Lead – Information Security Risk & Assurance
Chalhoub Group
Date: 6 hours ago
City: Dubai
Contract type: Full time

INSPIRE | EXHILARATE | DELIGHT
For over seven decades, Chalhoub Group has been a partner and creator of luxury experiences in the Middle East. In its pursuit to excel as a hybrid luxury retailer, the Group has curated a portfolio of over 10 owned brands and strengthened its distribution and marketing expertise for over 400 international names across luxury fashion, beauty, jewellery, watches, eyewear, and art de vivre categories.
Every step at Chalhoub Group is taken to build a future where luxury dreams become reality — bridging cultures and crafting memorable experiences for our consumers. Be it by constantly reinventing itself, committing to innovation, or embracing new technologies, the Group is shaping the future of luxury retail. It delivers seamless omnichannel experiences across more than 950 stores, online platforms, and mobile apps. Driving this innovation journey is The Greenhouse — the Group’s innovation hub, incubator, and accelerator for startups and emerging businesses, regionally and globally.
Chalhoub Group fosters a people-at-heart culture rooted in diversity, equity, and inclusion, and a workplace catalysed by forward thinking and future-proofing. Today, it brings together over 16,000 talented professionals across eight countries in the Middle East, with a presence in LATAM. Their collective efforts have earned the Group the Great Place to Work certification in several markets.
Sustainability is at the core of the Group’s strategy, guided by a clear commitment to people, partners, and the planet. Chalhoub Group is proud to be a member of the United Nations Global Compact, a signatory of the Women’s Empowerment Principles, and to have pledged to reach Net Zero by 2040.
What You'll Be Doing
The Information Security Risk & Assurance Lead is responsible for establishing and leading Chalhoub Group’s enterprise-wide security risk and assurance capabilities. This role drives the development of risk frameworks, control assurance, ISO 27001 and PCI DSS compliance, and IAM governance, while serving as a strategic advisor to executive leadership. It plays a critical role in embedding a culture of security risk ownership and awareness through robust processes, education, and engagement.
- Define and establish the Information Security Risk capabilities, including governance frameworks, policies, reporting lines, and operating model.
- Partner with Enterprise Risk and Internal Audit to embed security risk into the Group’s Three Lines of Defence and Enterprise Risk Management (ERM) framework. Chair or co-chair relevant InfoSec risk committees or forums, providing credible challenge and escalation for emerging cyber risks across the business and technology estate.
- Act as the principal information security risk advisor to senior executives, business leaders, and functional heads.
- Translate complex technical risks into clear, actionable business insights and recommendations, aligned to Group objectives and risk appetite.
- Deliver quarterly security risk briefings, dashboards, and thematic risk deep dives for Executive Leadership and Board-level committees as required.
- Design and implement a scalable, metrics-driven security risk management framework covering risk identification, assessment, treatment, monitoring, and reporting.
- Establish and maintain a centralised Information Security Risk Register, ensuring ownership, tracking, and oversight of key risks and mitigation plans. Align Group risk methodologies to leading practices such as ISO 27005, FAIR, or NIST RMF where appropriate.
- Build and lead a risk-based security assurance programme in partnership with Internal Audit, covering internal audits, control testing, supplier reviews, and compliance assessments.
- Ensure continual improvement, compliance and ISO/IEC 27001 certification, driving maturity across the ISMS and control environment.
- Lead annual PCI DSS assurance and compliance programmes across retail, payments, and commerce channels.
- Provide assurance and second-line oversight over security incident management, including root cause analysis, response effectiveness, and post-mortem controls evaluation.
- Champion a culture of risk ownership, continuous learning, and control improvement following security events.
- Lead the development and delivery of a Group-wide information security risk education and training programme, tailored by audience and risk level.
- Equip business and technology stakeholders with practical knowledge to identify, assess, and own security risks as part of day-to-day operations.
- Collaborate with Group Risk, Internal Audit, and People & Culture to embed risk responsibilities into role-based learning paths, onboarding, and manager training.
- Track effectiveness of training initiatives through KPIs and maturity assessments, continuously evolving content and engagement strategies.
- Actively support a culture of proactive risk awareness, clear accountability, and continuous improvement across the organisation.
- The ideal candidate will bring deep expertise in information security and enterprise risk management, with relevant qualifications such as CISA, CRISC, or ISO 27005, and proven experience embedding risk frameworks aligned to ISO 27001, NIST RMF, or FAIR in complex, multinational environments.
- Minimum 7 years of experience in Information Security or Technology Risk roles, with at least 5 years in a leadership capacity.
- Demonstrated experience building or maturing a Group-level security risk and assurance function in a complex, regulated or multinational environment.
- Proven leadership in achieving and maintaining ISO 27001 certification and PCI DSS compliance.
- Solid understanding of frameworks and standards such as ISO 27001/27005, NIST CSF/RMF, COBIT, FAIR, and the Three Lines of Defence model.
- Experience designing and delivering enterprise training or awareness programmes on risk and compliance topics is a distinct advantage.
With us, you will turn your aspirations into reality. We will help shape your journey through enriching experiences, learning and development opportunities and exposure to different assignments within your role or through internal mobility. Our Group offers diverse career paths for those who are extraordinary, every day.
We recognise the value that you bring, and we strive to provide a competitive benefits package which includes health care, child education contribution, remote and flexible working policies as well as exclusive employee discounts.
We Invite All Applicants to Apply
It takes diversity of thought, culture, background, differing abilities and perspectives to truly Inspire, Exhilarate and Delight our customers. At Chalhoub Group, we are committed to inclusion and diversity.
We welcome all applicants to apply and be part of our exciting future. We ensure equal opportunity for all our applicants without regard to gender, age, race, religion, national origin or disability status.