TRAFFIC Western Cape

Business Information Security Officer (BISO)

Santam Insurance

Job Description

Santam BITS has a career opportunity for a senior role of Business Information Security Officer (BISO) in the Business Information and Technology Services (Santam Technology Services) department, which will be based in the Western Cape or Gauteng.

KEY RESPONSIBILITIES
  • Establish and manage a Santam Business Unit (SBU) Information Security Programme.
  • Implement cybersecurity awareness campaigns.
  • Participate in Group Information Security Programme (GISP) initiatives.
  • Information Security Governance and Assurance.
  • Document processes and artefacts that prove that the relevant governance and assurance processes were implemented as designed.
  • Information Security Incident Response and Cyber Crisis Management.
  • Application (including cloud), Infrastructure Security, and Cybersecurity Education, Training and Awareness.
  • The BISO will implement processes and controls as agreed with the Group Information Security Officer (GISO), GISP and the Group CIO.
  • The BISO will be responsible for the quality and cost-effectiveness of information security services delivery in the SBU and will report on these metrics to the GISP and GISO.
  • Provide regular feedback to Santam Manco on Group-wide information security issues.
  • The BISO will report to the GISO on new initiatives, plans, and progress, which will be discussed with the Group Information Security Committee.
  • Review and improve existing IT and Information Security risk assessment, reporting and management practices.
  • Update the Santam IT and Information Security Risk register.
  • Document a security risk management action plan, including priorities, ownership, and timelines.
  • Priorities will be aligned to Santam and GISP priorities. The BISO must have an action plan to implement these initiatives in Santam.
  • Maintain up-to-date Santam cloud technology outsourcing and third-party register (where applicable).
  • Review and respond to PSPG and risk acceptance requests within the agreed time.
  • Communicate clearly and timely with management and users regarding planned group awareness campaigns.
  • Identify risk-related awareness or training needs and implement targeted interventions.
  • Align with the Group's annual security education, training and awareness plan.
  • Document the logical access review schedule for Line of Business Applications, review results, facilitate resolution, and report progress.
  • Review and respond to all security-related audit findings.
  • Report all cybersecurity incidents (including privacy-related incidents) to the Sanlam Group Technology (SGT) CSIRT when the compromise occurred through technology.
  • Be a primary contact for cybersecurity incidents identified by the SGT CSIRT.
  • Ensure appropriate actions are taken when policy breaches are identified in the SBU.
  • Facilitate engagement and communication with key stakeholders in Santam during a major incident.
  • Produce Quarterly Group ISO Forum and GISP reports.
  • Ensure security gates are a formal part of the SDLC/Agile/relevant solution development methodology.
  • Interventions and role-players must be clearly specified.
  • Active participation in Sanlam-sanctioned industry bodies (e.g. ISF Live, ISACA, FS-ISAC).
  • Timely escalation of new, high or escalating cybersecurity risks.
  • Engage with application owners and the Group Cyber Security Centre (GCSC) Operations Team to address system vulnerabilities identified during penetration tests, Red Team exercises, or vulnerability scans.
  • Keep the Group CIO informed of risks and actions required.
  • Facilitate workshops and risk documentation during Control Self Assessments or Crown Jewel Risk Assessment processes.
  • Find root causes and implement permanent or long-term fixes for cyber-related incidents.
  • Strong understanding of integration between Workstations and Network/Servers.
  • Installations and monitoring of devices using automated tools (e.g. SCCM) and scripting.
  • Maintain a configuration register of assets and licenses.
QUALIFICATIONS AND EXPERIENCE
  • Bachelor's Degree or Diploma in Computer Science, Information Systems or related field, or equivalent work experience.
  • Minimum 7 years of relevant experience.
  • Cyber and information security certifications (such as CISM, CISSP, CCSP, CISA, ISO 27000 Lead Implementer/Auditor) are in force. If not possessed, evidence of pursuing them is required.
COMPETENCIES
  • High Stress Tolerance.
  • Building and maintaining relationships.
  • Teamwork and ability to function independently.
  • Facilitation Skills.
  • Planning and organising.
  • Interpersonal savvy.
Our commitment to transformation

Santam is the market leader in the general insurance industry in Southern Africa. As a large, diversified, and expanding company, we are committed to transformation and growth. While our headquarters are in South Africa, we are rapidly extending our presence into emerging markets across Africa and Asia.

With a client base of over 1 million policyholders, Santam serves individuals, commercial enterprises, specialist business owners, and institutions, including 80 of the Top 100 companies listed on the JSE. Our commitment to Insurance, Good and Proper goes beyond just providing cover: we offer peace of mind, ensuring our clients can focus on living in the moment, not worrying about the unexpected. Because at Santam, we believe the freedom to seize every day is worth protecting.

People drive our business, and we are committed to attracting the best talent, whether for permanent roles or short-term opportunities.

Santam is committed to diversity, inclusion, and belonging. As an equal opportunity employer, we encourage applications from candidates of all backgrounds, including persons with disabilities. We are dedicated to neuro-inclusivity and fostering a workplace where everyone can thrive.

Take the next step in your career: apply now and be part of a company that's shaping the future of insurance. This is Freedom!

Our recruitment process

Onboarding

You made it. Here we ensure we receive all your documents to get you onto our payroll system.

About This Role

Career insights for Information Security Engineers positions

Salary Benchmark
$104,920/year
Source: O*NET (USD)
Job Outlook
This career will grow rapidly in the next few years and is a new and emerging career.
Common Technologies
iOS 17, GNU Bash, Windows Server 2022, Confluence Cloud, SharePoint Online, Microsoft Teams, Go, Microsoft Azure

Job Overview

Date Posted
30 Mar 2026
Location
Western Cape, South Africa


This page incorporates data from O*NET OnLine, courtesy of the U.S. Department of Labor, Employment and Training Administration (USDOL/ETA), under the CC BY 4.0 license. O*NET is a registered trademark of USDOL/ETA. Assessify has adapted and modified the original content. Please note that USDOL/ETA has neither reviewed nor endorsed these changes.