Chief Information Security Officer

HSBC

Location:
Taiwan, Taipei

Category:
IT - Administration

Contract Type:
Employment contract

Salary:

Not provided

Job Description:

Responsible for driving the execution of the Global & Regional Information Security and Cybersecurity strategy within the market, managing governance, reporting, secure business transformation, compliance to local regulations, and contributing to enterprise cyber security management programs.

Job Responsibility:

  • Be responsible for formulating and overseeing the Bank’s overall information security policies and protection strategies, leading the cyber security department in daily operations and information security risk management, along with managing, supervising, and identifying issues related to the Bank’s information security incidents
  • Support the ASP Regional Cybersecurity team to implement locally those regional programs that provide a strategic core for the market, and which may also be leveraged by other ASP regions
  • Collaborate with Global, Regional and market stakeholders, including Technology and peer managers, to implement the Cyber team's goals around entity policy, expense policy and regulatory requirements
  • Lead and support peers in developing, implementing, and monitoring a strategic, comprehensive enterprise cyber security management program
  • Assist the ASP Region with overall business technology planning by providing current knowledge and a future vision of cyber technology and systems and contribute to the ASP Region's Cybersecurity strategy of securing the bank's technology from the inside out, while maintaining, protecting and enhancing HSBC's values, reputation and stakeholder value
  • Provide/organize Cybersecurity related training sessions to improve the awareness level of staff members, setting performance targets of direct reports and contributing to employees' professional development
  • Assist business stakeholders and second line of defense (2LOD) in the market to raise awareness of risk management concerns and educate market management about local specific cybersecurity risk level and actions required to mitigate/control existing risks
  • Supporting the market business for local specific initiatives related to cybersecurity delivery, consultancy and country augmentation, as required
  • Carefully consider the security requirements of the market organization and market business requirements in order to address security risks while satisfying the organization’s business goals
  • Keeping abreast of developing security threats and helping the market Board understand the Bank's security posture and awareness of the threat landscape and events impacting the industry
  • Brief market senior management about ongoing Cybersecurity improvement projects' benefits, status and challenges which require their attention and/or involvement to make them a success
  • Providing guidance and ensuring market regulatory requirements related to Cybersecurity are addressed in a timely fashion, including the implementation of relevant controls and the development/amendment of policies/standards to comply with the requirements
  • Provide assistance in market Governance related matters, ensuring consistency with Global key messaging and exercising formal governance through appropriate governance forums
  • Be responsible for co-signing the internal control statement with CEO, Chairman, Head of Audit, and Compliance Head and ensure the implementation of internal controls in line with the three lines of defense model

Requirements:

  • Minimum Bachelor’s Degree with some years’ experience in IT security governance and operational processes, preferably in the Financial Services industry or global corporate service provider
  • Understanding of Financial services cybersecurity related regulations and experience facing and engaging with regulators
  • Desirable but not essential: (background) experience in one or more of risk management, Audit, ISR; (qualifications) one or more industry-recognized cybersecurity-related certifications including ISO 27001, CISA, CISM, CISSP, CRISC, etc.
  • Availability to travel (if required) for this role, i.e. travel within the market as well as occasional international travel
  • Positive and professional attitude, team player, flexible and adaptable, open to change(s)
  • Confident and takes responsibility and ownership for work and personal development
  • Good spoken and written communication and ability to adapt style based on audience (Fluent in spoken / written English and Chinese), along with ability to communicate technical subject matter to non-technical stakeholders and to engage with local and regional senior stakeholders
  • GPAD (Group Personal Account Dealing) Covered
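  • To be fulfilled after onboarding: must receive at least fifteen hours of professional information security coursework or functional training each year (personnel of the dedicated information security unit)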

Nice to have:

Experience in one or more of risk management, Audit, ISR; (qualifications) one or more industry-recognized cybersecurity-related certifications including ISO 27001, CISA, CISM, CISSP, CRISC

What we offer:

None explicitly mentioned

Additional Information:

Job Posted:
September 03, 2025

Expiration:
November 28, 2025

Employment Type:
Fulltime
Work Type:
Hybrid work