Vice President- Group Risk Management (Cyber Inspection)
The Hong Kong Stock Exchange (HKEX) is hiring for two offensive security positions in a new function. These positions are based in Hong Kong and will form a new team to develop our in-house red team capability.
We are looking for candidates with hands-on technical offensive experience who are able to plan and execute red team assessments and communicate the results and remediation effectively. Job Responsibilities:
- Monitor and analyse emerging cyber risks to the HKEX Group, having regard to cyber intelligence and the threat landscape relevant to Group entities. Escalate major cyber risks to senior management and relevant stakeholders in a timely manner, and coordinate measures to address them.
- Lead, plan and execute periodic in-house and external red-team exercises of the HKEX Group, and oversee the implementation of rectification measures.
- Organise and conduct regular cyber fire drills to maintain the readiness of relevant stakeholders in handling cyber incidents, exercise oversight of cyber incident management, and formulate an appropriate cyber insurance strategy.
- Formulate and deliver an effective independent cyber security review strategy, covering specialist reviews and tests on cyber security controls.
- Conduct specialist investigation into significant cyber incidents or control lapses.
- Establish and enhance in-house cyber forensic capability and practices.
- Drive and conduct proper ongoing cyber awareness training and phishing test programme.
- Provide specialist support to the formulation of an effective strategy, framework and structure for managing cyber risk across the HKEX Group, and to its implementation through collaboration with relevant stakeholders.
- Provide specialist support to the delivery of effective governance on cyber risk, covering the risk appetite, risk metrics, risk monitoring and governance reporting.
- Provide specialist support to the definition of policies and guidelines which incorporate all applicable legislative and regulatory requirements, industry standards and best practices, while ensuring that the policies and guidelines are effective and practicable.
- Propose, drive and coordinate other cyber initiatives in support of 2nd Line responsibilities whenever there is a need.
- Foster and maintain effective relationships and collaboration with regulators, law enforcement, exchange peers and industry partners.
Job Requirements:
- A self-motivated, reliable, consensus-building and persuasive individual with highly effective communication skills for delivering cyber risk messages in English to a broad range of technical and non-technical audiences, including business users and up to the board and executive committee levels. Proficiency in Chinese and Putonghua would be an advantage.
- University degree in information security, computer science, or a related field of study.
- At least 10 years of relevant experience in cyber risk management, preferably in the financial services sector or in professional services for clients in the financial services industry.
- Solid experience in monitoring and analysing cyber risk and intelligence; planning and delivering red-team exercises, including those required by regulators (e.g. the Bank of England, the HKMA); organising cyber drills and overseeing cyber incident management; conducting cyber security reviews and tests; cyber forensic practices; and cyber awareness training and phishing tests.
- Demonstrated good knowledge of IT environments and cyber-related controls from both a tactical and a strategic viewpoint.
- Proven track record in initiating and implementing significant changes or projects involving different stakeholders and aligning their interests.
- At least one relevant certification/accreditation is required, such as CREST CRT, OSCP, OSCE, GIAC (GXPN, GWAPT, GPEN, GMOB, GNFA, GCFA, GCFE), HKIB CCASP or EnCE.
- General knowledge of exchange business and regulatory practices is highly regarded.
Applicants who do not hear from us within 6 weeks may consider their applications unsuccessful. Personal data provided will only be used for the purpose of employment application to HKEX.