Business Information Security Officer, Advisory

Overview
At KPMG in Canada, our people bring their unique perspectives to Canada's most important challenges. Here, you can build momentum that reaches beyond our business, develop skills for the future, and take ownership of your career with support at every stage. Join a firm where your career can make a difference.

KPMG Canada is seeking an experienced professional to fulfill the role of Business Information Security Officer (BISO) - Advisory. This role reports to the Firm's Chief Information Security Officer and operates within the Advisory Business Unit, serving as the primary liaison between the central security function and the business.

This is an exciting opportunity for an individual with deep, cutting-edge experience in assessing security risks related to modern AI-enabled technology solutions and designing security guardrails to enable their safe and effective use.

Advisory at KPMG is a fast-paced environment, offering Risk and Management Consulting, Cyber Security, and Deal Advisory services to drive value and success. KPMG Canada's Digital Security Group is responsible for governing and overseeing the Firm's data and information security programme.

The BISO will collaborate with Business, Risk, Privacy, and Technology teams to assess and analyze cybersecurity risks. The individual will provide security recommendations based on identified threats and risks, while considering compliance and regulatory requirements relevant to the Business Unit. Additionally, the individual will document and track identified risks and recommendations and obtain necessary risk and security approvals where required.

The ideal candidate will demonstrate strong knowledge of modern application lifecycle practices, security architecture, cloud platforms, Generative AI tools, frontier models, API security, and application security standards such as OWASP, along with familiarity with frameworks such as ISO 42001.

What you will do

• Serve as the primary information security liaison between the Business Unit and the Digital Security Group
• Translate Firm security policies, procedures, and standards into practical, risk-based controls for the Business Unit technology ecosystem
• Proactively unblock and manage security, risk, and compliance issues by bringing together Advisory, ITS, Risk, Security stakeholders, driving decisions, tracking actions, and ensuring issues are worked through to a clear and timely end state
• Monitor compliance with KPMG security policies, standards, and control requirements; identify non-compliance, initiate remediation actions, and track exceptions through formal risk acceptance processes with appropriate compensating controls
• Act as the BU key point of contact to understand security risks related to evolving business requirements for technology and solutions, and apply security-by-design principles to provide proactive, business-focused, guidance aligned with Firm's security policies and standards
• In coordination with Platform Security team, assess and review business-requested software, tools, and AI capabilities (including SaaS and Generative AI solutions) for security, privacy, and compliance risks; lead intake, risk evaluation, and provide delegated approval or whitelisting where necessary
• Collaborate with Project, Technology, Business, and Risk teams to gather requirements and support the Security Assessment Review (SAR) process, led by Platform Security
• Develop and maintain a business unit Risk Register to track security risks
• Coordinate with stakeholders to ensure security requirements are documented and tracked throughout the project lifecycle

Governance

• Maintain a strong understanding of KPMG security policies (e.g., GISP, AUP, ATO), requirements, and guidance from the CISO, Risk Management Partner, and Office of the General Counsel
• Maintain and validate a comprehensive inventory of business applications, tools, and technology assets (on-premises and cloud), ensuring alignment with Firm security standards
• Coordinate implementation and onboarding of new security programs and capabilities as directed by the CISO
• Contribute to annual business planning processes and recommend initiatives to enhance security posture and operational efficiency
• Represent the business unit and provide key metrics in monthly security governance forums

Vulnerability Management and Incident Response

• Own BU-level vulnerability management, including identification, prioritization, and remediation tracking across applications, endpoints, and cloud environments (including CSPM)
• Partner with Technology teams to drive timely remediation of identified vulnerabilities
• Manage responses to security incidents following KPMG's incident management processes
• Represent the business unit in SEV1 incident response bridges

Monitoring

• Monitor adherence to KPMG security policies and standards
• Review compliance reports generated by security tools and address identified issues
• Perform regular reviews of installed applications to identify prohibited software and initiate remediation actions
• Maintain an accurate and up-to-date inventory of business applications (on-premises and cloud environments including Azure, AWS, and GCP)
• Monitor control effectiveness across all technology assets within the business unit

What you bring to the role

• Bachelor's or Master's degree in Information Technology, Computer Science, Cyber Security or a related field, or equivalent experience•
• 10+ years of experience in application, technology, or solution design, architecture, development, and implementation
• 5+ years of experience in secure design/architecture and project risk assessments across modern cloud and on-premises environments, including SaaS solutions
• 5+ years of experience as a security practitioner in a leadership role
• Deep understanding of modern application development ecosystems, open systems, Generative AI, and emerging technologies
• Strong knowledge of information security standards and frameworks (e.g., CSA CCM, ISO 27001/27017/27018/42001, PCI DSS, NIST CSF, NIST 800-53) and data protection principles
• Experience working with modern AI tools and capabilities
• Proven experience in a consulting or advisory role, collaborating with Technology, Project, and Business stakeholders
• Holding any of the following certifications would be considered an asset but not required: CISSP, CISA, CRISC, CISM

Providing you with the support you need to be at your best
Our Values, The KPMG Way
Integrity , we do what is right | Excellence , we never stop learning and improving | Courage , we think and act boldly | Together , we respect each other and draw strength from our differences | For Better , we do what matters

KPMG in Canada is a proud equal opportunities employer and we are committed to creating a respectful, inclusive and barrier-free workplace that allows all of our people to reach their full potential. A diverse workforce is key to our success and we believe in bringing your whole self to work. We welcome all qualified candidates to apply and hope you will choose KPMG in Canada as your employer of choice.

Adjustments and accommodations throughout the recruitment process
At KPMG, we are committed to fostering an inclusive recruitment process where all candidates can be themselves and excel. We aim to provide a positive experience and are prepared to offer adjustments or accommodations to help you perform at your best. Adjustments (informal requests), such as extra preparation time or the option for micro breaks during interviews, and accommodations (formal requests), such as accessible communication supports or technology aids, are tailored to individual needs and role requirements. You will have an opportunity to request an adjustment or accommodation at any point throughout the recruitment process. If you require support, please contact KPMG's Employee Relations Service team by calling View phone number on onjobcentre.ca.

AI Usage
Weembrace the use of artificial intelligence (AI) to enhance the candidate experience and streamline our recruitment processes. AI tools may help with organizing applications or surfacing relevant qualifications. However, no hiring decisions are made using AI. Every hiring decision is made by our hiring managers and recruitment professionals, who are equipped with training that empowers them to use these tools responsibly. AI technologies used in our recruitment process undergo detailed risk assessments, including security and privacy requirements, that align with KPMG's Trusted AI framework.

We believe technology should empower human judgment, not replace it. It's one of the many ways we're delivering on our vision of being a technology-first, people-driven firm.