Group Technology and Operations (T&O) enables and empowers the bank with an efficient, nimble and resilient infrastructure through a strategic focus on productivity, quality and control, technology, people capability and innovation. In Group T&O, we manage the majority of the Bank's operational processes and aspire to delight our business partners through our multiple banking delivery channels.
About the role
The incumbent will be responsible for the delivery and implementation of the Bank's cybersecurity risk management and compliance program, ensuring that the Bank is compliant with the relevant cybersecurity regulations and that risks pertaining to the Bank's technology and information assets are identified. The candidate is required to work with key stakeholders to implement practices that meet the Bank's policies and standards for cybersecurity risk management and compliance, and to ensure that identified risks and gaps are adequately addressed and remediated. The candidate is also responsible for providing oversight and governance over cybersecurity-related activities and for updating management on the metrics and compliance posture of the cybersecurity environment.
The incumbent will support the security governance and compliance activities in the Bank. This includes:
working with key stakeholders and counterparts within the Bank to ensure compliance with key cyber and information security legislation and regulations,
engaging senior management on key cybersecurity initiatives, risk metrics and regulatory matters, and
supporting the regional information security services teams in engaging their local senior management teams on Group initiatives and risk metrics.
Legislation, regulations and policies
Take ownership of the cybersecurity program, including cybersecurity policies, regulatory audits, compliance management, metrics, risk and performance indicators, and senior management reporting
Track and monitor new security regulatory guidelines, assess their impact on and the compliance of the Bank's security policy architecture, and develop, review and update information security policies and standards to comply with the regulatory requirements as required
Work with regional information security services teams in the core markets to monitor new cybersecurity legislation and/or regulation, and assess the impact on and the compliance of the Bank's security policy architecture
Develop, review and update information security policies and standards to meet compliance and regulatory requirements, and
Where necessary, work with Line of Business Technology units to drive a change program to comply with the regulatory guidelines.
Develop a set of security metrics and visualizations for reporting the cybersecurity risk landscape to senior management and the Board
Where possible, automate the extraction, transformation and loading of raw security events to generate the security metrics and graphs used in reporting
Establish a framework to organize, manage and archive the security data used for the generation of security metrics and visualization
Generate quarterly reports and insights to apprise senior management of the security trends and areas of concern
Security risk and compliance
Responsible for the development of security risk management using continuous self-assessments and executive reporting
Provide leadership and engage with lines of business to perform security assessments and ensure timely execution of projects and programs while mitigating any security risks
Continuously evaluate cybersecurity controls to ensure effectiveness, compliance and adherence to key controls and policies, and drive remediation efforts
Engage Line of Business Technology units to conduct annual cybersecurity risk assessment for key bank systems as required under the prevailing regulations
Engage external auditors to conduct cybersecurity audits of key bank systems as required
Assess security deviations and risk acceptances raised by Business Units/Support Units
Liaise with the auditors and the information security services teams on cybersecurity-related audits.
Information security professional with 8 or more years of experience, with a background in a financial or technology environment.
Experience in implementing a program for the collation, management and reporting of security metrics such as open security vulnerabilities, penetration testing findings, security alerts and incidents, etc.
Experienced in information security frameworks including ISO 27000 and NIST 800-53, and regulations such as the Cybersecurity Act, Technology Risk Management Guidelines and Personal Data Protection Act.
Good working knowledge of enterprise security risk management methods and techniques, in order to successfully deliver security risk management and assessment outcomes.
Strong background on security technology solutions including IDS, IPS, anti-virus, content filtering, secure email solutions, network sniffing, log analysis, forensics and VPN
Hands-on technical experience in the management of security data for the generation of security metrics and visualization
Good verbal and written communication skills for the production of security awareness content
Proactive, analytical and independent worker with strong organizational skills and a performance-oriented approach, with demonstrated effectiveness in tracking and following up on assigned projects
Regional experience is a plus, as is the ability to travel on an as-needed basis
We offer a competitive salary and benefits package and the professional advantages of a dynamic environment that supports your development and recognises your achievements.