Protect the enterprise against potential cyber-attacks. Play a key leadership role in all Cyber Security Incident Response Team (CSIRT) activities, responding to potential security incidents and proactively implementing detection/avoidance mechanisms. Be involved in all aspects of the design, build and operation of cybersecurity for adidas globally. This will require working with various internal stakeholders to develop and deliver a continuous cybersecurity protection program. In addition, the Director of Cyber Security Incident Response will work closely with other internal stakeholders, such as the CISO, CIO, IT Risk, Internal Audit and Business Units to establish a full Incident Response capability. While the core responsibility of this role will be to lead Cyber Security Incident Response globally, it is anticipated that the role will evolve as the capability is further matured.
Director Cyber Security Incident Response at adidas is responsible to implement global cyber threat response capabilities across the adidas Group, which includes Security Incident Handling, Security Threat Intelligence, corporate investigation's and forensics support.
This role requires hiring, training and managing of security professionals and project managers split up in teams globally, focusing on:
- Avoid Cyber-attacks against the enterprise (prevent, detect, respond).
- Provide Cyber Threat Intelligence to identify, analyses, track and report external threats
- Build and maintain a strong exchange network and strategic partnership with other industry security teams, security companies and academic institutions
- Provide situational awareness and rapid response for potential cyber threats
- Working with the adidas Crisis Management and IT-Risk Management to ensure all processes are defined and setup as required
- Contribute to the adidas cyber risk strategy, governance structure and operating model, working closely with our IT Risk team and Internal Audit, as well as various other stakeholders to define and agree detailed roles and responsibilities
- Work closely with and report to Senior Director Information Security to formally define cyber risk appetite and contribute to the implementation of a cyber risk management process based on threat modelling and clear risk prioritization mechanisms
- Assess, design and enhance/build cyber threat management capabilities across cyber threat intelligence, security monitoring and incident/crisis management – once fully established, lead ongoing activities
- Understands and complies with relevant organizational policies and procedures, taking responsibility for assessing and managing risks around the use of information.
- Ensures that information is presented effectively.
- Ensures that effective controls are in place for internal delegation, audit and control and that the board receives timely reports and advice that will inform their decisions.
- Communicates information security risks and issues to business managers and others.
- Performs basic risk assessments for small information systems.
- Contributes to vulnerability assessments.
- Applies and maintains specific security controls as required by organisational policy and local risk assessments.
- Takes action to respond to security breaches in line with security policy and records the incidents and action taken.
- Interprets information assurance and security policies and applies these in order to manage risks.
- Provides advice and guidance to ensure adoption of and adherence to information assurance architectures, strategies, policies, standards and guidelines.
- Uses testing to support information assurance.
- Contributes to the development of policies, standards and guidelines.
- Takes responsibility for understanding client requirements, collecting data, delivering analysis and problem resolution.
- Identifies, evaluates and recommends options, implementing if required.
- Collaborates with, and facilitates stakeholder groups, as part of formal or informal consultancy agreements.
- Seeks to fully address client needs, enhancing the capabilities and effectiveness of client personnel, by ensuring that proposed solutions are properly understood and appropriately exploited.
- Contributes to research goals and builds on and refines appropriate outline ideas for the evaluation, development, demonstration and implementation of research.
- Reports on work carried out and may contribute significant sections of material of publication quality.
- Contributes to research plans and identifies appropriate opportunities for publication and dissemination of research findings.
Business process improvements
- Analyses business processes; identifies alternative solutions, assesses feasibility, and recommends new approaches.
- Contributes to evaluating the factors which must be addressed in the change programme.
- Helps establish requirements for the implementation of changes in the business process.
Requirements definition and management
- Facilitates scoping and business priority-setting for change initiatives of medium size and complexity.
- Contributes to selection of the most appropriate means of representing business requirements in the context of a specific change initiative, ensuring traceability back to source.
- Discovers and analyses requirements for fitness for purpose as well as adherence to business objectives and consistency, challenging positively as appropriate.
- Obtains formal agreement by stakeholders and recipients to scope and requirements and establishes a base-line on which delivery of a solution can commence.
- Manages requests for and the application of changes to base-lined requirements. Identifies the impact on business requirements of interim (e.g. migration) scenarios as well as the required end position.
Business process testing
- Designs and manages tests of new/updated processes.
- Specifies test environment for whole life-cycle testing (e.g. using model office concept).
- Manages selection/creation of relevant scenarios for testing and ensures that tests reflect realistic operational business conditions.
- Ensure tests and results are documented, reported to stakeholders and are available for specification of user instructions.
- Highlights issues and risks identified during testing to business stakeholders.
- Provides specialist guidance and advice to less experienced colleagues and users to ensure that test are conducted in an appropriate manner.
- Monitors the application and compliance of security administration procedures and reviews information systems for actual or potential breaches in security.
- Ensures that all identified breaches in security are promptly and thoroughly investigated and that any system changes required to maintain security are implemented.
- Ensures that security records are accurate and complete and that request for support are dealt with according to set standards and procedures.
- Contributes to the creation and maintenance of policy, standards, procedures and documentation for security.
- Coordinates and manages planning of penetration tests, within a defined area of business activity.
- Delivers objective insights into the existence of vulnerabilities, the effectiveness of defences and mitigating controls - both those already in place and those planned for future implementation.
- Takes responsibility for integrity of testing activities and coordinates the execution of these activities.
- Provides authoritative advice and guidance on the planning and execution of vulnerability tests.
- Defines and communicates the test strategy.
- Manages all test processes, and contributes to corporate security testing standards.
- Ensures that appropriate action is taken to anticipate, investigate and resolve problems in systems and services.
- Ensures that such problems are fully documented within the relevant reporting system(s).
- Enables development of problem solutions.
- Coordinates the implementation of agreed remedies and preventative measures.
- Analyses patterns and trends.
- Ensures that incidents are handled according to agreed procedures.
- Investigates escalated incidents to responsible service owners and seeks resolution.
- Facilitates recovery, following resolution of incidents.
- Ensures that resolved incidents are properly documented and closed.
- Analyses causes of incidents, and informs service owners in order to minimise probability of recurrence, and contribute to service improvement.
- Analyses metrics and reports on performance of incident management process.
- Conducts investigations to correctly gather, analyse and present digital evidence to both business and legal audiences.
- Collates conclusions and recommendations and presents forensics findings to stakeholders.
- Contributes to the development of policies, standards and guidelines.
- Identifies the communications needs of each stakeholder group in conjunction with business owners and subject matter experts.
- Translates communications / stakeholder engagement strategies into specific tasks.
- Facilitates open communication and discussion between stakeholders, acting as a single point of contact by developing, maintaining and working to stakeholder engagement strategies and plans. (For example, may oversee the organisation's promotional/selling activities to one or more clients, to ensure that such activities are aligned with corporate marketing objectives).
- Negotiates with stakeholders at senior levels, ensuring that organisational policy and strategies are adhered to.
- Provides informed feedback to assess and promote understanding.
- Build the appropriate structure to be able to manage the respective organization effectively, identify and develop the future talents and create realistic succession scenarios for key positions
- Ensure appropriate leadership skills are present at every level by creating a motivational and supportive work environment in which employees are coached, trained and provided with career opportunities through development
- Allocate the different projects/programs and work streams to the respective teams and employees considering experience, project complexity, workload and organizational efficiency
- Global IT
- IT Senior Management Team (SVP/VP)
- Respective business function (GOPS, Finance, HR, Brand Marketing, Wholesale/Retail)
- Business and IT program and project managers
- HR Management
- Legal and Compliance
- Data Protection
Knowledge, Skills and Abilities
- Proven track record in building and leading diverse global teams, as well as excellent communication skills (communicating and reporting complex technical concepts to business and risk stakeholders)
- Experience dealing directly with senior stakeholders (C-Suite, Board and Regulators), as well as a broad knowledge of financial services and cybersecurity-related regulations
- Deep technical expertise in cyber threat management (cyber threat intelligence and incident/crisis management)
- Strong understanding of enterprise-level information systems and technology architectures, expertise in network security, cryptography, virtualization, cloud security concerns.
- A solid understanding of ISO2700X, PCI-DSS, ITIL is a must.
- Selecting and working closely with external cybersecurity partners as is required to supplement/complement adidas internal capabilities as well as the identification and selection of supporting security technologies
- Pro-active (engaging & impact-oriented) mindset, ability to think end-to-end.
- Business- and solution-oriented, global mindset of strategic orientation, with ability to act tactically as required.
- Ability to be self-directed, must be able to deliver well under pressure.
- Strong leadership skill, ability to motivate teams.
- Ability to cope with change, make decisions and act comfortably with risk and uncertainty.
- Ability to travel, domestic or international, as required.
- Four-year college or university degree with focus on Business Administration or IT or related areas, or equivalent combination of education and experience
- Preferred industry qualifications (e.g. CISSP, CISM, CISA, etc.) which are directly related to cybersecurity
- 10+ years of progressive work experience with a minimum of 10 years direct cybersecurity experience is required.
- 3-5 years of experience in managing a team