Cyber Risk Senior Manager

Big Bank Funding. FinTech Thinking.

Our technology teams in the UK work closely with HSBC’s global businesses to help design and build digital services that allow our millions of customers around the world, to bank quickly, simply and securely. We also run and manage our IT infrastructure, data centres and core banking systems that power the world’s leading international bank.

Our multi-disciplined teams include: DevOps engineers, IT architects, front and back end developers, infrastructure specialists, cyber experts, as well as project and programme managers. 

We work in small, agile DevOps teams with colleagues around the world from our offices at the Bluefin Building in Southwark, our global headquarters in Canary Wharf, and multiple other locations around the UK including Sheffield, Leeds, Barnsley and Birmingham. 

Following extensive investment across our Technology and Digital domains and with plans for continued expansion throughout 2021 and beyond, we are currently seeking a Cyber Risk Senior Manager to join HSBC Technology.

Business area overview 

This role sits within HSBC’s 1LoD Cybersecurity Risk and Controls Strategy (CRCS) team; as such the role holder must possess significant cybersecurity experience as well as strong stakeholder management experience, in order to help deliver a unified approach to controls management across the Group. The CRCS team are responsible for:

1. Cybersecurity Risk Quantification (CRQ) – development, implementation and management of a mathematical model calculating the impact of improvements made to our control environment on risk exposure reduction. Providing an industry leading opportunity to translate complex cybersecurity concepts into business-friendly information allowing to make informed decisions in line with our risk appetite.
2. Cybersecurity Controls Design – starting with the current bank wide priority on Non-Financial Risk Optimisation (NFRO) programme, designing Procedures, Operating Instructions and Control Instances, expanding on the newly implemented Risk Taxonomy and Control Library. The efforts will continue to define and maintain a detailed Cybersecurity Controls Catalogue, continuously improving our controls design and implementation requirements.
3. Metrics & Reporting – definition and management of Key Control Indicators and providing a ‘front-door’ service to Global Businesses, Functions and Regions for any queries related to KCIs and output of the new Cybersecurity Metrics dashboard
4. Continuous Control Monitoring – developing the approach, implementing and maintaining a process for ongoing control monitoring. Designing an approach for automated evidence collation to facilitate reviews from Chief Controls Office, Resilience Risk and Audit. 
5. Risk & Controls Strategy – embedding CRQ into wider Operational Risk Management Framework and controls ecosystem. Tying together all other components of the function into a cohesive strategy to ensure robust end to end control management and risk quantification.

What you will be doing;

We are currently seeking an experienced Cyber Risk Senior Manager for the CRQ team, with responsibility for leading research and development into threat actors, cyber incidents, defensive controls, software and human vulnerabilities, and the overall digital exposure of the bank. This role will work closely with business stakeholders to embed the model into risk management processes.

The role presents a unique opportunity to work on novel modelling methods which will have a real world impact on how HSBC manages its cyber risk through quantification of the varied cyber risks in today’s world.

Key Accountabilities:

• Support the Deputy Head of CRQ in implementing the risk quantification strategy for Cybersecurity
• Work closely with senior stakeholders to validate and embed the model into the global business lines
• Lead Cyber SMEs in assessing technical vulnerabilities for use as parameters in the model 
• Work closely with our data scientists, modellers and analysts to assess the relevance and effectiveness of existing cyber controls and processes, in terms of data sources and threat modelling.
• Work with CRQ data scientists and modellers to determine the influencing attributes of technical controls that impact the likelihood of a vulnerability being exploited
• Work with Cyber Analytics, SOC and Incident Management teams to determine the correct control measures for the model
• Validate key findings with team members and stakeholders and provide insights to ensure high quality inputs to the model

Qualifications

What you will bring to the role;  

To be successful in this role you should have proven experience within the Technology sector with knowledge of the following skills:

• Very strong background in cybersecurity; particularly in risk and control management
• Demonstrable experience in working with, and influencing, senior business stakeholders
• Experience of threat management and/or threat modelling, particularly Mitre ATT&CK 
• Knowledge of adversarial tactics, techniques, and procedures (TTPs).
• Working knowledge of cyber-attack landscape and how attacks are carried out.
• Up to date knowledge of cyber threats and vulnerabilities.
• Analytical approach to understanding how security controls affect exploitation and reduce vulnerability.
• Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions or operations will affect these outcomes.
• Familiarity with the NIST Cyber Security Framework (CSF) would be beneficial
• Experience with working with cyber metrics and numerical data
• Ability to translate difficult IT concepts into business-friendly language
• Team-oriented mentality combined with ability to complete tasks independently to a high quality standard
• Influential, credible and persuasive, active listener, embraces HSBC Values, shows good judgement and demonstrating high level of communication skills in order to achieve effective stakeholder management.  
• Recognised qualifications beneficial: CISSP, CISM, CCSP, CRISC

This role will primarily be London based but some travel may be required. 

Come Power a Business that Defines How to Power the World

As a business operating in markets all around the world, we believe diversity brings benefits for our customers, our business and our people. This is why HSBC is committed to being an inclusive employer and encourages applications from all suitably qualified applicants irrespective of ethnicity, religion, age, physical or mental disability/long term health condition, marital status, sexual orientation, gender identity, gender expression, genetic information (including characteristics and testing), military and veteran status, and any other characteristic protected by local law in the jurisdictions in which we operate. 

Within the work place you will have access to various employee resource groups which aim to promote and achieve a healthy work / life balance and support our diversity ambitions.  

HSBC has in place processes in order to avoid nepotism, which means to avoid creating circumstances in which the appearance or possibility of conflicts of interest may exist within the hiring process.

Personal data held by the Bank relating to employment applications will be used in accordance with our Privacy Statement, which is available on our website.