Security Manager, Vice President
Primary Job Responsibilities
The role is to support Group Head of Technology Information Security Office in the development, implementation and maintenance of governance framework and technology information security strategies and standards with the purpose of protecting the Group and its customers' information and technical assets. This role is responsible for identifying, evaluating and reporting on key risk metrics, aligning security posture of the organization across its subsidiaries in a manner that supports effective management oversight on security governance and operations at the Group level.
This role also provides advisories to business and IT on application and infrastructure projects in ensuring that systems and information are implemented / protected in accordance with the Group's security standards and overall business strategic objectives and risk appetite.
Key Responsibilities
I. Team: Policy & Communications
The Security Manager oversees and manages the following functions under the "Policy & Communications" team:
- Ensure technology information security standards, guidelines and procedures are up-to-date.
- Obtain feedback and buy-in from stakeholders and approval from risk committees for new and material changes to governance framework and technology information security strategies and standards.
- Drive work streams to align subsidiaries to the Group's security framework and standards.
- Run regular regional meetings to report on departmental key risk metrics, project status and state of alignment to support effective management oversight on security governance and operations at the Group level.
- Provide risk management reports and metrics and any other ad-hoc management reporting as required.
- Manage cyber threat alerts and advisories from regulators and other relevant sources to ensure prompt dissemination and follow-up.
- Raise employee awareness through the publication of monthly security newsletters on emerging threats.
- Provide support to internal, external and regulatory audits on technology information security, and ensure committed action items to audit observations are closed in a timely manner.
II. Team: Application & Infrastructure Review
The Security Manager oversees and manages the following functions under the "Application & Infrastructure Review" team:
- Develop, implement and maintain risk assessment methodologies, processes and procedures.
- Conduct risk assessment on application and infrastructure systems to identify and address risk areas and non-compliance to technology information security standards and regulatory requirement and ensure that security requirements are integrated into the SDLC process.
- Keep abreast of new and emerging technologies, such as cloud computing and tokenization, and articulate their associated risks in a practical and business context.
- Manage vulnerability assessment, penetration testing and secure code reviews to ensure identified vulnerabilities are assessed appropriately. Ensure that the necessary mitigation and remediation measures are in place to address the risks.
- Manage IT outsourcing risks through due diligence reviews on outsourced service providers to ensure that the engagement is in compliance with regulatory requirements and industry guidelines.
- Establish and provide metrics to reflect the team's performance on a regular basis.
Qualifications
Job Requirements:
- Serve as the escalation point for issues faced by the teams.
- Accountable for departmental KPIs on risk, service, people and finance within the area of responsibilities.
- Collaborate with other departments on projects or work streams in the area of IT risk management.
- Prepare and deliver presentations to management as required.
- Initiate and lead process improvement and realignment initiatives to improve the effectiveness and efficiency of existing processes and procedures. Monitor the schedule and scope to ensure they remain on track.
- Strong knowledge in information security principles and IT controls, technology risk management and outsourcing risks.
- Familiarity with regulatory requirements and industry guidelines (MAS TRMG, PCI DSS, ABS, BNM, CBRC, PBOC, HKMA, etc.) is a must.
- Demonstrated ability to motivate staff and inspire effective teamwork.
- Ability to articulate security requirements in the business context and to challenge the evidence provided to substantiate the review.
- Resourceful and able to engage the various stakeholders to drive outcomes and discussions around new initiatives.
- Excellent communication, planning and organization skills.
- Demonstrated experience in business process re-engineering is an advantage.
- BSc/BA degree in related technical and security disciplines.
- At least 10 years of working experience in information security, with at least 5 years in managing a security team.
- Certifications in information security are not required but would be advantageous.