Purpose of the Role

The IT and Information Security Manager is responsible for building and sustaining a robust technology and cyber risk management capability across PASHA Financial Holding. The role bridges technical cybersecurity expertise and enterprise risk governance, ensuring that IT and information security risks are identified, assessed, and managed in alignment with the Holding's risk appetite and international standards.

Positioned within the Risk Management Department and reporting to the Head of Risk Management, the role plays a central part in embedding cyber resilience into the Holding's broader enterprise risk management framework. It provides advisory support to senior management and drives continuous improvement across security governance, risk oversight, and compliance practices.

Key Responsibilities

Strategy and Framework

• Establish cyber resilience objectives and technology risk management priorities for the Holding.

• Develop, implement, and continuously enhance Information Security, IT Risk, and Cyber Risk management frameworks.

• Ensure alignment of security practices with international standards including ISO 27001, ISO 22301, ISO 27005, and NIST CSF.

• Integrate cyber and IT risk management into enterprise risk management processes.

Risk Assessment and Monitoring

• Develop security requirements and methodologies covering business continuity, critical systems, third-party risks, and penetration testing.

• Contribute to the development, maintenance, and periodic review of the Risk Appetite Statement (RAS) for IT and cyber risk domains.

• Establish cyber risk reporting practices, Key Risk Indicators (KRIs), and technology risk monitoring mechanisms.

Governance and Oversight

• Oversee cybersecurity governance, awareness programs, incident management, data protection, and access control activities across the Holding's group entities.

• Provide cybersecurity governance and risk oversight for AI initiatives, new technologies, and business solutions.

• Lead cybersecurity maturity assessments and continuous improvement initiatives.

Advisory and Stakeholder Engagement

• Provide advisory support to senior management on emerging cyber threats and technology risks.

• Translate complex technical and cybersecurity topics into clear, business-oriented messages for non-technical audiences and decision-makers.

Key Relationships

The role works closely with senior management across the Holding, group entity risk and IT functions, and external advisors and auditors. It partners with the Head of Risk Management and engages regularly with business and technology leaders to embed cyber risk considerations into strategic and operational decision-making.

Requirements

Required:

• Relevant academic qualifications in Informatics, Computer Science, Information Systems, or a related field.

• Experience in IT and/or Information Security roles, preferably within regulated industries.

• Strong understanding of Information Security, IT Risk Management, and Cybersecurity principles.

• Experience in security governance, risk assessment, control frameworks, and compliance management.

• Knowledge and practical experience with cybersecurity standards and industry best practices, including ISO 27001, ISO 22301, ISO 27005, and NIST CSF.

• Familiarity with key technology domains — including operating systems, networking, application security, identity and access management, vulnerability management, and security monitoring — sufficient to provide effective governance oversight and evaluate controls across these areas.

• Strong written and verbal communication skills with the ability to influence stakeholders through risk-based reasoning.

Preferred:

• Professional certification such as CISSP, CISM, CRISC, ISO/IEC 27005 Risk Management, or other relevant IT and security certifications.

• Experience and understanding of banking, insurance, or other highly regulated industries.