Cybersecurity Lead at FIRST E&P Limited

Description

• The Cybersecurity Lead is responsible for safeguarding the organization’s information assets, operational technology interfaces, digital platforms, and data by leading the enterprise cybersecurity and information security function.
• Reporting directly to the Chief Technology Officer (CTO), the role provides independent oversight of cybersecurity risk, governance, and compliance while supporting safe, reliable, and efficient business and operational outcomes. 
• The role operates within a lean technology organization and works closely with Technology Operations, Digital & Technology Innovation, and Technical Project Management teams to embed cybersecurity controls into day‑to‑day operations and project delivery.  

Key Accountabilities
Cybersecurity Strategy & Governance:

• Define the organization information and cybersecurity strategy together with the Digital and Technology innovation team. And execute the strategy in alignment with operational reliability, safety, and business objectives. 
• Establish and maintain cybersecurity policies, standards, and procedures aligned with global best practices and regulatory expectations. 
• Ensure security considerations are integrated into infrastructure, cloud, business applications, and digital transformation initiatives. 

Cyber Risk Management & IT GRC:

• Lead enterprise cybersecurity risk management activities, including identification, assessment, mitigation, and reporting of cyber risks. 
• Maintain the cybersecurity and IT risk register and support integration with broader enterprise risk management processes. 
• Ensure compliance with applicable regulatory requirements, contractual obligations, and data protection standards relevant to the oil and gas operating environment. 
• Coordinate and support internal and external audits, risk assessments, and assurance activities. 

Security Operations & Incident Response:

• Provide oversight and service assurance for outsourced Security Operations Centre (SOC) services. 
• Lead and coordinate cybersecurity incident response activities, including investigation, containment, remediation, and post‑incident reviews. 
• Ensure incident response plans, escalation procedures, and communication protocols are defined, tested, and operationally practical. 

Threat Intelligence, Vulnerability & Assurance:

• Oversee vulnerability management and penetration testing programs delivered by third‑party providers. 
• Work with Technology Operations teams to ensure timely remediation of identified vulnerabilities, prioritised based on operational and business risk.
• Monitor emerging cyber threats and industry‑relevant attack patterns and translate insights into practical control improvements. 

Identity, Access & Architecture Security:

• Oversee Identity and Access Management (IAM) controls, including privileged access management and user lifecycle processes. 
• Promote least‑privilege access, segregation of duties, and zero‑trust principles across enterprise IT and digital platforms. 
• Provide security input into system architecture, solution designs, and technology standards. 

Third‑Party & Supply Chain Security:

• Assess and manage cybersecurity risks associated with vendors, service providers, and technology partners. 
• Ensure appropriate security controls and requirements are embedded within contracts and service agreements. 

Security Awareness & Capability Development:

• Deliver security awareness and targeted training programs to improve cyber hygiene across the organization. 
• Provide guidance and coaching to technology and digital delivery teams on secure practices. 
• Line‑manage and mentor a Cybersecurity Analyst to build internal security capability. 

Reporting & Stakeholder Engagement:

• Report cybersecurity risks, incidents, and overall security posture directly to the CTO. 
• Provide clear, practical cybersecurity insights to technology leadership and business stakeholders. 
• Act as the primary cybersecurity point of contact across the organization. 

Requirements
The ideal candidate must possess the following: 

• Bachelor’s Degree in Information Technology, Computer Science, Cybersecurity, or a related discipline.  
• 5 - 8 years’ experience in cybersecurity, information security, or IT GRC roles within enterprise environments.  
• Practical experience with cybersecurity governance frameworks such as ISO/IEC 27001, NIST Cybersecurity Framework, or similar.  
• Proven experience conducting cybersecurity risk assessments, audits, and compliance activities.  
• Familiarity with security operations concepts, incident response, vulnerability management, and third‑party security oversight.  
• Experience working in regulated or asset‑intensive industries (e.g., oil & gas, energy, utilities, or heavy industry) is an advantage.  
• Relevant professional certifications (or working towards them) such as ISO 27001, CISSP, CISM, or CRISC are desirable. 
• Strong understanding of both technical cybersecurity controls and IT governance, risk, and compliance. 
• Practical, risk‑based approach suited to operational environments where availability, safety, and business continuity are critical