Head of Information Security

Basel

In this role, you hold overall responsibility for information security across the organization. You continuously develop the information‑security strategy, the Information Security Management System (ISMS), and the internal control system (ICS).

You lead IT risk management, ensure the effective implementation of policies, standards, and processes, and act as the central authority for audits, assurance, and regulatory security topics. You represent the organization with confidence in customer interactions, RfPs, and audits, and report in a stakeholder‑appropriate manner to senior management.


Key Responsibilities

Information Security Strategy & Governance

  • Define information‑security requirements and develop, maintain, and update security strategies, policies, and concepts
  • Continuously evolve the ISMS in line with business needs and regulatory requirements
  • Maintain and enhance information‑security governance structures across the organization
  • Ensure alignment with group‑level security principles and reporting structures

Risk Management & Internal Control System (ICS)

  • Lead IT and information‑security risk management activities
  • Develop, operate, and continuously improve the internal control system (ICS) for information security
  • Carry out security controls within your area of responsibility and derive improvement measures
  • Define security metrics and provide regular, structured reporting on the organization’s security posture

Audit, Assurance & Compliance

  • Take full ownership of audit and assurance topics, with a strong focus on ISAE 3402
  • Ensure high quality, completeness, and traceability of evidence management and proof‑of‑compliance activities
  • Coordinate and support internal and external audits on information‑security topics
  • Ensure compliance with applicable regulatory frameworks and legal requirements (e.g. FINMA Circular 2023/1)

Security Operations & Architecture

  • Steer security operations and security testing activities
  • Accompany and advise on security‑related architecture, transformation, and digitalization projects
  • Support the handling of information‑security incidents and related data‑protection breaches
  • Ensure pragmatic, risk‑based security solutions that support business continuity

Stakeholder & Vendor Management

  • Act as the central contact person for customers, RfPs, audits, and security inquiries
  • Advise the Head of IT and IT teams on the implementation and execution of security processes
  • Counsel and support responsible parties in fulfilling their information‑security obligations
  • Own vendor and third‑party security management

Training, Awareness & Group Collaboration

  • Plan and conduct training sessions to raise information‑security awareness among employees
  • Support continuous improvement of security culture across the organization
  • Actively contribute to selected initiatives and projects within the CISO Office of Swiss Life Switzerland

Requirements & Profile

Must-Have Qualifications

  • Higher professional education (HF, FH, or university degree), preferably in:
    • Computer Science
    • Business Informatics
    • or a comparable field
  • Several years of professional experience (minimum 3 years) in:
    • A comparable information‑security role in a regulated environment, or
    • Information‑security consulting
  • In‑depth knowledge of common information‑security standards and frameworks, such as:
    • ISO 2700x series
    • BSI IT‑Grundschutz
    • NIST
  • Strong understanding of applicable regulatory and legal requirements, including FINMA Circular 2023/1
  • Clear, audience‑appropriate communication skills and a high level of personal responsibility
  • Structured, analytical decision‑making and strong time‑management skills
  • Pragmatic, solution‑oriented mindset
  • Excellent German language skills (ideally native speaker) and good English skills

Nice-to-Have

  • Advanced certifications in information security, such as:
    • CISSP
    • CISM
    • CISA
    • MAS in Information Security or Risk Management
  • Experience working in complex, group‑wide governance structures
  • Exposure to financial services or highly regulated industries beyond banking

Personality & Mindset

  • Highly responsible and reliable with a strong sense of ownership
  • Structured, analytical, and risk‑aware
  • Confident communicator across technical, business, and executive audiences
  • Pragmatic problem solver with a continuous‑improvement mindset
  • Collaborative and comfortable working across organizational boundaries

What We Offer

  • A key leadership role with end‑to‑end ownership of information security
  • High visibility within senior management and group‑level security functions
  • Influence on strategy, architecture, and regulatory positioning
  • Opportunities to shape security culture and governance in a regulated environment
  • Long‑term development opportunities within a stable and reputable organization
