Technology Risk Management - Group Risk Management, AVP (Cyber Risk Assurance - Red Team)
- Plan and execute periodic in-house and external red-team exercises of the HKEX Group, and oversee the implementation of rectification measures.
- Evaluate existing cyber defenses against MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework.
- Perform pre-launch penetration testing of exchange-related systems, products and applications upon request.
- Monitor and analyse emerging cyber risks of the HKEX Group, having regard to cyber intelligence and threat landscape related to relevant Group entities.
- Escalate major cyber risks to senior management and relevant stakeholders in a timely manner, and coordinate measures for addressing the risk.
- Conduct specialist investigation into significant cyber incidents or control lapses.
- Conduct regular cyber fire drills to enhance the ongoing readiness of relevant stakeholders in handling cyber incidents, exercise oversight of cyber incident management, and formulate an appropriate cyber insurance strategy.
- Deliver an effective independent cyber security review strategy, covering specialist reviews and tests on cyber security controls.
- Provide specialist support to ongoing cyber awareness training and phishing tests.
- Provide specialist support to the formulation of effective strategy, framework and structure for managing cyber risk of the HKEX Group and the implementation through collaboration with relevant stakeholders.
- Provide specialist support to the delivery of effective governance on cyber risk, covering the risk appetite, risk metrics, risk monitoring and governance reporting.
- Provide specialist support to the definition of policies and guidelines which incorporate all applicable legislative and regulatory requirements, industry standards and best practices, while ensuring that the policies and guidelines are effective and practicable.
- Propose, drive and coordinate other cyber initiatives that facilitate second-line (2nd Line) responsibilities whenever there is a need.
- Foster and maintain effective relationships and collaboration with regulators, law enforcement, exchange peers and industry partners.
Experience, Skills and Qualifications:
- A self-motivated, reliable, consensus-building, persuasive individual with highly effective communication skills for delivering cyber risk messages in English to a broad range of technical and non-technical audiences, including business users. Proficiency in Chinese and Putonghua would be an advantage.
- University degree in information security, computer science, or related fields of study
- At least 6-8 years of relevant experience in cyber risk management, preferably in financial services sector or professional services for clients in financial services industry
- Solid experience in monitoring and analyzing cyber risk and intelligence, planning and delivering red-team exercises (e.g. Bank of England CBEST, CREST STAR, HKMA iCAST), organizing cyber drills and overseeing cyber incident management, conducting cyber security reviews and tests, cyber forensic practices, cyber awareness training and phishing tests
- Hands-on security operations, threat intelligence, incident response, malware reverse engineering and other related experience would be beneficial.
- Demonstrated good knowledge of IT environments and cyber-related controls, from both a tactical and a strategic viewpoint.
- Proven track record in initiating and implementing significant changes or projects involving different stakeholders and aligning their interests.
- At least one relevant certification/accreditation is required, such as CREST (CCSAS/CCSAM/CCT), OSCE3 (OSWE/OSED/OSEP), OSCP or GIAC (GXPN/GCPN/GWAPT/GPEN).
- General knowledge of exchange business and regulatory practices is highly regarded
Applicants who do not hear from us within 6 weeks may consider their applications unsuccessful. Personal data provided will only be used for the purpose of employment application to HKEX.