Cybersecurity Audit & Risk Lead at NCBA Group

Expired
Job Overview
Employment Full-time
Location Nairobi, Kenya
Experience At least 5-7 years
Education Level Bachelor's/Master's Degree

Job Purpose Statement

The Cybersecurity Audit & Risk Lead is a senior position responsible for acting as the main liaison between the Bank and Internal/External Audit, IT Risk, and regulatory bodies on cyber and IT matters. This role oversees the entire audit and assurance process, from scoping and information gathering to closure. Key duties include managing the IT Risk and Control Self-Assessment (RCSA), maintaining a robust Cyber/IT Risk Register with Key Risk Indicators (KRIs), and tracking audit and compliance issues through to remediation. The role also involves providing timely management responses and evidence within the GRC platform, as well as in audit and risk reports and board papers. The position conducts third-party security risk assessments during onboarding and annual reviews and is a permanent member of the DRMC. The role ensures the Bank’s cyber control environment is effective, audit-ready, and aligned with ISO, NIST, CBK requirements, and internal policies.

Key Accountabilities (Duties and Responsibilities)

Audit & Risk Liaison (25%)

  • Serve as the primary contact for internal, external, and regulatory IT & Cyber audits.
  • Act as the main liaison for all IT risk engagements.
  • Collaborate with the Cyber Assurance team to manage reports and trackers for all red/purple team engagements.
  • Coordinate walkthroughs, evidence packs, and management responses, ensuring all submissions are made on time.
  • Provide clear, timely management responses and evidence within the GRC platform and in audit/risk reports and board papers.
  • Maintain the IT Audit Issue Tracker.
  • Produce a monthly Assurance Dashboard highlighting open/overdue items, repeat findings, and root causes.

Overall Risk Assessments & Advisory (25%)

  • Conduct comprehensive risk assessments within the IT and cybersecurity environment.
  • Develop and implement risk mitigation plans with relevant stakeholders.
  • Perform threat modeling (e.g., STRIDE) and recommend control designs and compensating measures.
  • Monitor and track key risk indicators (KRIs) and key performance indicators (KPIs) related to IT risk.

IT RCSA & Risk Register Ownership (20%)

  • Lead the IT & Cyber RCSA cycle, including planning, scoping, control testing, and residual rating.
  • Maintain the Cyber/IT Risk Register in the GRC tool, ensuring clear risk statements, causes, impacts, KRIs, treatment plans, and target dates.
  • Facilitate the risk acceptance process, ensure approvals within delegation, and report exceptions and trend analysis to management.
  • Work closely with the Cybersecurity Assurance team to integrate issues identified during penetration testing and technical assessments into the RCSA, ensuring accurate risk representation and timely remediation.

IT Third-Party Security & Compliance (15%)

  • Conduct Third-Party Risk Assessments (TPRA), including risk scoping, due diligence, attestation, evidence review, issue logging, and onboarding recommendations.
  • Monitor critical vendors’ SLAs, incident notifications, RTO/RPO commitments, and right-to-audit clauses; schedule annual reassessments and witness tests as needed.

DRMC Cybersecurity Champion (5%)

  • Support the Head of Information Security in preparing for DRMC meetings by ensuring management comments and actions are current and of high quality.
  • Serve as a permanent member of all DRMC meetings.
  • Ensure critical items are escalated and integrate DRMC actions into the GRC workflow.

Reporting, Analytics & Continuous Improvement (10%)

  • Maintain metrics such as RCSA completion rate, control effectiveness, audit closure rate, TPRA coverage, and KRIs (e.g., overdue high risks, control test pass rate).
  • Drive root-cause analysis of repeat findings, document lessons learned, and propose control or process improvements.

Job Specifications

  • Bachelor’s degree in Information Security, Computer Science, Risk Management, or related field (Master’s preferred)
  • At least two of the following certifications: CISSP, CRISC, CISA, ISO 27001 Lead Implementer/Auditor, CGEIT/COBIT, PCI ISA, ISO 31000, CompTIA Security+
  • Minimum 5–7 years of experience in IT audit, IT risk management, or related field; hands-on with GRC tools, familiarity with cloud infrastructure, running RCSAs, and audit remediation. Financial services experience preferred. Technical background is an advantage.
  • Experience engaging with C-suite is an added advantage

Technical Competencies

  • Strong knowledge of ISO 27001/27701, ISO 22301, ISO 27005/31000, NIST CSF/800-53/800-30, PCI DSS, privacy/DPA, CBK guidelines, and cloud/service models
  • Strong grasp of risk management, compliance obligations, and ITIL practices
  • Familiarity with GRC platforms and data analytics/reporting tools
  • Strategic thinking, financial acumen, stakeholder influence, program management, and excellent communication skills

Behavioural Competencies

  • High ethical standards and objective judgment
  • Excellent communication and stakeholder management skills
  • Attention to detail and ability to manage multiple priorities
  • Analytical and problem-solving mindset with a pragmatic, solutions-oriented approach
  • Highly organized, diplomatic, and able to ensure follow-through on commitments and remediation activities
  • Aligns governance with business value and technology trends
  • Builds consensus across diverse stakeholder groups
  • Uses data-driven insights for decision-making and continuous improvement
  • Champions a culture of compliance and innovation
