Cybersecurity Risk and Compliance Manager

Great Opportunities. Great People.

One Company, Infinite Possibilities.

**COVID-19 Information**:
ATCO is committed to providing and maintaining a safe environment for our employees, contractors, partners, and customers. As part of this unwavering commitment to safety, all ATCO employees and contractors are required to be fully vaccinated.
- Always there. Anywhere. _That’s ATCO We are committed to delivering inspired solutions for a better world. We care about our communities, we care about each other, and we care about showing up for those who need us. We value and encourage different perspectives and we have the courage to do the right thing, even when it’s hard.

**DESCRIPTION**:
Cybersecurity is misleading in that we will never get to “secure”, just degrees of more or less secure. There is some amount of risk involved in every business activity. Successful companies are the ones that effectively manage risk while exploiting opportunities.

This role isn’t one of “pushing paper and checking boxes.” ATCO is a global organization. Our companies operate in many different industries and countries, with different regulatory regimes and threat profiles. We require a Cybersecurity Risk Manager with a creative mind for cyber risk measurement and management. You will need to understand all of this complexity, be able to distill it down to easily consumed risk metrics, and communicate the important details to the business leaders who need the information to operate their businesses safely. The secret sauce will be your ability to translate this data into actionable information to empower the business leaders to make fully informed decisions.

The scope of this role includes Information Security across all ATCO companies and geographies, Information Technology (IT) and Operational Technology (OT) environments.

**This opportunity is available in Calgary or Edmonton, Alberta.**

**WHAT YOU GET TO DO**:
**Risk Management**
- Process Owner of the Cybersecurity Risk Assessment Methodology
- Oversee implementation of risk assessment practices across internal and vendor teams
- Define metrics to measure effectiveness of and compliance with the process
- Training and support materials for the teams executing the risk assessments
- Service Owner of the ATCO Technology and Cybersecurity Risk Register
- Ensure risk register is accurate and up to date
- Validate the IT risk posture through interviews with IT leaders and executives quarterly
- Establish processes to follow up with risk owners to measure mitigation and remediation efforts
- Coordinate cybersecurity risks with Enterprise and business unit risk teams
- Risk Communications
- Quarterly reports for IT executives on the status of risk mitigation activities.
- Ad hoc creation and delivery of risk related presentations as required
- Trends in overall cybersecurity risk direction
- Provide direction and guidance in the development, implementation, and communication of risk-related policies and standards.
- Provide cybersecurity risk-related guidance to employees, colleagues, and/or customers.

**Compliance**
- Develop a cybersecurity compliance reporting program spanning the various internal business units and ATCO partnership businesses
- Develop and implement a strategy to assess and report on supply chain compliance and risks
- Evaluate compliance artifacts presented by ATCO’s technology service providers for conformity to ATCO’s cybersecurity standards and their contractual obligations

**Internal Audit Liaison**
- Act as the contact point for all IT-focused Internal Audit inquiries and initiatives
- Assist and advise on Internal Audit activities supporting ATCO’s external Audit partners.
- Ensure that changes in internal and external Audit standards and applicable regulations are reflected in CISO compliance artifacts and standards

**WHO YOU ARE**:

- Bachelor degree is required, with a preference given to a focus on IT or IT-risk-related disciplines (for example, Cybersecurity, privacy, business continuity management and compliance).
- Business degree is an asset
- A minimum of one of the certifications identified below are required:

- CISSP (Certified Information Systems Security Professional by ISC2)
- CISM (Certified Information Security Manager by ISACA)
- CISA (Certified Information Security Auditor by ISACA)
- CRISC (Certified in Risk and Information Systems Control by ISACA)
- CEH (Certified Ethical Hacker by EC-Council)
- SABSA-SCF ( Sherwood Applied Business Security Architecture)
- Minimum 5 years of direct Cybersecurity Risk Management experience; ideally with 10 years of experience in Information/Cyber Security, Technology Management, Risk Management or Technology Audits
- Lifelong love of learning and exploring
- A passion for change, and empathy for the impacts of change
- Ability to articulate the business benefits of risk management
- Experience in leading cross-functional initiatives
- Experience supporting Auditors and tr