US Chief Information Security Officer (CISO) and Global Payments Solutions (GPS)

Brand:  HSBC
Area of Interest:  Technology
Location:  New York, NY, US, 10001

Work style:  Hybrid Worker
Date:  16 Mar 2026

In compliance with applicable laws, HSBC is committed to employing only those who are authorized to work in the US. Applicants must be legally authorized to work in the U.S. as HSBC will not engage in immigration sponsorship for this position.

Our purpose – Opening up a world of opportunity – explains why we exist. Here at HSBC, we use our unique expertise, capabilities, breadth, and perspectives to open up new kinds of opportunity for our more than 40 million customers. We’re bringing together the people, ideas and capital that nurture progress and growth, helping to create a better world – for our customers, our people, our investors, our communities, and the planet we all share.

The US Chief Information Security Officer is responsible for supporting the Regional Information Security Officer (RISO) in providing regional input into, and executing, the Group Information Security and Cybersecurity strategy across the designated Region. The key responsibilities include managing Governance & Reporting, Information Security Risk and Remediation, Secure Business Transformation, compliance with US legal entity regulations, and reporting the cyber risk posture to assigned legal entity boards, senior management and risk management forums.

The role requires the ability to translate highly technical Cybersecurity concepts into consumable language, in order to support/drive continuous assessment and improvement of cybersecurity and information security risk in line with risk appetites and a constantly evolving cyber-threat landscape. The role is expected to support the execution of the global Cybersecurity strategy through a series of run-the-bank programs within the US and through coordination with the central Cybersecurity functions in execution of change-the-bank programs.

This role holder will collaborate with other cybersecurity team members within the region, work in partnership with the central functions of Group Cybersecurity, the virtual team (PODs), technology teams, information security control owners, non-cyber control owners and the regional/ business Chief Controls Office to achieve their goals.

The role is responsible for inputting into the Group's Information Security and Cybersecurity Strategy and improving it while operating/executing it within the respective Region/Country. The role will support the RISO and the Group Cybersecurity team in providing effective services to the allocated Region/Country, and will support the business and its technology function in their run-the-bank and change-the-bank programs, particularly in relation to information security and cybersecurity requirements.

As our US Chief Information Security Officer you will:

Scope of Coverage

  • This position is part of the 1LOD (1st line of defense) and is charged with defining and implementing an industry-leading Cybersecurity Service that stays ahead of the Bank's constantly changing information security threats
  • Manage Information and Cybersecurity risks and controls (including cyber-owned and non-cyber-owned controls), relating to their governance, operation, monitoring and reporting
  • Report into the RISO of the respective region, who in turn reports to the Global Head of Cybersecurity Business Enablement, as well as to the US Chief Information Officer

Governance & Reporting

  • Provide Information Security monitoring and risk reporting for the respective Country, ensuring all Cybersecurity related activities are executed with quality in a timely manner:
    • Support the Chief Operating Officer (COO), Chief Information Officer (CIO) and the Heads of Technology functions in the respective Country in the management of information security risks and the maintenance of an effective and robust information and cybersecurity control environment
    • Leverage global reporting capabilities (augmented to meet specific local requirements) to provide monthly updates to drive Cybersecurity control improvement initiatives
    • Own all Cybersecurity related activities for the respective Country regardless of which organization delivers that security service
    • Work closely with the RISO to ensure all Region/Country requirements are provided to the Group cybersecurity team in order to drive prioritization and scope definition for these capabilities and programs
    • Track and report on business-critical Cybersecurity strategic transformation programs
    • Represent Cybersecurity in relevant management and governance forums
  • Align with existing governance structure and drive improvement for the effective management of information security and cybersecurity controls (both cyber owned and non-cyber owned) for the respective Region/Country
  • Support the RISO to deliver the Global Cybersecurity strategy for respective Region/ Country following the Group Strategy with local requirements supported
  • Support the RISO to build and manage local plans and budgets which identify value and cost reduction opportunities
  • Promote Cybersecurity awareness and clear reporting of Region/ Country initiatives, threat intelligence, etc. to improve the overall perception of Cybersecurity as an enabler for business

Information Security Risk Management & Remediation

  • Understand the Country's critical assets, identify threats/ vulnerabilities and determine corresponding information security risk levels based on globally established control requirements and augmented by local or jurisdictional requirements
  • Work collaboratively with the RISO to drive and support the information security and cybersecurity risk management and remediation activities for the respective Region/Country
  • Align with the Chief Compliance Officer (CCO), 2nd line, Chief Technology Officer (CTO), and local CIO teams to ensure security is built in by design, and work to remediate identified issues in a timely manner
  • Facilitate understanding of cybersecurity risk by senior management in business and technology teams, to ensure informed decision-making while performing business. Ensure risk sits within the defined appetite and that this is cascaded up to the RISO and CIO in a timely manner
  • Work with stakeholders in respective Region/ Country to support the resolution / remediation of all major cybersecurity incidents and in partnership with Global Cybersecurity Operations (GCO) in the respective Region/Country
  • Assess the impact of major incidents on respective Region/ Country; work with the RISO and the Global Cybersecurity service lines on action plans to minimize impact
  • Work with the RISO and peers to meet common Region/Country goals linked to the risk framework, i.e. operational risk simulations, incident exercises, cyber-enabled fraud collaboration, data security reporting, exceptional access and risk reviews of regional business initiatives

Secure Business Transformation

  • Partner with the business to help them achieve their strategic objectives by ensuring that cybersecurity services provided are fit for purpose. Ensure business/ regional/ country strategies and requirements are incorporated within the cyber global investment/ transformation program
  • Enable secure business transformation, including support of business led projects, divestitures, mergers and acquisitions within the respective Region/Country as applicable while ensuring that new capabilities and entities are set up securely and adopted efficiently in the respective Region
  • Ensure adherence to cybersecurity controls and enable/ facilitate access to existing cybersecurity services to support the business strategy
  • Determine and drive the respective requirements to be addressed by the local team members from the global security capabilities/services or central cybersecurity functions
  • Support the RISO to oversee the implementation and gap assessments of global, regional and local initiatives for respective Region/Country

Regulatory Compliance and Industry and Customer Engagement

  • Drive the management and reporting of regulatory compliance requirements for cybersecurity and information security controls in the respective region/country by collaborating with Cybersecurity central functions
  • Build and maintain strong relationships with relevant regional/ country associations, government agencies, forums etc. to represent HSBC's strategic direction with regard to legal and regulatory requirements
  • Ensure adherence to the three lines of defense organizational model with clear lines of responsibility, accountability and segregation of duties
  • Support the RISO in assuring internal audit and external regulators that any organizational changes are fit for purpose and meet their expectations
  • Serve as the cybersecurity point of contact for the region/country's legal entities in regulatory, audit and external security engagements
  • Participate in Cybersecurity forums with industry peers and regional/ country regulators
  • Provide review and attestation, as appropriate and where required (e.g., SWIFT attestation, SEC filings, etc.)

Team & Stakeholder Management

  • Establish strong stakeholder relationships within the assigned Region/Country
  • Entity management of local (within assigned Region/Country) Cybersecurity resources

Local Job Requirements

  • Major Challenges:
    • HSBC operates from over 3,900 offices in 67 countries, supporting 38 million customers with an increasingly digital offering that requires always-on and secure operation of the technology estate. Any lapse in the confidentiality, integrity or availability of these systems impacts our customers’ access to their accounts, incurs operational losses for the firm, damages the HSBC brand, and could lead to censure by external regulators
    • Build strong internal and external relationships. Operate with transparency and consistency in relationships with the key stakeholder groups. Build an effective working relationship with the respective Region's management to ensure that Cybersecurity is given appropriate focus
  • Management of Risk (Operational Risk / FIM requirements):
    • Ensure the fair treatment (service excellence) of our customers is at the heart of everything we do, both personally and as an organization
    • Continually reassess the operational risks associated with the role and inherent in the business
    • Ensure all actions take account of the likelihood of operational risk occurring
  • Observation of Internal Controls (Compliance Policy / FIM requirements):
    • Demonstrate adherence to all relevant internal procedures, keeping appropriate records and, where appropriate, implementing internal and external audit points in a timely manner, including issues raised by external regulators
    • Implement the group compliance policy by containing compliance risk in liaison with the Global Head of Compliance, Global Compliance Officer, Area Compliance Officer or Local Compliance Officer. The term 'compliance' embraces all relevant financial services laws, rules and codes with which the business must comply
    • Adhere to all relevant processes/procedures, liaising with the compliance department about new business initiatives at the earliest opportunity and, where applicable, fostering a compliance culture and optimizing relations with regulators

You'll likely have the following qualifications to succeed in this role:

  • Experience in IT security governance and operational processes, preferably in the Financial Services industry or global corporate service provider
  • Background – previous experience as a Chief Information Security Officer within the US Financial Services Industry (FSI) is required, including ownership of direct engagements with US FSI regulators (OCC, FRB); strong preference for candidates who have previously served in this role at a sizeable ($100bn in assets or larger) firm. Previous experience providing briefings to a Board of Directors is a must

Desirable but NOT essential is experience in one or more of risk management, audit, or ISR:

  • One or more industry-recognized cybersecurity-related certifications required (as per Regional Regulatory Requirements), including ISO 27001, CISA, CISM, CISSP, CRISC
  • Availability to travel (if required) for this role, i.e. travel within country
  • Positive and professional attitude, team player, flexible and adaptable, open to change(s)
  • Confident and takes responsibility and ownership for work and personal development
  • Excellent spoken and written communication and ability to adapt style based on audience (Fluent in spoken / written English)
  • Ability to communicate technical subject matter to non-technical stakeholders
  • Previous experience of delivering an excellent customer service
  • Ability to quickly develop good working relationships with stakeholders, and self-motivation to learn and pick things up quickly

As an HSBC employee, you will have access to tailored professional development opportunities to ensure you have the right skills for today and tomorrow. We offer a competitive pay and benefits package including a robust Wellness Hub, all in a welcoming and inclusive work environment. You will be empowered to drive HSBC’s engagement with the communities we serve through an industry-leading volunteerism policy, a generous matching gift program, and a comprehensive program of immersive Sustainability and Climate Change Initiatives. You’ll want to join our Employee Resource Groups as they play a central part in life at HSBC, including the development of our employees and networking inside and outside of HSBC. We value difference. We succeed together. We take responsibility. We get it done. And we want you to help us build the bank of the future!

Your final fixed pay offer will depend on the candidate and several variables, including but not limited to, role responsibilities, skill set, depth of experience and education, licensing/certification requirements, internal relativity, and specific work location. 

All qualified applicants will receive consideration for employment without regard to age, ancestry, color, race, national origin, ethnicity, disability or medical condition, genetic information, military or veteran service, religion, creed, sex, gender, pregnancy, childbirth, caregiver status, marital status, citizenship or immigration status, sexual orientation, gender identity or expression or any other trait protected by applicable law.


Nearest Major Market: Manhattan
Nearest Secondary Market: New York City