Technology Risk Manager, Risk & Security Management

Job details

Location:
Job Type: Permanent
Discipline:
Reference: IT/YT/TRMRSM/160618C
Posted: almost 6 years ago
Consultant: Yvonne Tang
Consultant Email: email Yvonne
Consultant Phone:

Job description

Responsibilities:

The candidate will be a member of the Technology & Cyber Risk team, which provides cyber risk and security advisory functions to the organization:

  • Provide consultative information security governance, risk, and compliance advisory services for IT/OT systems and services, balancing appropriate security, business goals, and enterprise priorities to achieve collaborative outcomes to challenging business problems/objectives in a secure way

  • Work with IT/OT and business partners to ensure collaborative security control design and implementation in accordance with the security framework

  • Investigate complex, and sometimes historic, practices/solutions with a high degree of independence to determine gaps, identify improvements and facilitate migration to a preferred state

  • Assess risk of issues/findings, assign ownership and obtain agreement from finding owner on a remediation plan

  • Develop and maintain comprehensive documentation of engagements performed and risks identified

  • Drive documentation and management of IT/information security issues and exceptions

  • Develop and deliver presentations tailored to different audiences to communicate the need for good information security practices embedded within IT/OT and business functions

  • Maintain and present executive level dashboards for management reporting

  • Review and keep up-to-date IT Policies and Standards, including introduction of new policies as required.

 

Pre-requisites:

  • Degree or Diploma in Computer-related disciplines

  • Information Security or IT Controls Certification such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) would be an added advantage

  • At least 3 years’ experience that covers the below functions:

    • Experience in Technology Risk assessment and/or security advisory with thorough understanding of IT security best practices and the ability to effectively apply those practices

    • Experience with applying various governance frameworks and standards, including ISO 27001/2, PDPA, PCI-DSS and NIST

    • Possess knowledge across various information security technologies/areas in a large enterprise including firewalls, intrusion detection, encryption, Linux O/S, Windows O/S, databases, antivirus, patch management, vulnerability scanning, backup, logging and monitoring, remote access, application development, network security, application security, and change management

    • Conversant and well-versed in recommending efficient IT security controls throughout the SDLC. Understanding of security controls within an Agile development framework would be an added advantage

    • Proven record of balancing business need/benefit versus security risk. Direct experience owning a customer or business relationship on behalf of an organization is a major plus

 

EA License no: 16S8066 | Registration no: R1110355

Only successful candidates will be notified.

 

This job has expired!