ING

Lead Foundational Technology & Cybersecurity Risk

CDR (Amsterdam - Cedar) Full time

Team Description

The team, with two CoEs for Cybersecurity & Foundational Technology Risk, is part of the Non-Financial Risk (NFR) domain. The team focuses on identifying, managing, measuring, and mitigating technology-related risks across the organization.

The focus is specifically on the IT processes “Program and Service Governance”, “Design and Configuration Management”, “Identity and Access Management”, “IT Change Management”, “IT Resilience”, “Security Detection and Response”, “Vulnerability Management” and “Data Center Management and Networks” across the full stack of relevant technologies, including IT Infrastructure, Cloud Technologies, Databases and Operating Systems, and IT4IT. This expertise is matched with a deep understanding of cyber risks, common and emerging attack vectors, and measures to counter them.

The CoE sets frameworks, policies, and procedures, and provides oversight and challenge to the first line of defense, supporting ING’s global risk management objectives.

Specific Function

The Lead Foundational Technology & Cybersecurity Risk is responsible for directing specialized teams that focus on both cybersecurity risk and foundational technology risk. This role involves establishing and maintaining comprehensive risk frameworks, policies, and procedures tailored to these domains. The Lead Foundational Technology & Cybersecurity Risk provides ongoing monitoring and oversight of business lines and entities to ensure effective risk management practices are in place. A key part of the position is to identify and address emerging risks in both cybersecurity and foundational technology areas. Additionally, both CoEs contribute to quarterly Non-Financial Risk Domain (NFRD) messaging, support in-depth reviews and assessments of the bank’s ability to withstand future events, and rigorously challenge the first line of defense regarding metrics, thresholds, and limits that inform the bank’s Risk Appetite Statements.

Job Description

As the Lead Foundational Technology & Cybersecurity Risk, you will guide teams focused on both technology and cybersecurity risk, establishing and maintaining frameworks, policies, and procedures to manage these areas effectively. Your responsibilities include overseeing risk identification and mitigation for cybersecurity, IT resilience, infrastructure, cloud, and platform security, as well as representing the Non-Financial Risk function in governance forums and senior stakeholder meetings. You will drive improvements to risk management practices, support and challenge the business on risk appetite and controls, and promote a culture of proactive risk management. The role also involves engaging regularly with both internal and external stakeholders, including regulators and senior leaders, to ensure robust oversight and compliance.

Specific Tasks and Responsibilities

  • Lead the development and maintenance of IT risk-related frameworks, policies, procedures, and templates.

  • Represent NFR in governance forums and senior stakeholder discussions.

  • Oversee the identification, registration, and reporting of all material operational risks.

  • Support and conduct thematic deep-dives and reviews.

  • Identify and assess emerging risks, and recommend mitigating actions.

  • Support policy implementation and ensure embeddedness across the organization.

  • Challenge the first line of defense on risk metrics and thresholds.

  • Manage direct reports (up to 10 FTEs) and foster team development.

  • Steer FTEs from ING’s hubs that extend the capacity of the local team.

  • Liaise with internal stakeholders (MT CTO, country Heads of IT, local Heads of IRM, MT NFR) and external stakeholders (ECB, DNB, ORX, other regulators).

Specific Knowledge and Experience

  • Master’s degree in Computer Science, Mathematics, Engineering, or equivalent.

  • Minimum of 10 years’ leadership experience, preferably in technology functions (1LoD) and ideally IT Risk Management (CISO or IRM functions).

  • Strong expertise in data centers, infrastructure, cloud, platform, and business applications.

  • Deep knowledge of risk types: Cybercrime (Resilience), IT Resilience, Foundation, Identity and Access Management, IT Change Management, Platform Security, Security Monitoring.

  • Solid understanding of non-financial risk management and relevant regulations (e.g., DORA, EBA, MaRisk).

  • Experience managing cross-country teams.

  • Strong analytical, problem-solving, and delivery skills.

  • Excellent communication and stakeholder management skills.

  • Ability to lead through change and ambiguity.

  • Cultural sensitivity and ability to work across geographies.

Required Soft Skills

  • Change leadership and adaptability: Demonstrates the ability to lead through change and uncertainty, quickly adjusting to shifts in the external risk environment—whether driven by regulatory developments, societal trends, or emerging risk types. Able to guide teams through transformation and maintain focus in a continuously evolving landscape. 

  • Risk-based decision-making and focus: Applies a risk-based mindset to prioritize what truly matters, makes courageous decisions in complex situations, and maintains focus on areas with the greatest impact for the organization.

  • Hands-on approach: Willingness to actively engage in operational details and lead by example, ensuring practical solutions are implemented effectively.

  • Positive mindset and can-do mentality: Demonstrates optimism and resilience, inspiring the team to overcome challenges and pursue continuous improvement.

  • Cooperative yet able to be strict: Balances collaboration with the ability to enforce standards and make tough decisions when necessary.

  • Consistency: Maintains a reliable and steady approach in decision-making, communication, and execution of responsibilities.

  • Strong collaboration skills: Excels at building relationships across teams, departments, and geographies to achieve shared goals.

  • Constructive influence: Encourages open dialogue, provides clear direction, and fosters a culture of accountability and trust.

Reporting Line and Classification

The Lead Foundational Technology & Cybersecurity Risk reports hierarchically to the Global Head of IT Risk Management located in Amsterdam.

This position is classified as: GJA Head of NFR I | JG 21 – Job Title: Lead Foundational Technology & Cybersecurity Risk | Job Family Group: Non-Financial Risk | Job Family: Non-Financial Risk