Group CISO is looking for a first line IT security risk officer, who is able to play a key role in strengthening how the organisation understands, reports, evidences, and improves its IT and cyber risk position.
The role is responsible for coordinating and improving key risk and assurance reporting activities, including Group Technology Risk Reporting, internal and external cybersecurity audits, the Group IT In Control Statement, quarterly reporting across the Cyber Risk Domains, and the further development towards a more SOC 2-based assurance reporting model for all departments in the Group IT organization.
You operate close to the (Business Unit) Security Officers, senior management, second line risk functions (IRM/ORM), internal audit (CAS), external auditors, and other stakeholders across NN Group. Your focus is to translate complex IT and cyber risk information into clear, reliable, traceable, and actionable reporting.
What you are going to do
This role is to help NN Group IT demonstrate that it is effectively managing IT and cyber risks from a first line perspective. This includes improving the quality of risk reporting, defining and maintaining key risk indicators, ensuring timely collection and validation of evidence, supporting audit readiness, and providing senior management with clear insight into risk posture, control status, and required actions. This role helps ensure that IT and cyber risk reporting is clear, consistent, timely, traceable, and decision-ready. It supports management accountability by bringing together risk data, audit evidence, control status, and cyber risk domain reporting into a coherent assurance view.
Risk reporting and assurance
- Coordinate and prepare Risk management reporting for NN Group IT
- Support the creation and ongoing improvement of the Group IT In Control Statement
- Prepare and coordinate quarterly reporting on the Cyber Risk Domains within NN Group IT
- Drive the yearly strategic risk assessments for Group IT
- Translate risk, control, and assurance information into clear management reporting
- Improve the quality, consistency, traceability, and reliability of IT and cyber risk data
- Support the transition towards a more SOC 2-based assurance reporting approach, including reporting structure, evidence collection, control mapping, and stakeholder alignment
Cybersecurity audits
- Coordinate and support internal and external cybersecurity audits
- Work with control owners, Security Officers, IT teams, and management to collect, structure, and validate audit evidence
- Track audit requests, findings, actions, deadlines, dependencies, and follow-up activities
- Ensure that audit and assurance activities are properly planned, documented, and delivered on time
- Challenge incomplete, unclear, or inconsistent evidence before it enters the formal audit or assurance process
Stakeholder alignment
- Work closely with (BU) Security Officers, senior management, second line risk, internal audit, and external auditors
- Proactively reach out to stakeholders to collect input, clarify expectations, and resolve gaps
- Help senior management understand the current cyber risk position, key themes, emerging issues, and required actions
- Build strong working relationships across teams to keep risk reporting timely, accurate, and useful
- Act as a linking pin between technical IT and security teams and risk, governance, and assurance stakeholders
Planning, coordination, and improvement
- Maintain clear planning for recurring reporting cycles, audits, evidence requests, and management deliverables
- Monitor deadlines and follow up proactively on open actions and dependencies
- Improve reporting templates, dashboards, data flows, and documentation standards
- Identify opportunities to simplify, automate, or improve risk reporting processes
- Use data reporting tools to create better insight into risk trends and control performance
- Explore opportunities to use AI-enabled tooling for analysis, reporting, summarization, data quality improvement, and reporting efficiency
The preferred candidate has a strong basis in risk reporting and a clear affinity with IT and cyber risk. The role does not require deep technical expertise, but it does require a thorough understanding of cybersecurity and associated risk, enabling you to ask the right questions, recognize weak answers, and translate technical input into reliable risk reporting. Furthermore, you have:
- A few years of experience in risk reporting, IT risk, cyber risk, internal control, IT audit or assurance
- Experience with recurring reporting cycles, management reporting, control evidence, audit requests, and action tracking
- Strong planning and coordination skills, with clear ownership of timelines and deliverables
- A proactive attitude and confidence to reach out to stakeholders across different levels of the organization
- The ability to work with a plethora of stakeholders, including senior management, technical specialists, Security Officers, control owners, auditors, and risk specialists
- Strong analytical skills and attention to detail
- The ability to learn quickly and understand new frameworks, reporting requirements, and assurance models
- Strong written and verbal communication skills in English. Given the stakeholder context, proficiency in Dutch is strongly preferred
For this role, strong data and reporting skills are important. The candidate should be comfortable working with:
- Microsoft Excel, including structured data handling, formulas, pivot tables, data checks, and reporting templates
- Power BI, including dashboards, reporting views, management insights, and data visualisation
- Workflow, planning and ITRC tooling such as Azure DevOps, ServiceNow, IBM OpenPages
- AI-enabled tooling or automation concepts that can support reporting efficiency, evidence summarisation, inconsistency detection, and data analysis.
You will report directly to the Head of Information Security and Governance. In this role, you will collaborate closely with all teams within Group CISO and other security officers within NN. You will engage with a wide range of stakeholders across the organization. Your expertise will be valued not only within the Dutch business units, but also across NN Group’s international organization, giving you the opportunity to make a broad impact.
Any questions?
If you have any questions about the assignment, you can reach out to Nina Moekotte (Talent Acquisition Specialist) via nina.moekotte@nn-group.com.
