Full Job Description
KPMG Canada is seeking an experienced professional to fulfill the role of Business Information Security Officer (BISO) - Advisory. This role reports to the Firm's Chief Information Security Officer and operates within the Advisory Business Unit, serving as the primary liaison between the central security function and the business.
This is an exciting opportunity for an individual with deep, cutting-edge experience in assessing security risks related to modern AI-enabled technology solutions and designing security guardrails to enable their safe and effective use.
Advisory at KPMG is a fast-paced environment, offering Risk and Management Consulting, Cyber Security, and Deal Advisory services to drive value and success. KPMG Canada's Digital Security Group is responsible for governing and overseeing the Firm's data and information security programme.
The BISO will collaborate with Business, Risk, Privacy, and Technology teams to assess and analyze cybersecurity risks. The individual will provide security recommendations based on identified threats and risks, while considering compliance and regulatory requirements relevant to the Business Unit. Additionally, the individual will document and track identified risks and recommendations and obtain necessary risk and security approvals where required.
The ideal candidate will demonstrate strong knowledge of modern application lifecycle practices, security architecture, cloud platforms, Generative AI tools, frontier models, API security, and application security standards such as OWASP, along with familiarity with frameworks such as ISO 42001.
What you will do
347 Serve as the primary information security liaison between the Business Unit and the Digital Security Group347 Translate Firm security policies, procedures, and standards into practical, risk-based controls for the Business Unit technology ecosystem347 Proactively unblock and manage security, risk, and compliance issues by bringing together Advisory, ITS, Risk, Security stakeholders, driving decisions, tracking actions, and ensuring issues are worked through to a clear and timely end state347 Monitor compliance with KPMG security policies, standards, and control requirements; identify non-compliance, initiate remediation actions, and track exceptions through formal risk acceptance processes with appropriate compensating controls347 Act as the BU key point of contact to understand security risks related to evolving business requirements for technology and solutions, and apply security-by-design principles to provide proactive, business-focused, guidance aligned with Firm's security policies and standards347 In coordination with Platform Security team, assess and review business-requested software, tools, and AI capabilities (including SaaS and Generative AI solutions) for security, privacy, and compliance risks; lead intake, risk evaluation, and provide delegated approval or whitelisting where necessary347 Collaborate with Project, Technology, Business, and Risk teams to gather requirements and support the Security Assessment Review (SAR) process, led by Platform Security347 Develop and maintain a business unit Risk Register to track security risks347 Coordinate with stakeholders to ensure security requirements are documented and tracked throughout the project lifecycle
Governance
347 Maintain a strong understanding of KPMG security policies (e.g., GISP, AUP, ATO), requirements, and guidance from the CISO, Risk Management Partner, and Office of the General Counsel347 Maintain and validate a comprehensive inventory of business applications, tools, and technology assets (on-premises and cloud), ensuring alignment with Firm security standards347 Coordinate implementation and onboarding of new security programs and capabilities as directed by the CISO347 Contribute to annual business planning processes and recommend initiatives to enhance security posture and operational efficiency347 Represent the business unit and provide key metrics in monthly security governance forums
Vulnerability Management and Incident Response
347 Own BU-level vulnerability management, including identification, prioritization, and remediation tracking across applications, endpoints, and cloud environments (including CSPM)347 Partner with Technology teams to drive timely remediation of identified vulnerabilities347 Manage responses to security incidents following KPMG's incident management processes347 Represent the business unit in SEV1 incident response bridges
Monitoring
347 Monitor adherence to KPMG security policies and standards347 Review compliance reports generated by security tools and address identified issues347 Perform regular reviews of installed applications to identify prohibited software and initiate remediation actions347 Maintain an accurate and up-to-date inventory of business applications (on-premises and cloud environments including Azure, AWS, and GCP)347 Monitor control effectiveness across all technology assets within the business unit
What you bring to the role
347 Bachelor's or Master's degree in Information Technology, Computer Science, Cyber Security or a related field, or equivalent experience347 10+ years of experience in application, technology, or solution design, architecture, development, and implementation347 5+ years of experience in secure design/architecture and project risk assessments across modern cloud and on-premises environments, including SaaS solutions347 5+ years of experience as a security practitioner in a leadership role347 Deep understanding of modern application development ecosystems, open systems, Generative AI, and emerging technologies347 Strong knowledge of information security standards and frameworks (e.g., CSA CCM, ISO 27001/27017/27018/42001, PCI DSS, NIST CSF, NIST 800-53) and data protection principles347 Experience working with modern AI tools and capabilities347 Proven experience in a consulting or advisory role, collaborating with Technology, Project, and Business stakeholders347 Holding any of the following certifications would be considered an asset but not required: CISSP, CISA, CRISC, CISM
Providing you with the support you need to be at your best
Our Values, The KPMG Way
Integrity, we do what is right | Excellence, we never stop learning and improving | Courage, we think and act boldly | Together, we respect each other and draw strength from our differences | For Better, we do what matters