Assistant Vice President / Manager, Information Security & Digital Risk Management

Responsibilities

• Support the implementation of risk management framework for technology, information and cyber risk domains in collaboration with relevant stakeholders including Group counterparts, technology teams, business / support units and other risk management functions. 
• Formulate, review and update risk management framework and supporting policies and guidelines which incorporate applicable Group standards, industry practices, and regulatory requirements.
• Organize the ISDRM-related risk management committee and related working groups as the secretariat and represent ISDRM in various Group and local risk governance meetings and forums whenever required. 
• Assist to prepare and deliver regular risk reports, analysis and metrics (e.g. KRIs) on the Bank’s overall security posture for the Board and senior management.
• Provide advice, support and challenge on technology, information and cyber risk domains associated with new products, major technology / Fintech initiatives, strategic digital transformation projects and third-party arrangements (e.g. cloud computing, APIs).
• Conduct or participate in thematic reviews and compliance assessments over emerging risks (e.g. DDoS attack) and regulatory guidelines (e.g. CRAF’s Maturity Assessment & iCAST).
• Monitor and perform independent review of specific aspects of day-to-day risk management activities conducted by the first line of defense (i.e., technology teams), covering risk assessment & acceptance, incident response, change management and implementation of key controls or remediation actions.
• Work alongside the Group counterparts to plan and take part in the risk awareness, training and testing programs for all staff.
• Support or coordinate internal and external audits, and regulatory examinations or communications with respect to technology, information and cyber risk domains. 

Requirements

• Degree holder in technology, computer science, information security, business or related disciplines
• At least 5 years of relevant experience in information security, cyber / technology risk or technology audit gained from financial services industry (FSI) or professional services serving FSI clients.
• CISM, CISSP, CISA or other recognized certificates under ECF on Cybersecurity for second line of defence required
• Strong risk management mindset. Solid understanding in IT environment, threat landscape and technology/information/cyber controls, including relevant industry standards (e.g. ISO/IEC27001) and regulatory guidelines (e.g. HKMA’s SPM TM-G-1, C-RAF)
• Good communication skills, with the ability to interact with both technical and non-technical stakeholders at various levels and articulate complex risk issues with effective challenge and practical recommendation. 
• Good command of both spoken and written Chinese and English
• Self-motivated and organized. Able to work independently and as a member of a team
• Experience in conducting risk assessments, threat modelling or audits will be an advantage
• Candidates with less experience will be considered for the rank of Manager