Title:  CISO, Malaysia

14777

Kuala Lumpur, MY

Technology
Regular Employee
Office - Full Time
31 Dec 2024

Job Summary

We have established a capability to successfully implement and embed the Information and Cyber Security (ICS) Risk Type Framework (RTF) across the Group and the countries in the region/cluster, bringing consistency to the identification and mitigation of ICS risks. The Malaysia CISO will continue to drive the adoption and implementation of the framework across the entities in Malaysia and GBS Malaysia.
This role requires a hands-on approach to understand, embed, and guide Malaysia on the ICS RTF to maximise risk reduction and capability improvement, while meeting compliance and legal obligations and minimising client impact. The role requires an end-to-end view of all ICS activities, with regular risk assessment, tracking, follow-up and reporting at the relevant forums.
The role will maintain highly constructive relationships with key stakeholders and regulators, and requires strong security risk framework knowledge to mobilise effort and commitment.
• He/she will execute a robust and efficient plan to rollout ICS RTF by working with key stakeholders including Country CTOOs/CIOs direct teams, Country Business and Function teams, ICS RTF Implementation Programme teams, CISO teams and Security technology teams. The plan will incorporate digital footprint discovery, risk assessment, definition and implementation of controls as guided by the ICS RTF and tailored to the relevant areas.
• CISO authority for countries in scope (Malaysia including GBS).
• Supporting Malaysia in the implementation of the ICS Risk framework including working with stakeholders to identify, assess and rate the information assets, build out the risk profile per the framework, initiate risk assessments and put together treatment plans.
• Deploy and implement Threat Scenario-based risk assessments in-country.
• Use qualitative and quantitative data sources to validate the TSRA and associated controls, accelerate the risk assessment process, validate the business risk profile, and develop remediation action plans that bring ICS risk back within appetite.

Key Responsibilities

• Follow up on identified thematic cyber issues, develop processes to prevent issues from recurring, and ensure cyber hygiene across the whole portfolio.
• Provide regular status updates including progress, top risks and issues to the respective country and cluster forums for the relevant domains. Track RAG status, key milestones, risks, dependencies, and issues.
• Interface into Technology forums to ensure security technologies are operating with input from countries and be actively involved in the roadmap of these technologies.
• Development of risk treatment plans for the assigned areas in conjunction with the business and technology teams. Interface with other areas to ensure dependencies are known and prioritised. Negotiate timelines to ensure proper remediation by maintaining support and organizational alignment.
• Adapt to emerging and horizon risks and address issues to maximise outcomes. Take urgent and timely action on risks and issues which adversely impact cyber risk profiles.
• Re-planning and prioritising as required to maximise risk reduction.
• Coordinate and plan for cyber crisis management exercises, build response and recovery capabilities, workarounds, ensure up to date playbooks etc. Assist with other cyber activities underway.
• Manage all ICS-related regulatory requests and self-assessments. Certify or recertify audit requirements and standards by coordinating, participating, and reviewing relevant controls, where required to do so e.g. regulator inspection, internal/external audits, SWIFT, PCI-DSS, ISO 27001.
• Build and maintain strong and sustainable relationships with key internal and external stakeholders, e.g. country Management Team, local regulators.
• Build a strong ICS risk culture and awareness for Malaysia including GBS, deliver country scorecard and management metrics, e.g. CISO MI, BRAM, Culture Quotient.
• Represent SCB in ICS-related regulatory and industry forums.
• Drive and support group and cluster ICS initiatives.

Risk Management

•    Responsible for monitoring and managing ICS Incidents for Malaysia. 
•    Responsible to represent Malaysia in the Cluster and Market Governance Forums and Risk Committees.
•    Responsible to remediate Audit/Regulator ICS Issues for Malaysia.
•    Drive the adoption of “lessons learnt” driving consistency and efficiency.
•    Drive compliance with Group policies standards, and local regulatory requirements.
•    Work closely with CISRO, Cluster ISRO, Country ISRO, Head of ICS Governance, Business and C-level Management to provide oversight, governance and monitoring, and work with various delivery owners to embed the ICS RTF.
•    Understand and assess the impact of changes in the policy or procedures on the respective business / function / cluster and engage with the respective business / function / cluster Heads to ensure the impact is understood.
•    Recommend additions/enhancements/changes to the ICS policy, procedures, and RTF.

Governance
•    Monitor ICS risk profile and posture and report any non-compliance to senior management or governance committees.
•    Participate and represent the respective business / function / cluster in Risk Committees, ICS working groups, Programme Steer Cos etc. to provide updates and influence positive outcomes for the Business/Function/Cluster/Country.
•    Validate the accuracy and consistency of KRIs, KCIs and other risk ratings/assessments, as well as process designs using available MI.
•    Support the Third-Party Security Assessment team during 3rd party reviews.
•    Help design and embed ICS RTF controls across the respective business / function / cluster.
•    Ensure key ICS risk and issues are monitored and appropriately addressed by key stakeholders.
•    Ensure adoption of the ICS controls across market.
•    Ensure ICS Controls are being adopted in new technologies and projects.

Regulatory & Business Conduct
•    Display exemplary conduct and live by the Group's Values, Valued Behaviours, and Code of Conduct
•    Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct, across the Bank. 
•    Effectively and collaboratively identify, escalate, mitigate, and resolve risk, conduct and compliance matters.

Key stakeholders
•    CISO, ASEAN Cluster & Singapore
•    Malaysia CEO and CTOO
•    Country C-level Management 
•    ASEAN Market CISOs
•    ICS Control owners
•    Banking Regulators

Skills and Experience

Strategy
•    Accountable for the Information and Cyber Security Strategy for Malaysia including GBS
•    Identify and independently drive strategic change initiatives to deliver on the ICS agenda with a forward-looking view.
•    Develop insightful strategies for engaging business on information security matters, ensure investments are prioritised and funding is approved.
•    Support delivery of the Bank’s enterprise wide risk management plan and strategy.
•    Work with application development organisations to assist in the development of strategies and plans for improving both Architecture and application security.

Business
•    Ensure ICS risks in the respective market are proactively managed and effectively controlled, mitigated and remediated with senior stakeholder’s support and buy-in, in line with Group, Cluster, Country, Business/Function risk appetite and regulatory driven requirements.
•    Be the focal point for ICS for Malaysia. Drive strong engagement with both the country CEO and CIO.
•    Educate senior executives regarding ICS risks to drive accountability.
•    Assist in establishing priorities in partnership with the cluster/country level Management and take responsibility for resolving security issues.
•    Ensure that the management of ICS risk is effective and operating efficiently in the respective business / function / cluster.
•    Assist in driving security culture/awareness and help improve readiness for a cyber event.
•    Ensure information risks are identified, assessed, mitigated and controlled.
•    Ensure Critical Information Assets are identified and graded appropriately.  Monitor changes in the risk profile of the highly critical systems.
•    Work with IT to validate the resilience of data and IT systems.
•    Support Group initiatives ensuring the respective business / function / cluster needs are represented effectively.
•    Face off to the ICS subject matter experts in Group Business lines.
•    Address GIA queries related to ICS and GIA RFIs for ICS strategy, standards, controls and ICS tools.

QUALIFICATIONS

  • Education: Degree in Engineering, Computer Science/Information Technology or its equivalent.
  • Training: Strong knowledge of ICS products and operations will be preferred.
  • Ability to articulate gross and residual risk, with specific ability to communicate complex technology and process risk clearly, concisely and accurately to non-technical stakeholders.
  • Strong interpersonal and stakeholder management skills, across various levels in the organization including senior leadership teams, in influencing key decisions taken in the business and in support teams.
  • Strong communication skills – oral, written and presentation. Sound knowledge of MS-Excel, PPT, and Word.
  • Must be a self-starter who is able to initiate and successfully drive programs and projects to completion with little or no management supervision.
  • Strong analytical skills and ability to prioritise, make decisions, and work to tight timeframes.
  • Strong business acumen and deep knowledge and experience in the ICS field.
  • Proven ability to lead highly complex, global activities through influence and credibility rather than command and control.
  • Ability to both assess strategic priorities and to focus on detailed aspects of a function in order to drive effective delivery.
  • Strong integrity, independence, and resilience
  • One or more of the following certifications will be preferred:
    • Certified Information Security Manager (CISM)
    • Certified Information Systems Security Professional (CISSP)
    • SANS Global Information Assurance Certifications (GIAC)
    • Certified in Risk & Information Systems Control (CRISC)
    • Certified Information Systems Auditor (CISA)
    • Payment Card Industry – Professional / Internal Security Assessor (PCIP, PCI-ISA), etc.
    • ISO 27001/22301 Lead Implementer or Lead Auditor

Processes

•    Proven ability to lead highly complex, global, pan-bank, multi-year programmes by driving collaboration and participation by Clusters and countries. 
•    Drive the continuous improvement of practices.
•    Drive the implementation of the ICS agenda for the respective business / function / cluster by working with the respective Business/Function Heads, Cluster / Country Management Team, Cluster / country level Management /CIO teams, ISROs and senior ICS leadership.
•    Manage ICS risk remediation initiatives and activities including incident responses, crisis exercises, risk assessments, stress testing, regulator engagement.
•    Drive the implementation of the ICS RTF in the respective business / function / cluster with a focus on key countries. The plan will incorporate digital footprint discovery, threat/risk assessment, and the definition and implementation of controls as guided by the ICS RTF.

People & Talent
•    Excellent organisation and leadership skills with ability to manage multiple deadlines and effectively prioritise, including strong collaboration with peers. 
•    Maintain strong stakeholder engagement and serve as the business-facing lead with Group, Cluster and Country IT, Business/Function, cluster/country Management, ISROs, Risk & Control stakeholders to bring alignment across stakeholder groups in conjunction with ICS risk management.
•    Collaborate with Corporate Communications, threat intelligence and other functions to lead and coordinate the information security change management effort around branding, communications, staff awareness and training.
•    Maintain relationships with key service and product owners within Security Technology Services / Cyber Security Services to keep abreast of changes that may affect ICS’s risk landscape.
•    Help to interpret and translate the ICS requirements of the ICS programmes into technical requirements when needed.
•    Engage external agencies / third parties to understand the threat environment and reported events; assess impact for the respective business / function / cluster.

About Standard Chartered

We're an international bank, nimble enough to act, big enough for impact. For more than 170 years, we've worked to make a positive difference for our clients, communities, and each other. We question the status quo, love a challenge and enjoy finding new opportunities to grow and do better than before. If you're looking for a career with purpose and you want to work for a bank making a difference, we want to hear from you. You can count on us to celebrate your unique talents and we can't wait to see the talents you can bring us.

Our purpose, to drive commerce and prosperity through our unique diversity, together with our brand promise, to be here for good are achieved by how we each live our valued behaviours. When you work with us, you'll see how we value difference and advocate inclusion.

Together we:

  • Do the right thing and are assertive, challenge one another, and live with integrity, while putting the client at the heart of what we do
  • Never settle, continuously striving to improve and innovate, keeping things simple and learning from doing well, and not so well
  • Are better together, we can be ourselves, be inclusive, see more good in others, and work collectively to build for the long term

What we offer

In line with our Fair Pay Charter, we offer a competitive salary and benefits to support your mental, physical, financial and social wellbeing.

  • Core bank funding for retirement savings, medical and life insurance, with flexible and voluntary benefits available in some locations.
  • Time-off including annual leave, parental/maternity (20 weeks), sabbatical (12 months maximum) and volunteering leave (3 days), along with minimum global standards for annual and public holidays, which combine to a minimum of 30 days.
  • Flexible working options based around home and office locations, with flexible working patterns.
  • Proactive wellbeing support through Unmind, a market-leading digital wellbeing platform, development courses for resilience and other human skills, global Employee Assistance Programme, sick leave, mental health first-aiders and all sorts of self-help toolkits
  • A continuous learning culture to support your growth, with opportunities to reskill and upskill and access to physical, virtual and digital learning.
  • Being part of an inclusive and values driven organisation, one that embraces and celebrates our unique diversity, across our teams, business functions and geographies - everyone feels respected and can realise their full potential.