Chief Information Security Officer

Job Summary

Our GCIO organisation plays a critical role for the bank. This team partners with the businesses to build the platforms, systems, and products that our customers use everyday. We keep people’s money and data safe and are at the forefront of driving innovationfor our businesses, customers, and colleagues. Within GCIO, our cybersecurity team designs, implements, and operates controls to manage risk. This team provides local inputs to define our group cyber security standards, oversee the security of our network,applications, and infrastructure, provide round-the-clock monitoring and security incidentresponse services.

People responsibility: Y

Report to: Chief Information Officer (CIO)

Role Purpose -Responsible to drive the execution of the Global & Regional Information Security and Cybersecurity strategy within the market, providing a two ways communication to ensuremarket level regulatory requirements are considered and fulfilled. -Key responsibilities include, managing governance and reporting, information security andremediation, secure business transformation, compliance to local regulations and reportingthe cyber risk posture to the regional / local boards, senior management, and risk management forums.

In this role, you will: Job contents -Be responsible for formulating and overseeing the Bank’s overall information security policies and protection strategies, leading the cyber security department in daily operations and information security risk management, along with managing, supervising,and identifying issues related to the Bank’s information security incidents. -Support the ASP Regional Cybersecurity team to implement locally those regional programs that provide a strategic core for the market, and which may also be leveraged by other ASP regions. -Collaborate with Global, Regional and market stakeholders, including Technology and peermanagers, to implement the Cyber team's goals around entity policy, expense policy andregulatory requirements. -Lead and support peers in developing, implementing, and monitoring a strategic, comprehensive enterprise cyber security management program.

-Assist the ASP Region with overall business technology planning by providing current knowledge and a future vision of cyber technology and systems and contribute to the ASPRegion's Cybersecurity strategy of securing the bank's technology from the inside out, while maintaining, protecting and enhancing HSBC's values, reputation and stakeholder value. -Provide/organize Cybersecurity related training sessions to improve the awareness levelof staff members, setting performance targets of direct reports and contributing to employees' professional development.

-Assist business stakeholders and second line of defense (2LOD) in the market to raise awareness of risk management concerns and educate market management about local specific cybersecurity risk level and actions required to mitigate/control existing risks. Supporting the market business for local specific initiatives related to cybersecurity delivery, consultancy and country augmentation, as required.

-Carefully consider the security requirements of the market organization and market business requirements in order to address security risks while satisfying the organization’sbusiness goals. Keeping abreast of developing security threats and helping the market Board understand the Bank's security posture and awareness of the threat landscape andevents impacting the industry.

-Brief market senior management about ongoing Cybersecurity improvement projects' benefits, status and challenges which require their attention and/or involvement to make itsuccess. Providing guidance and ensuring market regulatory requirements related to Cybersecurity are addressed in a timely fashion, including the implementation of relevantcontrols and the development/amendment of policies/standards to comply with the requirements.

-Provide assistance in market Governance related matters, ensuring consistency with Global key messaging and exercising formal governance through appropriate governanceforums.

-Be responsible for co-signing the internal control statement with CEO, Chairman, Head ofAudit, and Compliance Head and ensure the implementation of internal controls in line with the three lines of defense model.

Experience / Skills

-Minimum Bachelor’s Degree with some years’ experience in IT security governance and operational processes, preferably in the Financial Services industry or global corporate service provider.

-Understanding of Financial services cybersecurity related regulations and experience facing and engaging with regulators. -Desirable but not essential (background): experience in one or more of risk management,Audit, ISR (qualifications) one or more industry

-recognized cybersecurity-related certifications including ISO270001, CISA, CISM, CISSP, CRISC..etc -Availability to travel (if required) for this role, i.e. travel within the market as well as occasional international travel

-Positive and professional attitude, team player, flexible and adaptable, open to change(s);confident and takes responsibility and ownership for work and personal development

-Good spoken and written communication and ability to adapt style based on audience (Fluent in spoken / written English and Chinese), along with ability to communicate technical subject matter to non

-technical stakeholders and to engage with local and regional senior stakeholders. -GPAD (Group Personal Account Dealing) Covered

 -To be fulfilled after onboarding: 每年⾄少應接受⼗五⼩時以上資訊安全專業課程訓練或職能訓練 (資訊安全專責單位⼈員)

※ Applicants passing resume screening will be notified for interview and next steps. There will be no further notification or message for applicants either not qualifying for or not being selected for the position applied.