Information Security Lead, Banking

85996
Oakville, Ontario
Permanent/Direct Hire
22 hours ago

Information Security Lead, Banking, Security Delivery and Operations
Full Time Permanent
Oakville

Client: Canadian Tire
About Us
Canadian Tire Corporation, Limited (“CTC”) is one of Canada’s most admired and trusted companies. With more than 90 Owned Brands, 1,700 retail locations, financial services, exemplary e-commerce capabilities, and exciting market-leading merchandising strategies, we dream big and work as one to innovate with purpose for our customers at every level of our business, investing in new technologies and products, and doubling down on top talent to drive the company forward. We offer competitive salaries and wages to CTC employees, as well as store discounts, supported learning through our Triangle Learning Academy, Canadian Tire Profit Sharing, and retirement and savings programs for eligible employees. As part of our enhanced flex benefits program, we offer mental health benefits in the amount of $5,000 per year for benefits-eligible employees and their families, including total well-being, and mental health tools and resources for all employees. Join us in helping to make life in Canada better through living and working our Core Values: we are innovators and entrepreneurs at our core, outcomes drive us, inclusion is a must, we are stronger together and we take personal responsibility. It is an especially exciting time to join CTC and its family of companies, where career opportunities are wide-ranging! Join us; there's a place for you here.

Canadian Tire Bank (“CTB”) is part of the Canadian Tire Corporation, Limited (“CTC”), which is one of Canada’s most admired and trusted companies. With world-class Owned Brands and exciting market-leading merchandising strategies, we are continually innovating with purpose: to be there for Canadians from coast-to-coast. We are relentlessly focused on innovating at every level of our business, investing in new technologies and products, and doubling down on the best talent to drive the company forward. It is an especially exciting time to join Canadian Tire and its group of companies.
The Information and Cyber Security Governance (IRGS) function is a dedicated team responsible for effectively managing and controlling information and cyber security within an organization. They develop and maintain policies, standards, and procedures/guidelines/process documents related to information and cyber security. The team identifies, assesses, and manages cyber risks, performs risk assessments, and reports on the organization's cyber risk profile. They promote a strong cyber risk and information security culture throughout the organization.
Additionally, the IRGS team conducts vendor assessments, reviews hardware and software for security gaps, remediates deficiencies, and tests control effectiveness. They build partnerships with stakeholders across the organization, implement self-assessment processes incorporating risk and controls assessment in day-to-day activities, and contribute to adopting state-of-the-art tools and techniques. The team also escalates significant cyber-related issues or observed non-compliance or unethical behavior.
It's important to note that the IRGS team reports directly to the Chief Information Security Officer (CISO) of CTB, who oversees the organization's overall information and cyber security strategy. This reporting relationship ensures alignment with strategic goals and facilitates effective coordination, collaboration, and decision-making between the IRGS function and other areas of the organization.
In summary, the IRGS function plays a vital role in governing and managing information and cyber security to protect the organization's assets, data, and systems from potential threats while maintaining a direct line of communication with senior leadership through its reporting structure to the CISO.

At Canadian Tire we work flexibly, embracing ‘Hybrid’, whereby individuals use a combination of working at a CTC campus and/or virtually in service of outcomes. Determined by managers, decisions around work location will be made based on business and team needs and grounded in a desire to support individual well-being and personal needs. Our goal is to empower teams and individuals to make the right decisions for them, and we expect that to look different for everyone. However, starting December 1, 2026, we are mandated to be in the office 4 days a week.

Lead Role – Security Delivery & Operations

What you’ll do:
The Lead is a key player responsible for spearheading initiatives to identify, investigate, communicate, resolve, and improve information security governance, risk and compliance in our IT investments. 
 
You will partner across the organization, including Technology, Enterprise Risk Management, Internal Audit, PCI Compliance, Vendor Management and other stakeholders, to assess cybersecurity risks for the organization, including vulnerabilities, while helping teams determine mitigation strategies to maintain and/or reduce the residual risk of the organization. Sounds like a lot? Well, there’s more:
 

  • Be the champion in risk assessment of technologies and processes in the environment, including our digital crown jewels and other compliance impacting technologies and processes.
  • Understand and collaborate with stakeholders for prioritizing and mitigating vulnerabilities identified within the environment through vulnerability assessment, penetration testing, application security testing and/or any other risk assessment activity.
  • Follow up on vulnerabilities, configuration and cloud gaps, and track remediation
  • Help guide the team to further enhance the existing vulnerability management program
  • Connect the dots to improve and enhance risk assessment processes.
  • Assess third-party risk on the use of vendors for day-to-day operations.
  • Provide oversight, reporting, and metrics on risk functions.
  • Anticipate risk and assist owners in building action plans for risk mitigation.
  • Review risk assessments of non-senior team members and peers
  • Validate operating effectiveness of IT general controls
  • Maintain risk and controls repositories and documentation
  • Provide support for policy exception management procedures
  • Assist with metrics and reporting
  • Be a subject matter expert for the vulnerability management program, application security program, configuration management, and penetration and scenario-based testing

What you bring:

  • University degree or college diploma in technology.
  • Possess one or more professional certifications, such as CISSP, CISM, CISA, CCSP, CRISC etc.
  • Overall 5 to 7 years of experience in information technology and/or information/cyber security
  • Good knowledge and understanding of risks, audits and processes relating to Information/Cyber Security and IT.
  • Excellent communication skills
  • Good documentation and presentation skills
  • Creative thinker who takes initiative
  • Problem solver with the ability to analyze and prioritize to meet business objectives
  • Collaborative team player with superior influencing skills, who builds relationships easily
  • Organized individual who is always seeking to automate or improve efficiency of procedures
  • Creative thinker who is observant to seek new opportunities and perceptive to abstract ideas
  • Goal driven individual to seek out continuous improvement opportunities
  • The ability to take a collaborative approach to build strong relationships and have positive team experiences
  • Good knowledge/understanding and experience of vulnerability and configuration management procedures and how those impact an organization. 
  • Good knowledge and understanding about penetration testing and application security
  • Flexible and dynamic individual who is able to adjust and prioritize accordingly to adapt to business demands and requirements
  • Solid foundation of relevant technical skills
  • Good scripting skills using Python or similar tools
  • Experience with developing dashboards using Power BI
  • Demonstrates behaviors of transparency, accountability, agility and learning from others that will support your success
  • Understanding of/experience in risk assessments, including third-party risk
  • Have knowledge of security governance frameworks, policies and standards 
  • Understands principles of security controls testing
  • Audit and/or IT risk management 
  • Knowledge of IT risk and control frameworks, COBIT 5, NIST CSF & ISO27001, CIS
  • Understand System Development Life Cycle (SDLC) process and agile methodologies
  • Familiarity with Data Privacy and Protection standards PCI, PII.
  • Basic knowledge of cryptography and encryption algorithms.
  • Good knowledge of identity management controls including Multi Factor Authentication and Single Sign On.

The pay range that the employer reasonably expects to pay for this position is between CA$106.00 and CA$64,000

Our voluntary benefits offering includes medical, dental, vision and retirement benefits.

Applications will be accepted on an ongoing basis.

Tundra Technical Solutions would like to thank you for the interest you have demonstrated in this opportunity. However, only candidates with the required skills will be contacted.

Tundra Technical Solutions is an Equal Opportunity/Affirmative Action Employer. We welcome and encourage diversity in our workplace.

Not interested in this position, but know somebody who might be? Check out our Referral Reward Program; referrals are a big secret behind our success. As always, we’re on the lookout for great people. And we know that you know great people!

Tundra Technical Solutions is among North America’s leading providers of Information Technology and Engineering staffing and consulting services. Our success and our clients’ success are built on a foundation of service excellence. Rather than continually trying to sell to new clients and companies and simply filling databases with candidates, we focus on developing stronger relationships and deeper knowledge of our existing clients’ challenges and opportunities.

Open ears. Open minds. Open futures