General Description:
The Asia Chief Information Security Officer is a senior leadership role responsible for working closely with the Global Chief Information Security Officer & Asia Chief Information Officer to define, implement, and oversee the enterprise-wide cybersecurity strategy in Asia. This role bridges the gap between security operations and business objectives, ensuring that security controls are effectively integrated into the organization’s processes while enabling innovation and growth. The Asia CISO will drive strategic security initiatives, enhance risk management, and foster a security-first culture across all business units and geographies in the Asia segment.
Position Responsibilities:
- Strategy and Collaboration:
  - Collaborate with the Global CISO & Asia CIO to localize the organization’s cybersecurity strategy, ensuring alignment with business objectives.
  - Provide executive leadership in the design and implementation of security frameworks, policies, and controls.
  - Advocate for cybersecurity initiatives at the executive level, translating technical risks into business-relevant discussions.
  - Establish and lead governance structures to ensure compliance with local regulatory, legal, and industry-specific security requirements.
  - Define and implement security strategies in collaboration with local IT teams and global cybersecurity partners to enhance the security and reliability of technical capabilities. Evaluate enterprise-wide security and protection tools for fit-for-purpose, support, and compliance with local market regulation and needs across all the Asia markets.
- Security Maturity and Risk Management: Continuously improve the overall security posture of the organization, monitor risk levels, and ensure compliance with regulatory requirements and applicable internal standards. Establish and enforce Information Security Policies, Standards, and Guidelines across all markets within the Asia segment.
- Application Security: Work with Asia Delivery and DevSecOps to strengthen application security, implement controls in alignment with the risk management framework, and regularly assess their effectiveness. Drive deployment across the markets, including annual penetration testing, dynamic application security testing (DAST), static application security testing (SAST), Snyk scanning, secrets management, and Web Application Firewall (WAF) processes for Asia.
- Risk Assessment and Monitoring: Align with Business Unit and Functional Technology Delivery Teams to drive risk demand, perform risk assessments, monitor control performance, and manage corrective action plans and exceptions to address operational defects. Manage planning sessions with risk stakeholders to prioritize demand against fixed capacities at the segment and business unit levels.
- Business Engagement & Risk Management:
  - Partner with senior business leaders to integrate security into corporate strategy, ensuring security is a business enabler rather than a barrier.
  - Drive security risk management programs, working with risk, compliance, and legal teams to manage enterprise risk exposure.
  - Oversee security assessments for new business initiatives, mergers & acquisitions, and third-party engagements/services.
- Reporting and Compliance: Produce and deliver annual CISO reports to the Board of Directors and ensure annual regulatory compliance certifications are completed. Maintain strong knowledge of local market regulatory reporting obligations and of compliance with applicable cybersecurity frameworks.
- Policy and Standards Review: Review and provide input on all policies and standards, facilitate impact analyses, and lead programs to align with new requirements as required.
- Project Delivery: Deliver risk requirements for all projects resourced from segment and shared service teams, using a standard methodology and ensuring a smooth handover to operations upon completion.
- Cyber Operations: Work with the Global CISO, central cybersecurity functions, and regional and market stakeholders on threat detection and monitoring, and on incident management, including response, investigation, mitigation, and prevention.
- Collaboration and Communication: Collaborate with global and regional IT teams to integrate security into all aspects of IT Application Delivery and operations. Communicate effectively with stakeholders, including executives, employees, and external partners, regarding all security initiatives and issues. Represent and advocate for the Asia segment in all global security committees and forums.
- Audit and Inquiry Management: Address audits and inquiries using a system of record for risk and controls management and drive continuous improvement for governance and controls practices.
- Training and Development: Provide regular training to the technology community, covering topics such as lessons learned from the annual penetration test, emerging risks, new standard requirements, security best practices, and periodic refreshers.
- Team Leadership: Oversee the Asia teams responsible for application security, risk assessments, vulnerability management, audits, controls testing, regulatory compliance, and other cybersecurity functions. Build and lead a high-performing information security team in the Asia segment.
Required Qualifications:
- Experience: 10+ years in security, risk, compliance, and technology leadership, with proven experience in developing and executing both strategic and tactical plans.
- Proven track record of developing and executing security strategies that align with business objectives.
- Experience in risk management, governance, and security operations within global organizations.
- Strong analytical, problem-solving, and decision-making skills.
- Industry Leadership: Recognized as an industry leader with broad technical skills across all aspects of information security and risk management. Prior experience working within Asia markets would be an important advantage.
- Technical Expertise: Deep experience in cybersecurity, cloud security, software engineering practices, and vulnerability management.
- Qualifications: Bachelor’s degree in Computer Science, Information Technology, or a related field; a master’s degree or MBA is preferred. Industry certifications such as CISSP, CISM, CISA, or equivalent would be an advantage.
- Best Practices: Strong knowledge of industry information security frameworks, standards, and best practices would be important.
- People Management: Proven experience in leading a team of 5-10 senior-level professionals. Proven ability to lead and manage cross-functional teams in a multicultural environment. Excellent communication and interpersonal skills.
- Program Establishment: Demonstrated success in establishing and delivering programs to raise cybersecurity maturity while aligning with an agile delivery methodology.
- Team Building: Proven ability to build and lead a risk management and security team capable of delivering with high impact.
Working Conditions:
- This position will be based in either Hong Kong or Singapore and is considered to be a Hybrid role and the normal Working Better Guidelines will apply.
- This role requires occasional travel to various locations within the Asia region and outside of it.
- In the normal course of the role, the CISO may be required to work outside of normal business hours to address security incidents or attend meetings in other time zones.
About Manulife and John Hancock
Manulife Financial Corporation is a leading international financial services group that helps people make their decisions easier and their lives better. Our global headquarters are in Toronto, Canada; we operate as Manulife across Asia, Canada and Europe, and primarily as John Hancock in the United States. We provide financial advice, insurance, and wealth and asset management solutions for individuals, groups and institutions. At the end of 2022, we had more than 40,000 employees, over 116,000 agents, and thousands of distribution partners, serving more than 34 million customers. At the end of 2022, we had CAD 1.3 trillion (USD 1.0 trillion) in assets under management and administration, including total invested assets of CAD 0.4 trillion (USD 0.3 trillion) and segregated funds net assets of CAD 0.3 trillion (USD 0.3 trillion). We trade as "MFC" on the Toronto, New York and Philippine stock exchanges, and under "945" in Hong Kong.
Manulife is an Equal Opportunity Employer
At Manulife/John Hancock, we embrace diversity. We strive to attract, develop and retain a workforce that is as diverse as the customers we serve, and to foster an inclusive work environment that respects individual differences while drawing on the strength of its cultures. We are committed to fair recruitment, retention, advancement and compensation, and we administer all of our practices and programs without discrimination on the basis of race, ancestry, place of origin, colour, ethnic origin, citizenship, religion or religious beliefs, creed, sex (including pregnancy and pregnancy-related conditions), sexual orientation, genetic characteristics, veteran status, gender identity, gender expression, age, marital status, family status, disability, or any other ground protected by applicable law.
It is our priority to remove barriers and provide equal access to employment. A Human Resources representative will work with applicants who request a reasonable accommodation during the application process. All information shared during the accommodation request process will be stored and used in a manner consistent with applicable laws and Manulife policies. To request an accommodation in the application process, contact [via CTgoodjobs Apply Now]