Head of Information Security

Direct message the job poster from Boost

The Head of Information Security is responsible for ensuring the security of the Company's information systems and data, and for managing the Company's overall information security strategy.

• Formulate and facilitate the implementation of Technology Risk Management Framework (TRMF) and Cyber Resilience Framework (CRF) which are to be aligned to Enterprise Risk Management Framework.
• Drive the execution of BHSB's cyber security and information security strategy via an appropriate management forum to achieve cyber security vision and target security capabilities.
• Drive group wide cybersecurity maturity program based on NIST Cybersecurity Framework.
• Work closely with all relevant business divisions, IT and other support functions to put in place appropriate policies & procedures in place to support & complement TRMF and CRF.
• Assess adequacy of IT security & cybersecurity strategy including the employment of effective tools to monitor and enable timely detection of anomalous activities.
• Responsible for developing and implementing IT Security Assessment (Application, infrastructure, network architecture) and risk management frameworks, policies and including site reviews of branch offices, data centres and vendors.
• Assess whether enterprise information security architecture and roadmaps are able to support both business and information security objectives and monitor/report on the status of implementation.
• Develop appropriate technology risk appetite (tolerance levels) and suitable Key Risk Indicators (KRIs) to effectively monitor technology & cyber risks.
• Review & monitor results of penetration testing/vulnerability assessments/IT audits and monitor/report on status of corrective actions taken.
• Work closely with System, Network and Application teams for closure of non-compliance issues, which could be identified through periodic IT Security-related reviews / audits and controls.
• Liaise with Internal Audit team on cybersecurity audit, regulatory assessment including updating Board on cybersecurity audit result.
• Advise and validate the operational IT Security requirements for any technology projects including cloud technology, AI/ML adoption.
• Assess the reasonableness/practicality of expenditures and capital investments pertaining to the implementation of new technologies.
• Develop and/or review adequacy of Cyber Incident Response Plan (CIRP), processes, reporting templates and rules to formalise response to incidents involving cyberattacks or disaster.
• Coordinate with relevant stakeholders on forensic investigations, cybercrimes, and/or cyberattacks and incident response.
• Coordinate threat management and recovery against cyber threats (e.g., malware, phishing, hacking)
• Ensure timely reporting IT Security related incidents (cyberattacks, etc.) to senior management, Axiata Group Information Security, the Board and regulators and participate and contribute from a risk assessment perspective as and when required.
• Establish and enforce directive controls, validate internal detective and preventive security controls.
• Work together with relevant stakeholders to assess cyber, and technology risk.
• Lead and manage team members including setting KPIs and professional and personal development, providing mentoring and coaching, and uplifting of skills and capabilities.

Job Requirements:

• Degree in Information Technology (IT), Computer Science or other related discipline with relevant experience in managing cyber risk in financial market infrastructures, critical national infrastructure, military, security intelligence or equivalent.
• 8+ years of full-time work experience in information security management and/or related functions (such as IT audit and IT Risk Management)
• Professional certification such as CISM, CISA, CSXP, CISSP, CREST, GPEN or equivalent is highly desirable.
• Good understanding of the regulatory frameworks and compliance requirements associated with financial services and thorough understanding of end-to-end IT operations and how IT interfaces with business, risk management and compliance processes and IT Security.
• Understanding of international, regional, and local regulatory requirements and guidelines and standards for cyber security, data protection, and privacy specifically for the financial industry.
• Experience and familiarity in implementing leading practices, standards, frameworks, and guidelines for managing cyber security risks and incident management.
• Experience and understanding in cyber threat intelligence, incident management and response, attack simulation and red team exercises.
• Experience related to information and cyber security strategy planning, security architecture design and review. Including Cloud technology.
• Experience and understanding of security operations, security management, IT and network infrastructure, IT operations, technology and solution architecture, and overall IT operations and IT service management.
• Familiarity and experience with security technology and solution design and implementation, especially in the areas of security monitoring and detection such as SIEM, SOAR, and overall security operations centre's operations and management.
• Must possess excellent interpersonal skills and able to communicate and manage relationship at all levels including senior management, business users, participants, vendors and team members.
• Ability to communicate security risks in business terms to all levels of the organization.
• Knowledge of security metrics and Key Security Risk indicators.

Director

Full-time

Information Technology