Chief Information Security Officer (CISO)

European Defence Agency
  • Location
    Brussels, Belgium
  • Sector
    Non Profit
  • Experience
    Mid Career / Advanced
  • Apply by
  • Posted
    Oct 16

Position description

The European Defence Agency was established on 12 July 2004, and is governed by Council Decision (CFSP) 2015/1835 defining the statute, seat and operational rules of the European Defence Agency. The Agency has its headquarters in Brussels.

The main task of EDA is to support the Council and the Member States in their effort to improve the Union's defence capabilities in the field of crisis management and to sustain the Common Security and Defence Policy (CSDP) as it currently stands and as it develops in the future.

The Agency is structured into four directorates: three operational directorates, Industry, Synergies and Enablers (ISE), Capability, Armament & Planning (CAP) and Research, Technology and Innovation (RTI), and the Corporate Services Directorate (CSD).

The Agency is an “outward-facing” organisation, constantly interacting with its shareholders, the participating Member States, as well as with a wide range of stakeholders. It works in an integrated way, with multi-disciplinary teams representing all of the Agency’s functional areas, to realise its objectives. Its business processes are flexible and oriented towards achieving results. Staff at all levels need to demonstrate the corresponding qualities of commitment, flexibility, innovation, and team-working; to work effectively with shareholders and stakeholder groups, formal and informal; and to operate without the need for detailed direction.

The Management Team consists of the Chief Executive (CE), the Deputy Chief Executive (DCE) and the four Directors and is supported by the Policy and Planning Unit and the Media and Communication Unit.

The European Defence Agency (EDA) is preparing to build and deploy Communication and Information Systems (CIS) for the processing of EU unclassified information and EU classified information (EUCI). These systems will be operated and used by EDA in Brussels but will have connections with other unclassified and classified networks operated by EU institutions and by government organisations in EU Member States. The project covers all aspects of the implementation, ranging from IT-related activities (such as the procurement process, architecture design, vendor management and quality management) to formal accreditation processes, physical security arrangements, document security measures, organisational adjustments, training and awareness activities, etc. In order to modernise its handling of information not only from a technical perspective but also from a policy and process angle, EDA is selecting a Chief Information Security Officer to lead the transformation of the organisation in all areas related to information security.

Reporting directly to the Chief Executive/Deputy Chief Executive, but largely on his/her own initiative and in close cooperation with the Head of IT and the Head of Security, the CISO will have the following responsibilities:

  • Refine, update and lead the implementation of EDA’s information security policy, considering existing policies and procedures in place for the following layers: personnel security, physical security, security of information, industrial security, exchange of information with third states or international organisations;
  • Define and lead the implementation of EDA’s information security policy, in accordance with other EU-wide policies;
  • Implement and lead appropriate processes to ensure a continuous risk assessment / risk evaluation for information security as mandated by EU Policy for EUCI handling;
  • Oversee classification / declassification of information between security domains, following appropriate policies;
  • Define and lead the implementation of EUCI security management instructions, and establish appropriate monitoring processes, in accordance with the risk management process;
  • Manage the EUCI security lifecycle;
  • Refine and lead the implementation of effective business continuity / disaster recovery procedures following appropriate EUCI policies;
  • Refine and lead the implementation of effective information security incident management procedures following appropriate EUCI policies;
  • Oversee and lead project management activities on EUCI-related CIS projects;
  • Act as the Agency reference point for all activities related to EUCI handling, both internally and externally, including liaison with counterparts in other EU institutions (in particular the Council of the EU, identified as the Security Accreditation Authority for any information security system in EDA) and in Member States.

Duties may evolve according to development of the EDA’s structure and activities, and the decisions of EDA management.

a. Conditions for eligibility

  • be a national of a Member State participating in the Agency;
  • be entitled to his/her full rights as a citizen;
  • have fulfilled any obligations imposed on him/her by the laws concerning military service;
  • produce the appropriate character references as to his/her suitability for the performance of his/her duties;
  • be physically fit to perform his/her duties;
  • have a thorough knowledge of one of the languages of the participating Member States and a satisfactory knowledge of another of these languages to the extent necessary to discharge his/her duties;
  • have no personal interest (financial, family relationship, or other) which could be in conflict with disinterested discharge of his/her duties within the Agency;
  • hold, or be in a position to obtain, a valid Personnel Security Clearance Certificate (national or EU PSC at SECRET UE/EU SECRET level). Personnel Security Clearance Certificate (PSCC) means a certificate issued by a competent authority establishing that an individual is security cleared and holds a valid national or EU PSC, and which shows the level of EUCI to which that individual may be granted access (SECRET UE/EU SECRET), the date of validity of the relevant PSC and the date of expiry of the certificate itself;
  • have a level of education which corresponds to completed university studies attested by a diploma when the normal period of university education is four years or more, or a level of education which corresponds to completed university studies attested by a diploma and appropriate professional experience of at least one year when the normal period of university education is at least three years or be a graduate of a national or international Defence College.

Only diplomas that have been awarded in EU Member States or that are the subject of equivalence certificates issued by the authorities in the said Member States shall be taken into consideration. In the latter case, the authority authorised to conclude contracts of employment reserves the right to request proof of such equivalence.

b. Essential selection criteria

(1) Professional

The candidate will be required to demonstrate that he/she has:

  • a consistent track record of successful project delivery in a military or civilian organisation handling classified and unclassified information on a daily basis;
  • a minimum of 10 years of experience in Information Security, in roles of growing responsibility;
  • a minimum of 5 years of experience leading information security teams in medium to large organisations dealing with responsibilities similar to the ones detailed above;
  • a deep understanding of the role of Information Security policy in large organisations;
  • one or more formal certifications in Information Security, such as CISSP (Certified Information Systems Security Professional);
  • detailed knowledge of a formal project management methodology (PMI or PM2 are preferred);
  • detailed or certified knowledge of information systems governance frameworks and functions (such as COBIT 5/COBIT 2019, or the CGEIT certification);
  • extensive experience with organisational change management and business transformation in large organisations or military organisations;
  • very good knowledge of ICT and Cyber-security markets structure, challenges, players and state-of-the-art;
  • good understanding of IT systems architectures, security implications, classified systems accreditation process;
  • a very good knowledge of written and spoken English.

(2) Personal

All staff must be able to fit into the Agency's way of working (see the description of the Agency's way of working above). Other attributes important for this post include:

  • excellent people networking skills, capable of identifying and establishing successful relationships with key stakeholders and decision-makers;
  • proven ability to establish effective relations at CxO level with senior decision-makers, from both civilian and military environments;
  • excellent communication and presentational skills, both written and oral;
  • ability to work independently and collaboratively;
  • ability to work effectively in a multicultural environment;
  • proven ability to present complex information in an easily understandable way, communicating in plain English and avoiding unnecessary jargon;
  • flexibility and innovativeness;
  • a genuine commitment to the Agency's objectives.

c. Desirable

The following will be considered an advantage:

  • experience with EUCI handling environments in an international/defence environment;
  • experience with defining, implementing and monitoring Information Security policies in large organisations;
  • experience with managing large Projects with strong impact on the core mission of the organisation;
  • experience with implementation of ICT systems for classified information handling, either at national or international scale;
  • experience with multicultural, multinational environments;
  • experience with ICT systems lifecycle management;
  • hold a valid Personnel Security Clearance Certificate (national or EU PSC at SECRET UE/EU SECRET level).
