Regional Information Security Manager Middle East and Africa

Company: Apex Group
Job Type: Full Time

Job Description - Regional Information Security Manager Middle East and Africa

The Apex Group was established in Bermuda in 2003 and is now one of the world’s largest fund administration and middle office solutions providers.

Our business is unique in its ability to reach globally, service locally and provide cross-jurisdictional services. With our clients at the heart of everything we do, our hard-working team has successfully delivered on an unprecedented growth and transformation journey, and we are now represented by over circa 13,000 employees across 112 offices worldwide. Your career with us should reflect your energy and passion.

That’s why, at Apex Group, we will do more than simply ‘empower’ you. We will work to supercharge your unique skills and experience.

Take the lead and we’ll give you the support you need to be at the top of your game. And we offer you the freedom to be a positive disrupter and turn big ideas into bold, industry-changing realities.

For our business, for clients, and for you

The Role:

Regional Information Security Manager – You will act as the MEA regional technical risk team, managing risk exposure and compliance across GCC/Africa entities. You will align with the Cyber Strategy and Group CISO directives; deliver inputs to the Global Technology Risk Forum and host local technology risk forums; and integrate UAE PDPL, Dubai International Financial Centre (DIFC) Data Protection, Saudi SAMA Cybersecurity Framework, Saudi NCA Essential Cybersecurity Controls (ECC), South Africa POPIA, plus global frameworks (NIST CSF 2.0, ISO/IEC 27001, ISO 31000, COBIT 2019, PCI DSS).

You will work with Risk Managers in all regions and the Global Head of Technical Risk.

Key duties and responsibilities:

Security Engineering

  • MEA Regulatory Alignment: UAE (Federal PDPL): Govern consent/legal bases, DPO roles, breach reporting, cross-border transfer requirements; coordinate with UAE Data Office guidance.
  • DIFC: Apply DIFC data protection and recent amendments; manage scope across controllers/processors and stable arrangements; ensure rights, transparency, and fines awareness.
  • Saudi Arabia: SAMA CSF for financial entities—governance, defense, response/recovery; maturity expectations.
  • NCA ECC (incl. ECC 2 updates): Implement governance/defense/resilience/third-party/cloud/ICS controls; follow national reporting obligations.
  • South Africa (POPIA): Enforce lawful processing, breach notification, and data subject rights under POPIA and Information Regulator oversight.
  • Framework Integration: Map controls to Apex Gold Standard, NIST CSF 2.0, ISO/IEC 27001:2022, ISO 31000, COBIT 2019; maintain PCI DSS readiness for payments.
  • Metrics, RCSA, & TRF: Define MEA KRIs/KPIs; lead RCSA; drive remediation; publish Technology Risk Forum packs with clear risk narratives. Govern regional KRIs/KPIs and ensure fit-for-purpose metrics mapped to risk appetite.
  • Stakeholder Management & Communication: Coordinate with local regulators, business heads, and technology stakeholders; deliver concise executive-level presentations.
  • Lead annual RCSA with ISO 31000 risk principles; close remediation actions.
  • Maintain compliance to NIST CSF 2.0, ISO/IEC 27001:2022, COBIT 2019; sustain PCI DSS v4.0/v4.0.1 for payments.
  • Feed clear, decision-ready inputs to the Technology Risk Forum; coordinate with application/infra/service owners to turn metrics green.
  • Drive a Metric Rewrite Protocol for persistently failing metrics (RCA → redesign → pilot → cutover).
  • Ensure SOX 404 (where applicable) alignment for ICFR/ITGCs; coordinate management assessment and external audit readiness.
  • Drive SecurityScorecard activities.
  • Execute delegated tasks as deemed appropriate by the Group CISO and other empowered Group Cyber leadership authorities, ensuring timely and effective completion in alignment with organizational priorities.
  • Support the Group Cyber Strategy end-to-end, driving alignment of all activities, decisions, and deliverables with strategic objectives and business outcomes.

Experience and Knowledge:

  • 10–15 years in Cyber Risk/Technical Risk/Compliance in GCC/Africa financial institutions; practical delivery across UAE PDPL, DIFC, SAMA CSF, NCA ECC, POPIA landscapes.
  • Exceptional communication, presentation, and articulation skills; ability to influence diverse stakeholder groups.
  • Good knowledge of cloud and hybrid security models (Azure, AWS, or equivalent).
  • Industry certifications advantageous (e.g., CISM/CRISC, ISO 27001 Lead Auditor; cloud security certs.).
  • Familiarity with frameworks such as ISO 27001, SOC 2, and NIST, MEA, PDPL, DIFC, NCA ECC, SAMA CSF, POPIA etc.
  • Experience with IAM/PAM concepts and platforms (CyberArk, SailPoint, etc.) is beneficial but not required.
  • Strong analytical and problem‑solving skills with a methodical approach to security engineering.
  • Ability to communicate technical concepts clearly to both technical and non‑technical audiences.
  • Highly organized, with the ability to manage multiple tasks in a fast‑paced global environment.
  • Passion for continuous learning, upskilling, and improving security capabilities.

What you will get in return:

  • High visibility within a fast‑growing global organization.
  • Opportunity to work with a diverse and international team of security professionals.
  • Exposure to leading security technologies across multiple environments and jurisdictions.
  • A role where your contributions directly improve the organization’s security maturity.
  • Professional development opportunities, including certifications and hands‑on learning.
  • A positive, supportive, and collaborative work environment.
  • A unique opportunity to grow within one of the world’s leading independent fund administrators.

Disclaimer: Unsolicited CVs sent to Apex (Talent Acquisition Team or Hiring Managers) by recruitment agencies will not be accepted for this position. Apex operates a direct sourcing model and where agency assistance is required, the Talent Acquisition team will engage directly with our exclusive recruitment partners.

Original job Regional Information Security Manager Middle East and Africa posted on GrabJobs ©. To flag any issues with this job please use the Report Job button on GrabJobs.