Lead – Information Security Risk & Assurance at Chalhoub Group
Dubai, United Arab Emirates
Full Time


Start Date

Immediate

Expiry Date

12 Nov, 25

Salary

0.0

Posted On

12 Aug, 25

Experience

5 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

No

Skills

Enterprise, Maturity Assessments, Design, Risk Management Framework, Ownership, Oversight, Security Risk, Business Insights, Onboarding, Assessment, Control Testing, It, Control Environment, Internal Audit, Dashboards, Reporting, Retail, Compliance Assessments, Iso

Industry

Financial Services

Description

INSPIRE | EXHILARATE | DELIGHT

For over seven decades, Chalhoub Group has been a partner and creator of luxury experiences in the Middle East. In its pursuit to excel as a hybrid luxury retailer, the Group has curated a portfolio of over 10 owned brands and strengthened its distribution and marketing expertise for over 400 international names across luxury fashion, beauty, jewellery, watches, eyewear, and art de vivre categories.
Every step at Chalhoub Group is taken to build a future where luxury dreams become reality — bridging cultures and crafting memorable experiences for our consumers. Be it by constantly reinventing itself, committing to innovation, or embracing new technologies, the Group is shaping the future of luxury retail. It delivers seamless omnichannel experiences across more than 950 stores, online platforms, and mobile apps. Driving this innovation journey is The Greenhouse — the Group’s innovation hub, incubator, and accelerator for startups and emerging businesses, regionally and globally.
Chalhoub Group fosters a people-at-heart culture rooted in diversity, equity, and inclusion, and a workplace catalysed by forward thinking and future-proofing. Today, it brings together over 16,000 talented professionals across eight countries in the Middle East, with a presence in LATAM. Their collective efforts have earned the Group the Great Place to Work certification in several markets.
Sustainability is at the core of the Group’s strategy, guided by a clear commitment to people, partners, and the planet. Chalhoub Group is proud to be a member of the United Nations Global Compact, a signatory of the Women’s Empowerment Principles, and to have pledged to reach Net Zero by 2040.

How To Apply:

In case you would like to apply to this job directly from the source, please click here

Responsibilities

The Information Security Risk & Assurance Lead is responsible for establishing and leading Chalhoub Group’s enterprise-wide security risk and assurance capabilities. This role drives the development of risk frameworks, control assurance, ISO 27001 and PCI DSS compliance, and IAM governance, while serving as a strategic advisor to executive leadership. It plays a critical role in embedding a culture of security risk ownership and awareness through robust processes, education, and engagement.

  • Define and establish the Information Security Risk capabilities, including governance frameworks, policies, reporting lines, and operating model.
  • Partner with Enterprise Risk and Internal Audit to embed security risk into the Group’s Three Lines of Defence and Enterprise Risk Management (ERM) framework.
  • Chair or co-chair relevant InfoSec risk committees or forums, providing credible challenge and escalation for emerging cyber risks across the business and technology estate.
  • Act as the principal information security risk advisor to senior executives, business leaders, and functional heads.
  • Translate complex technical risks into clear, actionable business insights and recommendations, aligned to Group objectives and risk appetite.
  • Deliver quarterly security risk briefings, dashboards, and thematic risk deep dives for Executive Leadership and Board-level committees as required.
  • Design and implement a scalable, metrics-driven security risk management framework covering risk identification, assessment, treatment, monitoring, and reporting.
  • Establish and maintain a centralised Information Security Risk Register, ensuring ownership, tracking, and oversight of key risks and mitigation plans.
  • Align Group risk methodologies to leading practices such as ISO 27005, FAIR, or NIST RMF where appropriate.
  • Build and lead a risk-based security assurance programme in partnership with Internal Audit, covering internal audits, control testing, supplier reviews, and compliance assessments.
  • Ensure continual improvement, compliance and ISO/IEC 27001 certification, driving maturity across the ISMS and control environment.
  • Lead annual PCI DSS assurance and compliance programmes across retail, payments, and commerce channels.
  • Provide assurance and second-line oversight over security incident management, including root cause analysis, response effectiveness, and post-mortem controls evaluation.
  • Champion a culture of risk ownership, continuous learning, and control improvement following security events.
  • Lead the development and delivery of a Group-wide information security risk education and training programme, tailored by audience and risk level.
  • Equip business and technology stakeholders with practical knowledge to identify, assess, and own security risks as part of day-to-day operations.
  • Collaborate with Group Risk, Internal Audit, and People & Culture to embed risk responsibilities into role-based learning paths, onboarding, and manager training.
  • Track effectiveness of training initiatives through KPIs and maturity assessments, continuously evolving content and engagement strategies.
  • Actively support a culture of proactive risk awareness, clear accountability, and continuous improvement across the organisation.