Information Security Manager

My Clinic

Job Summary

Primary Responsibilitie

• Governance and Policy Development: Develop, implement, and maintain comprehensive information security and data protection policies, procedures, and guidelines to ensure alignment with industry standards (e.g., CIS, NIST, NCA) and regulatory requirements, including KSA’s Personal Data Protection Law (PDPL).
• Risk Management: Lead enterprise-wide risk assessments to identify, analyze, and prioritize cybersecurity and data protection risks. Develop and maintain a risk register, implement risk mitigation strategies, and monitor risk treatment plans to safeguard sensitive data and critical systems.
• Security Operations Center (SOC) Oversight: Oversee the outsourced SOC operations from My Clinic’s perspective, ensuring the third-party SOC provider effectively monitors, detects, and responds to cybersecurity threats. Review and enforce key performance indicators (KPIs) for the SOC, evaluate incident handling processes, and collaborate with the provider to align SOC activities with My Clinic’s security objectives and compliance requirements.
• Compliance Oversight: Ensure organizational compliance with relevant cybersecurity frameworks (CIS, NIST, NCA) and data protection regulations, including PDPL. Conduct regular compliance reviews to align with the requirements of regulatory bodies such as the Saudi Data and Artificial Intelligence Authority (SDAIA) and National Cybersecurity Authority (NCA) when necessary.
• Data Protection Impact Assessments (DPIAs): Perform DPIAs to evaluate and mitigate risks associated with processing personal and sensitive data, ensuring adherence to data protection principles and regulatory obligations.
• Incident Response and Management: Oversee the development and execution of incident response plans for cybersecurity and data breach incidents. Ensure timely investigation, mitigation, and reporting to relevant authorities within regulatory timeframes, incorporating lessons learned into risk management processes and coordinating with the outsourced SOC provider.
• Training and Awareness Programs: Design and deliver organization-wide training and awareness programs to foster a culture of cybersecurity, risk management, and data protection compliance among employees and stakeholders.
• Third-Party Risk Management: Evaluate and monitor contracts with third-party vendors, data processors, and partners, including the outsourced providers, to ensure compliance with cybersecurity and data protection requirements, including PDPL and other relevant standards.
• Auditing and Monitoring: Conduct regular audits of cybersecurity practices, data processing activities, and GRC controls to ensure ongoing compliance with internal policies and external regulations. Provide actionable recommendations to address identified gaps.
• Advisory and Collaboration: Serve as a focal point for IT and business senior management, the risk committee, and IT leadership on cybersecurity risks, data protection strategies, and GRC initiatives. Maintain and update the risk register, providing regular reports on risk status, mitigation progress, and emerging threats to the relevant risk committee and IT leadership to support informed decision-making.
• Overall IT Security Operations Handling and Execution: Oversee and coordinate the execution of IT security operations, working closely with IT and business senior management to ensure robust protection of My Clinic’s assets through proactive monitoring, threat detection, and response strategies. Integrate operational insights into risk management and security frameworks to enhance organizational resilience.
• Team Leadership and Development: Lead and mentor the internal information security team, fostering professional growth and ensuring effective execution of security and risk management responsibilities while coordinating with the outsourced SOC team.

Education / Professional Qualifications

Education

Experience

Knowledge

Technical Skills

Professional Certifications