Business Information Security Officer, Advisory

About The Position

Requirements

• Bachelor’s or Master’s degree in Information Technology, Computer Science, Cyber Security or a related field, or equivalent experience
• 10+ years of experience in application, technology, or solution design, architecture, development, and implementation
• 5+ years of experience in secure design/architecture and project risk assessments across modern cloud and on-premises environments, including SaaS solutions
• 5+ years of experience as a security practitioner in a leadership role
• Deep understanding of modern application development ecosystems, open systems, Generative AI, and emerging technologies
• Strong knowledge of information security standards and frameworks (e.g., CSA CCM, ISO 27001/27017/27018/42001, PCI DSS, NIST CSF, NIST 800-53) and data protection principles
• Experience working with modern AI tools and capabilities
• Proven experience in a consulting or advisory role, collaborating with Technology, Project, and Business stakeholders

Nice To Haves

• Holding any of the following certifications would be considered an asset but not required: CISSP, CISA, CRISC, CISM

Responsibilities

• Serve as the primary information security liaison between the Business Unit and the Digital Security Group
• Translate Firm security policies, procedures, and standards into practical, risk-based controls for the Business Unit technology ecosystem
• Proactively unblock and manage security, risk, and compliance issues by bringing together Advisory, ITS, Risk, Security stakeholders, driving decisions, tracking actions, and ensuring issues are worked through to a clear and timely end state
• Monitor compliance with KPMG security policies, standards, and control requirements; identify non-compliance, initiate remediation actions, and track exceptions through formal risk acceptance processes with appropriate compensating controls
• Act as the BU key point of contact to understand security risks related to evolving business requirements for technology and solutions, and apply security-by-design principles to provide proactive, business-focused, guidance aligned with Firm’s security policies and standards
• In coordination with Platform Security team, assess and review business-requested software, tools, and AI capabilities (including SaaS and Generative AI solutions) for security, privacy, and compliance risks; lead intake, risk evaluation, and provide delegated approval or whitelisting where necessary
• Collaborate with Project, Technology, Business, and Risk teams to gather requirements and support the Security Assessment Review (SAR) process, led by Platform Security
• Develop and maintain a business unit Risk Register to track security risks
• Coordinate with stakeholders to ensure security requirements are documented and tracked throughout the project lifecycle
• Maintain a strong understanding of KPMG security policies (e.g., GISP, AUP, ATO), requirements, and guidance from the CISO, Risk Management Partner, and Office of the General Counsel
• Maintain and validate a comprehensive inventory of business applications, tools, and technology assets (on-premises and cloud), ensuring alignment with Firm security standards
• Coordinate implementation and onboarding of new security programs and capabilities as directed by the CISO
• Contribute to annual business planning processes and recommend initiatives to enhance security posture and operational efficiency
• Represent the business unit and provide key metrics in monthly security governance forums
• Own BU–level vulnerability management, including identification, prioritization, and remediation tracking across applications, endpoints, and cloud environments (including CSPM)
• Partner with Technology teams to drive timely remediation of identified vulnerabilities
• Manage responses to security incidents following KPMG’s incident management processes
• Represent the business unit in SEV1 incident response bridges
• Monitor adherence to KPMG security policies and standards
• Review compliance reports generated by security tools and address identified issues
• Perform regular reviews of installed applications to identify prohibited software and initiate remediation actions
• Maintain an accurate and up-to-date inventory of business applications (on-premises and cloud environments including Azure, AWS, and GCP)
• Monitor control effectiveness across all technology assets within the business unit

Benefits

• Our Values, The KPMG Way
• Integrity, we do what is right | Excellence, we never stop learning and improving | Courage, we think and act boldly | Together, we respect each other and draw strength from our differences | For Better, we do what matters
• KPMG in Canada is a proud equal opportunities employer and we are committed to creating a respectful, inclusive and barrier-free workplace that allows all of our people to reach their full potential.
• A diverse workforce is key to our success and we believe in bringing your whole self to work.
• We welcome all qualified candidates to apply and hope you will choose KPMG in Canada as your employer of choice.
• Adjustments and accommodations throughout the recruitment process
• At KPMG, we are committed to fostering an inclusive recruitment process where all candidates can be themselves and excel.
• We aim to provide a positive experience and are prepared to offer adjustments or accommodations to help you perform at your best.
• Adjustments (informal requests), such as extra preparation time or the option for micro breaks during interviews, and accommodations (formal requests), such as accessible communication supports or technology aids, are tailored to individual needs and role requirements.
• You will have an opportunity to request an adjustment or accommodation at any point throughout the recruitment process.
• If you require support, please contact KPMG’s Employee Relations Service team by calling 1-888-466-4778.
• AI Usage
• We embrace the use of artificial intelligence (AI) to enhance the candidate experience and streamline our recruitment processes.
• AI tools may help with organizing applications or surfacing relevant qualifications.
• However, no hiring decisions are made using AI.
• Every hiring decision is made by our hiring managers and recruitment professionals, who are equipped with training that empowers them to use these tools responsibly.
• AI technologies used in our recruitment process undergo detailed risk assessments, including security and privacy requirements, that align with KPMG’s Trusted AI framework.
• We believe technology should empower human judgment, not replace it.
• It’s one of the many ways we’re delivering on our vision of being a technology-first, people-driven firm.