- Information Security
- Project Management
- Risk Assessment
- Risk Management
- Stakeholder Management
APAC Group Information Security Officer
Location: APAC-HKG-Hong Kong-Hong Kong
- Report to the Asia Pacific (ASPAC) Regional Information Security Officer (RISO) and work with all Group Information Security Officers (GISO) in ASPAC as well as Global Information Security team to manage Information Security (IS) programs, Shared services and operations.
- Hong Kong is a key regional location for Citi: it includes all of the senior business leadership for regional Trade and Treasury Solutions (TTS) and significant innovations and initiatives in the consumer business domain, as well as an active and progressive regulator (HKMA). Several new regulations, including ICAST (for Penetration Testing) and CRAF – Cyber Risk Assessment, have been pioneered by HKMA in the region.
- The primary responsibility of this role is to serve as engagement manager for Information Security to the Business and Product Leader(s) within ASPAC Regional teams across sectors (Institutional Business, Consumer Business and Corporate Solutions) primarily in Hong Kong and to provide IS advice, business risk advice and risk mitigation approaches by engaging Global and Regional SMEs across various IS domains.
- This role will also serve as a backup to the Hong Kong IS Head and shall be actively involved to understand all aspects of Hong Kong business needs as well as regulatory needs. Along with the Country IS Head, this role will work closely with the country team to ensure a collaborative Information Security Team in HK.
- Strong IS risk focused engagement with the regional Business and Technology Heads in Hong Kong as well as the conduit for all regional support alignment with the teams based in Singapore and other locations.
- Key part of the ASPAC IS Leadership team along with the other Regional GISOs based out of Singapore and Japan.
- Understand business needs and identify opportunities to make sure people, process and solutions for IS can be continuously reviewed for pragmatic changes and improvements.
- Ensure Business initiatives and their related design and approach are reviewed from an IS perspective and support the Business to effectively implement new products and solutions in line with Citi’s Information Security Policies and Standards
- Work with the ASPAC GISOs across sectors to develop easy to use Information Security standards for the relevant business which are mandatory and which can be managed with relevant mitigating controls.
- The personnel must have both the aptitude and knowledge to review the policy and controls with the risk based rationale given the nature of the business and the Products leveraged
- Work closely with the Global IS office and ensure alignment to various IS programs in the region as well as collaborate on new products, associated risks and its management.
- Implement & monitor corporate IS Policies / Programs in the region in collaboration with the global IS functions, with focus on the corporate Fast Track and High Focus IS programs and manage relevant IS metrics in ASPAC as needed.
- For the Hong Kong region, engage in Cyber security related events, exercises and client response/presentations to support the relevant business.
- Understand and implement requirements from other relevant Citigroup policies, legal and regulatory requirements that impact IS and Technology Risk Management
- Develop a strong understanding of the business to be able to engage with the ISOs from the Technical team as well as other domains to be able to interpret technical requirements of the IS Policy and provide appropriate consultation to the businesses on the resolution options.
- Explore and implement solutions to efficiently manage the IS programs and simplify the processes
- Demonstrate a comprehensive understanding of how areas of IS controls collectively integrate in achieving business goals (good financial industry knowledge is expected).
- Ensure coverage and oversight of Business As Usual operational needs, where needed for the various Business sectors and manage IS escalations effectively.
- Monitor IS related Risk Exceptions, Corrective Action Plans and remediation efforts in response to security events, Security assessments and audits.
- Maintain up-to-date knowledge of the status of all IS programs and initiatives in the business.
- Work closely with the Country Business Management and O&T Head to ensure Hong Kong IS needs are well understood as part of the overall regional needs.
- Provide management and leadership support to the ASPAC GISOs and Hong Kong Country BISO.
- Support Country businesses on IS matters during audit reviews and regulatory inspections by Hong Kong regulators
- Report Hong Kong specific Security Incidents to management and provide relevant information to help business assess the impact
- Oversee Electronic Transportable Media conducted by business
- Validate Hong Kong specific third party issues and ensure management’s awareness of the risk involved
- Support MIS reporting and presentations on IS required monthly, weekly, quarterly for various business meetings
- Review and analysis of IS related incidents and identify necessary initiatives/programs to mitigate and/or remediate; work with stakeholders across business, operations and technology teams on prevention of recurrence.
- University Degree is a requirement and CISA / CISM / CISSP certification(s). Background in Technology related roles and domain is a plus
- 10 to 12 years of solid experience in business engagement for Information Security, Risk or Control & Compliance, IT Analysis / Design, Program / Project Management
- Work experience in a Multi National Financial Industry in Hong Kong is a plus
- Strong collaborative and communication skills. Highly dependable team player with ongoing commitment to excellence
- Demonstrated capability to take charge, excellent stakeholder management, ability to influence change and persevere to implement improvements in situations where legacy practices can be hard to replace
- Effective leadership skills with the ability to create empowered teams including knowledge sharing, documentation, timeliness and proactive planning
- Ability to interface with Senior management from the supported Business Units and present / articulate IS related concerns and improvements
- Ability to interface with Regulators and auditors on an as needed basis and present / articulate Citi’s IS position
- Strong aptitude, detail oriented, be accountable and ensure the business trust is established as well as ability to clearly separate the difference between the Technology and Business needs of the Information Security impact due to policy, issue, incident etc
- Should be able to work with virtual teams and leadership across the ASPAC region as well as EMEA and US management and timezones, whenever needed
|Career Level|Lead (more than 10 years)|
|Qualification|Certified Information Security Manager (CISM), Certified Information System Auditor (CISA), Certified Information Systems Security Professional (CISSP)|