Position title: Senior Manager, Information Security GRC
Contract type / duration: 5-year fixed-term contract
Location: Geneva
Department: Public Engagement & Information Services
Team: Knowledge Management & Technology Solutions
Reports To: Chief Information & Security Officer
N° of positions supervised (if applicable): 8+ Consultants
Career Step: 4
1. About the Role
This role is responsible for developing and implementing information security and business continuity programmes, which include policies, procedures and controls designed to protect IT systems/platforms, enterprise communications and assets from both internal and external threats, with a strong focus on process, control efficiency and risk management. The role acts as the subject matter expert on security and risk, and must be able to translate risk mitigation and business continuity requirements into controls and develop metrics for ongoing security performance measurement and reporting. The role is also responsible for coordinating internal and external IT audits and ensuring that risk mitigation is in place and reported on.
Key Success Metrics:
• 50% – Performance of Gavi’s security operations, measured by metrics such as the number of security breaches.
• 20% – Success in implementing Gavi’s Business Continuity and IT Security policies, procedures, and controls.
• 20% – Updates to the IT Risk Register and execution of risk mitigation plans, including risk and control assessments of applications and infrastructure.
• 10% – Timely response to internal and external audits.
2. Key Responsibilities
• Is part of the security team led by Gavi’s Chief Information Security Officer; leads the security team to develop a security programme and security projects that address identified risks and business security requirements;
• Manages the process of gathering, analysing and assessing the current and future threat landscape, as well as providing management with a realistic overview of risks and threats in the organisation environment;
• Develops and maintains a security architecture process that enables the organisation to develop and implement security solutions and capabilities that are clearly aligned with business, technology and threat drivers;
• Validates IT infrastructure and other reference architectures against security best practices and recommends changes to enhance security and reduce risk, where applicable;
• Ensures a complete, accurate and valid inventory of all systems, infrastructure and applications that should be logged by the security information and event management (SIEM) or log management tool;
• Ensures that audit trails, system logs and other monitoring data sources are reviewed periodically and comply with policies and audit requirements;
• Provides security communication, awareness and training for audiences, which may range from senior leaders to staff;
• Leads the handling of security issues and incidents, and participates in problem and change management forums;
• Works with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation;
• Provides support and guidance for legal and regulatory compliance efforts, including audit support;
• Manages security projects and provides expert guidance on security matters for other IT projects;
• Assists and guides the disaster recovery planning team in the selection of recovery strategies and in the development, testing and maintenance of disaster recovery plans;
• Works with the CISO and IT and business stakeholders to define metrics and reporting strategies that effectively communicate the successes and progress of the security programme;
• Other duties and activities as required.
3. Your Experience and Skills
Academic:
• Bachelor’s degree in information security, computer science or related field; advanced degree preferred.
• Certifications in information security and audit (e.g., ISO27001, NIST, GDPR, ITIL, TOGAF).
• Certification in business continuity is a plus.
Work Experience:
• Typically 8-12 years of relevant IT experience, including 5 years in an information security role and at least 2 years in a supervisory capacity;
• Direct, hands-on experience or an excellent working knowledge of vulnerability management tools;
• Demonstrated experience in investigating security incidents is necessary;
• Demonstrated experience in responding to audits is key.
Core Technical & Solutioning Skills:
• Excellent knowledge of key infrastructure domains including networking, cloud platforms, directory management, data centres and data management systems;
• Experience with common information security management frameworks, such as ISO/IEC 2700x, the IT Infrastructure Library (ITIL), NIST standards and the Control Objectives for Information and Related Technologies (COBIT) framework;
• Expertise in cloud security and in cloud-delivered solutions such as SAP, Salesforce, Azure, O365 and ServiceNow, including expertise in the security configuration of Azure and O365;
• Ability to build excellent relationships at all levels and across all business units and organisations, and understand business imperatives;
• An excellent understanding of the business impact of security tools, technologies and policies;
• Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with the IT organisation, project and application development teams, management and business personnel;
• In-depth knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls; an excellent understanding of information security concepts, protocols, industry best practices and strategies.
Communication & Interpersonal Skills:
• Ability to explain complex technology concepts;
• Treating all individuals with fairness and respect;
• Demonstrating sensitivity for diversity and cultural differences;
• Showing great drive and commitment to the organisation’s mission;
• Maintaining high standards of personal integrity;
• Execution and delivery oriented, meets deadlines;
• Commits to organisational goals;
• Collaborates with others in own unit;
• Willing to seek help as needed. Escalates quickly and appropriately to resolve issues;
• Open to new ideas;
• Shares own knowledge; applies knowledge in daily work;
• Acts as a change champion in support of organisational change efforts;
• Proactively identifies obstacles and resolves prior to becoming issues;
• Analyses issues and problems systematically.
Languages Needed:
• Written and spoken fluency in English.
• Other languages desirable, particularly French.
4. How You Work (Behaviours and Mindsets)
• Analytical Thinking and Decisive Judgement – Proactively identifies and resolves issues, applying systematic analysis to complex problems.
• Drive for Results – Demonstrates strong execution and delivery orientation, meeting deadlines and committing to organizational goals.
• Team Collaboration – Works effectively across cultures and teams, seeks support when needed, and escalates issues appropriately.
• Learning and Change Agility – Embraces new ideas, shares knowledge, and champions organizational change.
• Integrity and Respect – Maintains high standards of personal integrity, treats others with fairness and respect, and values diversity.
If you wish to apply, please provide a cover letter and resume through our Careers webpage and apply by clicking on “Senior Manager, Information Security GRC”. Deadline for applications is 14 October 2025.
Become part of our community and join us on Facebook and Twitter for updates about our mission to save children’s lives! You can also follow our hashtag #vaccineswork
In support of Gavi’s commitment to diversity, equality and inclusion, we hire globally and welcome applications regardless of age, disability, ethnicity, national origin, family status, sex, gender identity or expression, physical characteristics, race, religion, spirituality or sexual orientation. Gavi has zero tolerance towards sexual harassment, sexual exploitation and abuse as well as any form of discrimination or harassment. Everyone at Gavi is expected to conduct themselves with integrity and respect towards each other. Gavi is committed to creating a work environment that is safe and professional, therefore all selected candidates will undergo rigorous reference checks.
Gavi brings together the public and private sectors to save lives and protect people’s health by increasing equitable and sustainable use of vaccines against 18 infectious diseases. You will work in a culturally diverse environment with over 70 nationalities. You will collaborate with partners such as WHO, UNICEF, the Bill & Melinda Gates Foundation, the World Bank – and from business, civil society and government. And you will work in the first global health organisation to receive equal gender salary certification. Your unique experience, skills and talents can help us achieve our vision of leaving no one behind without the life-saving power of vaccines.
Gavi, the Vaccine Alliance is a public-private partnership committed to saving children's lives and protecting people's health by increasing equitable use of vaccines in lower-income countries. The Vaccine Alliance brings together implementing country and donor governments, the World Health Organisation, UNICEF, the World Bank, the vaccine industry, technical agencies, civil society, the Bill & Melinda Gates Foundation, and other private sector partners. Gavi uses innovative finance mechanisms, including co-financing by recipient countries, to secure sustainable funding and adequate supply of quality vaccines. Since 2000, Gavi has contributed to the immunisation of more than 1 billion children and the prevention of more than 17 million future deaths.