Information Security Risk Officer - Standard Chartered Bank

We’re an international bank, nimble enough to act, big enough for impact. For more than 160 years, we’ve worked to make a positive difference for our clients, communities, and each other. We question the status quo, love a challenge and enjoy finding new opportunities to grow and do better than before. If you’re looking for a career with purpose and you want to work for a bank making a difference, we want to hear from you. You can count on us to celebrate your unique talents. And we can’t wait to see the talents you can bring us.

Our purpose, to drive commerce and prosperity through our unique diversity,  together with our brand promise, to be here for good are achieved by how we each live our valued behaviours. When you work with us, you’ll see how we value difference and advocate inclusion. Together we:

• Do the right thing and are assertive, challenge one another, and live with integrity, while putting the client at the heart of what we do
• Never settle, continuously strive to improve and innovate, keeping things simple and learning from doing well, and not so well
• Be better together, we can be ourselves, be inclusive, see more good in others, and work collectively to build for the long term
• In line with our Fair Pay Charter, we offer a competitive salary and benefits to support your mental, physical, financial and social wellbeing.

ADVERTISEMENT - CONTINUE READING BELOW

• Core bank funding for retirement savings, medical and life insurance, with flexible and voluntary benefits available in some locations
• Time-off including annual, parental/maternity (20 weeks), sabbatical (12 weeks maximum) and volunteering leave (3 days), along with with minimum global standards for annual and public holiday, which is combined to 30 days minimum
• Flexible working options based around home and office locations, with flexible working patterns
• Proactive wellbeing support through Unmind, a market-leading digital wellbeing platform, development courses for resilience and other human skills, global Employee Assistance Programme, sick leave, mental health first-aiders and all sorts of self-help toolkits
• A continuous learning culture to support your growth, with opportunities to reskill and upskill and access to physical, virtual and digital learning
• Being part of an inclusive and values driven organisation, one that embraces and celebrates our unique diversity, across our teams, business functions and geographies – everyone feels respected and can realise their full potential.
• Recruitment assessments – some of our roles use assessments to help us understand how suitable you are for the role you’ve applied to. If you are invited to take an assessment, this is great news. It means your application has progressed to an important stage of our recruitment process.

Role Responsibilities 

• Review and alignment of country Information security program with the Group security strategy
• Effectively and collaboratively identify, escalate, mitigate and resolve risks associated with the bank’s information assets.
• Periodically inform the Board on latest developments in the cyber security universe
• Assure that process owners are escalating risks and control gaps when decommissioning of systems and data sanitization activities.
• Assure measurement of effective management of cyber threat intelligence by 1^st Line ICS team.
• Assure process owners are creating awareness among staff on cyber threats and their controls.
• Assure that business process owners are managing data centers as per standards.
• Assure that the process owners are escalating compliance matters to mitigate security aspects of networking devices (servers, routers, firewalls, etc.) under applicable policies, standards, and procedures.

Responsibilities

The Group Chief Information Security Officer (CISRO) organisation is instrumental in protecting and ensuring the resilience of Standard Chartered Bank’s data and IT systems by managing information and cyber security (ICS) risk across the enterprise. As a critical function reporting to the Group Chief Risk Officer (CRO), the Office of the Group CISRO serves as the second line of defence for assuring ICS controls are implemented effectively and in accordance with the ICS Risk Framework and for instilling a culture of cyber security within the Bank.

The Group CISRO is responsible for ICS governance, strategy, policy, awareness, training, risk assessments, red teaming, third-party security risk, industry partnerships, and regulatory engagement. In addition, a team of Information Security Officers (ISRO) reports to the Group CISRO and performs a pivotal role as an extension of the Group CISRO in supporting the ICS risk management strategy, governance, advisory and assurance roles that face-off to the Client Services, Regions, and Functions.

The Office of the Group CISRO is central to ensuring the Bank’s ability to meet its ICS commitments to internal and external stakeholders, including regulators, as well as maintaining an acceptable ICS risk profile that is regularly reported to the Board.

ADVERTISEMENT - CONTINUE READING BELOW

Strategy

The ISRO position is a permanent role that requires strong business acumen and deep knowledge and experience in the ICS field. The successful candidate will have a strong understanding of operating in a second-line capacity within an ICS or risk management organisation, and can respond flexibly and collaboratively to evolving business, regulatory and threat requirements.

The role reports to Head ISRO for AME. The ISRO will work closely with the CCRO, HICS & Group Chief Information Security Risk Officer and others to address ICS as a principal risk type for the Bank and support its integration into the Bank’s overall Enterprise Risk Management strategy.

The role will provide oversight and challenge of ICS risk management and control effectiveness as a risk partner to country leadership as defined in the Bank’s ICS Risk Type Framework and under delegation from the Group CISRO.

Business

The primary purpose of this position to ensure that the management of ICS risk is operating effectively and efficiently and to provide assurance that ICS risk is appropriately managed within the countries.

The role will support the Group Chief Information Security Risk Officer in their role as the Bank’s executive accountable for ICS risk. The successful candidate will work closely with the AME Region – ISRO Heads, the Security Technology Services team, and Country CRO, CIO, and Compliance Officers, as well as other key stakeholders to drive requirements and help set priorities for ICS strategy and investment based on acceptable risk tolerance and taking into account the evolving threat and regulatory landscape, policies and standards, and technology infrastructure. In addition, given the rapidly evolving ICS regulatory environment, successful candidate will have a strong acumen for working with regulators and understanding ICS policy with an ability to articulate new requirements into ICS risk management assessments and processes.

Processes

The major functional activities that the role will lead and manage are:

• Delegation of Authority from the Group CISRO for ICS risk management engagement with country
• Overseeing and challenging 1st line ICS risk proposals and risk-taking activities;
• Intervening in 1st line activities if they are not in line with existing or adjusted Risk Appetite;
• Monitoring of ICS risks and associated remediation plans across the country using the Group CISRO Governance Risk Type Framework;
• Assuring the 1st line implements controls to comply with applicable laws and regulations as defined by the Group CISRO Policy team and escalate significant regulatory non-compliance matters and developments to the Group CISRO;
• Conduct periodic information security assurance on the ICS risk profiles (including infrastructure) submitted by 1st line and suggest improvements.
• Promoting a healthy ICS risk culture and good conduct within the country.

People & Talent 

• Lead through example and operate with the appropriate culture and values.
• Uphold and reinforce the independence of the second line ICS Risk function.

Risk Management

• Deliver the defined aspects of the ISRO role to support the Group’s ICS risk management approach and objectives.
• Ensure that the Country role is managed in accordance with the defined Group CISRO Governance Risk Type Framework and associated Policy and Standards; and those issues are identified, escalated, and addressed as appropriate.

Governance 

• Establish strong ties into the relevant country leadership, governance, risk, and control committees to ensure adequate monitoring, tracking and governance of ICS risk.
• Drive integration of ICS Risk Type Framework into the country and utilize for the ongoing governance of country risk.

Regulatory & Business Conduct 

• Display exemplary conduct and live by the Group’s Values and Code of Conduct.
• Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct, across the countries. This includes understanding and ensuring compliance with, in letter and spirit, all applicable laws, regulations, guidelines and the Group Code of Conduct.
• Effectively and collaboratively identify, escalate, mitigate and resolve risk, conduct and compliance matters.
• Exercise authorities delegated by the Board of Directors and act in accordance with Articles of Association.

ADVERTISEMENT - CONTINUE READING BELOW

Key stakeholders

• ISROs
• Country CROs
• Country HICSs
• Country CIOs
• Country Compliance Officers
• Country CEOs
• Banking Regulators
• Global Head, Security Technology Services
• Head of ICS Governance
• Head of ICS Policy
• Group Internal Audit
• Head of ICS Assurance and Testing
• Head of ICS Training, Awareness & Exercises

Other Responsibilities

• Establish strong relationships with identified stakeholders across the country and understand their strategic goals, to ensure ICS alignment.
• Articulate the value of ICS controls and their bottom-line impact to Country’s security and resiliency.
• Prepare, present and challenge in a 2nd line capacity at relevant risk committees, steering groups and cross-business opportunities.
• Perform Delegation of Authority (DoA) responsibilities for Group CISRO as defined for the countries.
• Measure efficient and effective management of ICS risk for the countries.
• Validate the accuracy of KRI’s and KCI’s and other risk ratings, as well as process designs, to meet policy requirements.
• Ensure that Process Owners are escalating risk, control, and process deficiencies appropriately in accordance with the relevant risk frameworks.
• Build trusted working relationships with other security functional heads, risk and compliance counterparts, and country stakeholders.
• Utilize appropriate risk management tool(s) to manage, track and monitor ICS risks across the countries.
• Maintain sufficient and appropriate evidence of work performed for review by Group Internal Audit and others.
• Monitor, assess and advise countries on acceptable risk tolerances based on policy and control environment and the evolving regulatory and threat landscape. (Knowledge of Pakistan regulatory environment will be an added advantage)

Qualifications

Training, licenses, memberships and certifications

• Master’s in Information Technology / Cybersecurity
• Information Security certifications and courses
• Trainings & Courses attended on security audits
• Familiar with and hands on experience of working on Security best practices and frameworks.

Experience:

• Minimum 5 years of experience, having worked on similar roles.