Application Security Officer

Role Summary

The Wealth Management Security Officer will participate of the lifecycle of the Applications and Projects within Wealth Management in order to ensure the adequacy of the security using a risk-based approach.

Participate to IT project security reviews conducted both on a global and local basis across all platforms. This requires the incumbent to foster close working relationships with other business areas and IT Development/Production teams.

The incumbent will work hand in hand with the IT Dev, Prod teams and the business, as an enabler and a facilitator, in an Agile mindset.

Main Responsibilities

Manage the risks of the Cloud related projects

• Assist of the WM Risk Assessment process in collaboration with the different stakeholders (Métier, Business, Security Team, Architects, Data office, Vendor management, Legal, Compliance etc.)
• Bring subject matter expertise on Cloud Technologies, especially on Data protection linked to the Group Standards and the different Regulator.
• Ensure the conformity of the security deliverables as part of the Security into projects.
• Identify application-level vulnerabilities, exceptions, non-conformity and assess their related risks.
• Assess IT Risks, identify remediation plan, follow up and track their deployment.
• Assist and coordinate on the Cloud related committee (preparation/presentation of the deck, reporting and follow up on actions).
• Maintain the process documentation linked to Cloud.

IT Risk, Continuity & CyberSecurity Lead on Strategic WMIS Program

• Assist on the Group CyberSecurity Program deployment.
• Lead the Wealth Management IT Transformation program from IT Risk, Continuity & Cyber perspective by participating and preparing the different Steerco, follow-up on the progress of the security reviews of the migration project, track the list of open points and their remediation plan.
• Act as a subject matter expert on different security topics linked to the transformation project.

IT Security architecture

• With a thorough understanding of the organization's technology and IT systems, planning, researching, and designing security architectures.
• Reviewing, and approving the security requirements for applications and IT setup.
• Ensure the compliance level of the applications with the Security architecture standards including Third-party and cloud security risks.
• Ensure the protection of WM business data with an adequate security level of WM assets based on review processes.
• Identify the IT security risks in advance, record, and follow-up on them.
• Ensure the regular reporting to the management.

Transversal Security Projects

• Participate and follow-up on different transversal initiatives to improve the security standpoint of WM.
• Ensure the progress and the follow-up of the different initiatives and report it to the management.
• Identify, record and report on IT Risks identified throughout the different initiatives.

IT security compliance

• Ensure the alignment with the Group and WM GAIM security policies, for both project and production assets.
• Ensure the compliance with regulatory bodies requirements, including for APAC (HKMA, MAS), EU (GDPR), Switzerland (FINMA).
• Leveraging on a deep knowledge of Security standards such as NIST, CIS, ISO2700x , ensure the compliance with the IT security requirements.
• Ensure the compliance with the Third-party Technology risks and the Cloud security.

IT Data Management and Data analytics/science technologies

• Keep up with the knowledge of Data security and protection regulatory landscape and related measures.
• Understand the Data analytics and data sciences technologies (data standard practices including products / cloud related solutions.
• Ensure the solutions of Data Management, Data analytics and data science solutions are implemented with the Group security architecture requirements (e.g. Tableau, PowerBI, AI and other Data analytics solutions). This would also include the development framework and environments highly used in DA landscape (R, Python, DevSecOps and API management).
• Identify the IT security risks in advance, record and follow-up them.
• Ensure the regular reporting to the management.

Coordination with IT Security actors

• Alignment on the objectives and means, contribution to the different global reporting (WM Cybersecurity Committee, WM Project Architecture and Security validation committees, Application Security Dashboard…).
• Coordination with the Global security teams concerning integration of WM assets within production sites.
• Keeping abreast of initiatives by the IT Security community within the Group and other IT Security stakeholders within the Group.

Participate in the evolution of Security Posture

• Participate in the deployment of new security practices and DevSecOps pipeline.
• Ensure that SSDLC practices are well followed.
• Take part in the awareness and training activities.
• Report on the risks and security deviations identified.

Qualifications & Experience

• Bachelor’s Degree in Information Technology or relevant fields.
• At least 5-8 years' experience in information security and IT risk management.
• Experience in evaluation and design of technical architectures and processes.
• Functional as well as technical knowledge of the common architecture and Cybersecurity frameworks and solutions.
• Strong knowledge in secure development and SSDLC processes.
• Knowledge of the Norms and Standards of the banking and cybersecurity industry.
• Advanced IT security certifications : CISSP / CISM / SANS Certification.
• Operational Risk and Permanent Control.

Essential Technical Knowledge

• Network protocols and network connectivity concepts; Firewall and Internet technologies.
• Secure application design and architecture principles – including DevSecOps tools and practices (CI/CD).
• Secure access control mechanisms: Encryption and Key Management techniques.
• Technical proficiency in various Operating Systems (Linux, Windows, AS400) and Databases (Oracle, MSSQL, PostGreSQL, MongDB).
• Knowledge of understanding digital transformation and mobile technologies and Cloud (Containers Docker, Kubernetes).
• Knowledge of emerging technologies (NFT, encryption).
• Knowledge in technologies like OAuth, Single Sign On, API based approach, TDD, BDD.
• Knowledge of standard IT Security concepts and methodologies.
• Deep understanding of cybersecurity threats and remediation options.
• IT Security Risk Assessment and Risk Management.

Essential Banking Knowledge

• Banking Knowledge and understanding of Wealth Management specificities
• International and APAC banking regulations

Essential Personal Skills

• Communication skills – Ability to interact throughout oral and written communication skills.
• Provide leadership to various stakeholders in proactive manner.
• Ability to provide an accurate reporting to the Management.
• Must be motivated, and able to work independently as well as part of a team.
• Must demonstrate ethical responsibility, maturity, and discretion.