Senior Technology Risk Manager /Technology Risk Manager (Cyber Security Control Division)

Roles and Responsibilities & Specific Requirements (Cyber Security):

• Formulate and manage cyber security policies, standards and procedures.
• Assist in planning of technology related risk management strategies, processes and work plans.
• Participate in Cyber Security projects for the design, development and implementation.
• Plan and conduct cyber security assessment and IT risk evaluation in area covering IT general controls, information asset management, access controls, cloud/server/endpoint/ network/ middleware security review. Support the implementation of security initiatives to ensure the compliance with corporate information security policies and compliance standards.
• Participate in organizing/conducting penetration test, red/blue/purple teaming exercises, vulnerability assessment, validation controls for local/overseas entities.
• Provide Cyber Security incident response operation and support, work with local & regional SOC team to seek for continuous improvement for daily Cyber Security monitoring, incident analysis & investigation, incident response operation and support.
• Experience in arrangement and co-ordination of cross-countries cyber incident response drills.
• Experience in Security operations, managing SOC, Offensive security, Container security, CSPM, Threat Hunting, OSINT, Dark Web monitoring, Malware analysis, SecOps , Digital forensics , Attack surface management, managing Cloud/ISP/On-premises Anti-DDoS solution, AI/LLM security, Threat modeling, Supply chain cybersecurity and Vulnerability management.
• Serve as a subject matter expert to support business units and cross-functional teams in identifying and addressing cybersecurity risks. Engage with various business units and teams to discuss risk issues and control gaps, and propose effective remediation strategies.
• Research and evaluate on latest security threats and Cyber Threat Intelligence, stay informed about latest developments in cyber security field.
• Familiar with technologies on Firewall, IDS, IPS, WAF, DNS Security, Email Security, SIEM, SOAR, DLP, UEBA, BAS, XDR, Deception, Generative AI/Machine Learning, Application of AI/ML/LLM/MCP/RAG libraries in Python , Zero Trust, Micro-segmentation, Unified endpoint management, SASE/SSE Solution, Database security, and Network/Cloud security are preferable.
• Willing to travel to different oversea region occasionally to conduct regional cyber security assessment, provide cyber security incident and response support as well as to participate different training / red team exercises (eg. Asia Pacific area, Shenzhen and Shanghai).

General Job Requirements:

• Degree holder in Computer Science or other degree majoring in Information Systems, or related discipline.
• At least 2 years of experience in IT security, technology risk management, compliance or IT audit function, gained from other sizable financial institutions
• Holding at least one recognized professional qualification under HKMA enhanced competency framework such as CISA, CISSP, CISM. Industry-recognized cyber security certifications ,such as OSCP/OSCE/OSWE/OSEE/GXPN/GPEN/GCPN/GCIH/GSOC/ GCFA/OSDA/CCIE/CCNP, is preferable
• Familiar with HKMA TM-E-1, TM-C-1, TM-G-1, C-RAF, PCI-DSS, ISO 27001, PDPO, NIST, MITRE ATT&CK, OWASP, Protection of Critical Infrastructures (Computer Systems) Bill or other security risk management framework or regulatory requirements is an advantage
• Independent, strong self-initiative and with passion in cyber security professional.
• Good command of written and spoken English with Mandarin is preferable and
• Good communication and interpersonal skills.
• Candidate with less experience or qualification will also be considered as Assistant Technology Risk Manager