrial groups, listed on the stock exchange in Paris.