Gulf African Bank, a pioneering Shari’ah-compliant financial institution in Kenya, continues to uphold its reputation as a trusted partner for individuals, businesses, and institutions seeking ethical and innovative financial solutions. With a commitment to excellence, security, and digital transformation, the Bank is looking for dynamic professionals to join its workforce in delivering secure, high-quality services to its customers.
As part of its commitment to enhance data security and ensure full compliance with the Kenya Data Protection Act (2019) and associated regulations, Gulf African Bank is inviting qualified and experienced candidates to apply for the position of Manager, Information Security and Data Protection. This permanent role will be based at the Bank’s head office in Nairobi, and will report to the Senior Manager, Information Security.
Position: Manager, Information Security and Data Protection
Advert Number: 4782/2025
Location: Nairobi
Employment Type: Permanent
Reporting To: Senior Manager, Information Security
Vacancies: 1
Job Purpose
The Manager, Information Security and Data Protection will lead initiatives aimed at achieving and maintaining compliance with the Data Protection Act, 2019. The incumbent will design, implement, and monitor security frameworks, data protection policies, and IT governance practices to secure sensitive information, safeguard customer data, and ensure operational continuity during business disruptions.
This role also entails close collaboration with internal departments and external regulators, offering strategic guidance on data governance, regulatory compliance, business continuity, cyber risk management, and incident response.
Key Responsibilities
1. Data Protection and Privacy Management
- Serve as the principal contact for data protection issues, both internally and with external supervisory authorities.
- Evaluate and oversee all data processing activities conducted by the organization to ensure legal compliance and ethical management of personal data.
- Provide structured guidance in the planning and execution of Data Protection Impact Assessments (DPIAs).
- Advise the organization and its staff on their legal responsibilities as data controllers or processors under the Data Protection Act.
- Monitor compliance with the Act, including conducting training sessions, promoting awareness, and performing internal audits.
- Liaise directly with the Office of the Data Protection Commissioner (ODPC) and other regulatory bodies in all matters related to data privacy.
2. Information Security Management
- Support the implementation and alignment of the Bank’s Information Security Management System (ISMS) with recognized standards such as COBIT, ISO/IEC 27001, PCI DSS, and the CIS Controls.
- Ensure the development and ongoing refinement of information security policies, procedures, and standards that reflect current risk scenarios and best practices.
- Conduct regular reviews to ensure that all security practices and procedures meet evolving regulatory and technological requirements.
3. Regulatory Compliance
- Keep abreast of changes to CBK Prudential Guidelines and other regulations impacting IT security and governance.
- Ensure that internal documentation and policies are regularly updated to remain in compliance with both local and international regulations.
- Provide advisory support to management and other departments regarding regulatory expectations and changes in law.
4. Risk and Audit Management
- Assist in the planning and execution of comprehensive risk assessments encompassing people, processes, and technologies.
- Evaluate and manage third-party risks, ensuring suppliers and partners comply with Gulf African Bank’s information security and privacy policies.
- Coordinate responses to both internal and external audits on information security and data protection matters.
- Maintain an effective tracking system for audit issues and risk remediation activities.
- Lead the delivery of awareness and training programs to embed a security-conscious culture throughout the organization.
5. Business Continuity and Disaster Recovery
- Support the development and execution of the Bank’s Business Continuity Management (BCM) and Disaster Recovery (DR) plans.
- Conduct Business Impact Assessments (BIAs) and risk assessments to identify potential operational disruptions.
- Update and test business continuity and recovery plans to validate readiness and compliance with predefined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
- Facilitate scenario planning, testing exercises, and post-mortem reviews to strengthen resilience across all operations.
6. Information Security Assurance
- Implement a comprehensive user access management framework, ensuring appropriate privileges are assigned and monitored.
- Oversee vulnerability management activities including regular scanning, reporting, and mitigation in line with the Bank’s policy.
- Develop and maintain secure configuration standards for all critical systems.
- Implement advanced endpoint protection mechanisms to detect and respond to cyber threats effectively.
- Provide oversight of the Bank’s Security Operations Centre (SOC) to ensure timely detection and response to security incidents.
- Collaborate with project teams to ensure that all new initiatives, products, and technologies meet the Bank’s security and compliance requirements.
Required Qualifications and Experience
- Bachelor’s Degree in Computer Science, Information Systems, ICT, Information Security, or related discipline.
- Certifications in Data Protection (mandatory).
- At least one of the following security certifications:
  - Certified Information Security Manager (CISM)
  - ISO/IEC 27001 Lead Implementer
  - Certified Information Systems Auditor (CISA)
  - ISO/IEC 27001 Lead Auditor
  - Technical cybersecurity certifications such as CEH (Certified Ethical Hacker), CCNA (Cisco Certified Network Associate), API Security, or Cloud Security credentials.
- Added advantage for certifications in:
  - Business Continuity Management
  - Project Management (e.g. PRINCE2 Practitioner)
  - IT Governance (e.g. ITIL)
- Minimum of 5 years of progressive experience in Information Security or IT Governance.
- At least 2 years should have been in a managerial capacity with a focus on data protection compliance.
- At least 3 years of hands-on experience in conducting information security risk assessments, compliance assessments, and audits.
Required Skills and Competencies
Technical Competencies
- Strong knowledge of the Kenya Data Protection Act (2019), CBK Prudential Guidelines, and related data privacy laws.
- In-depth understanding of cybersecurity governance, including best practices in access control, endpoint security, vulnerability management, and incident response.
- Proven expertise in designing and implementing Business Continuity and Disaster Recovery plans.
- Familiarity with enterprise-grade security technologies including SIEM, DAM, FIM, NAC, PAM, and endpoint protection tools.
- Ability to align information security strategies with evolving business needs and industry standards.
Behavioural Competencies
- High level of integrity, ethics, and professional conduct.
- Excellent interpersonal and communication skills, with the ability to manage diverse stakeholder expectations.
- Strong leadership and self-motivation capabilities, promoting collaboration, innovation, and accountability across teams.
- Analytical thinker with attention to detail and the ability to interpret complex regulations and technical risks into actionable business guidance.
Why Join Gulf African Bank?
At Gulf African Bank, you become part of a visionary organization that blends ethical banking with technological innovation. The Bank is committed to investing in its people and fostering a culture of excellence, inclusion, and integrity. In this role, you will not only safeguard customer trust and regulatory compliance but also shape the future of digital banking in a secure and sustainable way.
You will be empowered to work on critical projects, engage with regulatory stakeholders, and lead the charge in building a resilient information security framework that aligns with the highest international standards.
If you meet the qualifications and are passionate about data protection, cybersecurity, and strategic IT governance in a dynamic banking environment, this opportunity is for you.
Application Deadline: 10th July 2025
Location: Nairobi
Number of Positions: One (1)
How to Apply
Applications should be submitted in accordance with the Bank’s application process. Interested candidates are advised to submit their applications before the closing date.