NEOM Green Hydrogen Company Limited (NGHC)
NEOM Green Hydrogen Company (NGHC) is an equal joint venture between Air Products, ACWA Power, and NEOM, responsible for the development of the NEOM Green Hydrogen Project in the autonomous NEOM region within the Kingdom of Saudi Arabia. The Project will see the construction of the world’s largest plant to produce green hydrogen at scale, producing up to 600 tonnes of carbon-free hydrogen per day through the integration of approximately 4 GW of solar and wind energy. The plant will produce green ammonia for export to global markets and is scheduled to be on stream in 2026.
Division: NGHC Leadership Team
Reports To: CEO
Liaise/Co-operate With: IT Director, VP Operations, Leadership Team
No. of Direct Reports: 7 to 10
Location Of Travel: Mainly within Saudi Arabia, GCC, some international travel.
The CISO is responsible for leading cybersecurity work within the organization, establishing the vision and direction for its industrial cybersecurity and related strategies, resources and activities, and advising the leadership on the effective management of the organization’s cyber risks.
The CISO position requires a senior leader with relevant experience in managing critical infrastructure, sound knowledge of business management and a working knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem including Operational Technology Cybersecurity.
NATURE & SCOPE
The CISO reports to the Chief Executive Officer and is part of the NGHC leadership team. The CISO should understand the impact of cybersecurity risks on the business and be able to articulate it to senior stakeholders. He/she will establish a comprehensive cybersecurity framework (people, process, technology) and serve as the process owner of assurance activities related not only to confidentiality, integrity and availability, but also to the safety, privacy and recovery of information owned or processed by the business, in compliance with regulatory requirements.
This position is expected to recruit and lead a cybersecurity department of 7-10 employees and multiple vendors providing technology and support services.
PRINCIPAL DUTIES AND RESPONSIBILITIES
Establish Governance and Build Knowledge:
- Develops and oversees Industrial Cybersecurity program management.
- Facilitates an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
- Provides regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
- Develops, socializes and coordinates approval and implementation of security policies, ensuring awareness and compliance with all stakeholders.
- Works with the vendor management office to ensure that information security requirements are included in contracts by liaising with vendor management and procurement organizations, committing the supply chain to appropriate service level support.
Lead the Organization:
- Leads the information security function across the company to ensure consistent and high-quality information security management in support of the business goals.
- Determines the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas.
- Manages the budget for the information security function, monitoring and reporting discrepancies.
Set the Strategy:
- Develops an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate.
- Develops, implements, and monitors a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/ or processed by the organization.
- Develops and implements the security architecture and processes to protect information and industrial security assets, assuring secure segmentation, monitoring and control of technologies and data.
Develop the Frameworks:
- Develops and enhances an up-to-date information security management framework based on NCA, HCIS, and other relevant frameworks such as International Organization for Standardization (ISO) 2700x, ITIL, ENISA, ISA-62443, COBIT/Risk IT and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Creates and manages a unified and flexible, risk-based control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations.
- Develops and maintains a document framework of continuously up-to-date information security policies, standards and guidelines. Oversees the approval and publication of these information security policies and practices.
Operate the Function:
- Creates a risk-based process for the assessment and mitigation of any information and cyber security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties.
- Works with the compliance staff to ensure that all information owned, collected or controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy.
- Collaborates and liaises with the data privacy officer to ensure that data privacy requirements are included where applicable.
- Defines and facilitates the processes for information and cyber security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.
- Develops, implements, and monitors a strategic, comprehensive enterprise information security and IT and OT risk management program.
- Leads, coordinates, communicates, integrates and is accountable for the overall success of the Company’s Cybersecurity program, ensuring alignment with enterprise priorities as well as shareholder and regulatory requirements and international cybersecurity best practices.
- Defines the Company’s Cybersecurity direction and policy, directs resources, and identifies programs or infrastructure to achieve desired goals. Develops changes in Cybersecurity strategy to support new initiatives or required changes.
- Manages the Cyber governance process: developing, updating, reviewing, and approving Information Security policies, procedures and other documents and communicating them to applicable stakeholders.
- Evaluates the impact of new and changing Legal and Regulatory requirements, identifies any potential gaps within the Cybersecurity function and communicates with the related stakeholders for rectification.
- Assures compliance with Legal and Regulatory requirements such as NCA regulations and ISO 27001, as well as audit observations and shareholder requirements.
- Provides key insights and Risk Analysis on Cybersecurity and Information Security for the Chief Information Officer (CIO) to facilitate Cybersecurity governance-related decision-making and justify needed improvements.
- Ensures that Cybersecurity Risk Assessments are conducted, provides recommendations on Risk Mitigation and Treatment options, and measures the effectiveness of Cybersecurity controls.
- Oversees the Company’s Information Security Management System (ISMS) to ensure that it operates as specified and aims to achieve certifications that validate compliance with industry and national standards.
SKILLS / TECHNICAL KNOWLEDGE AREAS:
- Strong functional and technical knowledge of Cybersecurity, Information Security and IT Infrastructure.
- Good knowledge of overall Cybersecurity, Information Security and IT infrastructure including hardware, applications, networks and IT systems and services.
- Knowledge of relevant cybersecurity aspects of legislative and regulatory requirements, relating to ethics and privacy.
- Good knowledge of IT Business Continuity management.
- Strong problem-solving skills.
- Strong leadership skills.
- Strong interpersonal communication skills.
- Strong command of oral and written English.
- Strong Cybersecurity Risk, Governance and Compliance management.
- Strong Cyber program and project management.
- Strong technical knowledge in Infrastructure Security, Data Security, Identity and Access Management, GRC, Endpoint Protection, Cloud Security, Industrial Control System Security, IT/OT Convergence, IoT Security risk management, and Emerging Technology cybersecurity risk management such as AI, VR, AR, robotics, blockchains, and digital twins.
- Minimum of 15 years in Information Technology and Operational Technology Cybersecurity, particularly in Critical Infrastructure environments, preferably with strong technical knowledge and experience.
- 5 years’ experience in a similar Director-level role.
- MS / BS in Cybersecurity, Information Security, Computer Science or equivalent.
DESIRED EDUCATION and/or QUALIFICATIONS REQUIRED
Professional security management certification is desirable, such as:
Certified Information Systems Security Professional (CISSP), Global Industrial Control Systems Professional (GICSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Cyber Security Incident Response Professional (CSIRP) or other similar credentials.