Our technology teams in the UK work closely with HSBC’s global businesses to help design and build digital services that allow our millions of customers around the world, to bank quickly, simply and securely. We also run and manage our IT infrastructure, data centres and core banking systems that power the world’s leading international bank.

Our multi-disciplined teams include: DevOps engineers, IT architects, front and back end developers, infrastructure specialists, cyber experts, as well as project and programme managers. 

We work in small, agile DevOps teams with colleagues around the world.

Following extensive investment across our Technology and Digital domains, we are currently seeking a number of experienced Global Head of Secure Development to join HSBC Technology.

Brief overview of the business areas

Global Cybersecurity is responsible for enabling businesses and functions to manage their information, technology and cybersecurity risks by ensuring these are well-understood, and that controls used the manage such events are defined, assessed and implemented appropriately. Cybersecurity predominantly deliver this via objective, independent, professional and specialized subject matter experts. The role forms part of the 1LoD in relation to the risk management framework.

The Cybersecurity Assessment and Testing (CSAT) function, part of Global Cybersecurity, is accountable for Vulnerability Management, Secure Development (inc. DevSecOps), Threat and Controls Assessment (inc. threat modelling) and Third Party Security Assessment. The function drives the identification, capture, assessment, testing/verification and ultimately the remediation of security defects, gaps and vulnerabilities across HSBC’s estate in concert with business and technology teams – on-premise, within the Cloud and for those resulting from third party engagements.

What you will be doing;

Including, but not limited to:

• Global accountability for defining the strategic direction of HSBC’s Secure Development practise, and authoritive contribution to wider DevOps and Technology strategies and roadmaps.
• Lead the definition, implementation, continuous maintenance and oversight of a secure development practise that meets / supersedes expectations from our businesses, risk management, technology teams, regulators and industry best practise.
• Set and lead priority initiatives to enable effective shift-left security in partnership with various development, engineering and technology teams, including:
  • the continued adoption of automated/semi-automated/self-service security tools;
  • an enhanced data-led license-to-operate model, and;
  • minimum requirements for key roles (e.g. training) amongst others.
• Build and maintain a team of high-performing cybersecurity professionals, developing a culture of innovation and empowerment to deliver real change on a massive scale.
• Represent Cybersecurity and Secure Development in senior Management Committees and Regulatory exams.
• Ensure Cybersecurity is "hands on" with technology and to contribute to the design, development and support of development teams. This includes providing remediation consultancy.
• Support the development and maintenance of the Pre-Deployment Security Assurance control in the bank’s risk taxonomy and control library, including its control design, detailed operating instructions and key control indicators, to ensure it remains effective against an evolving threat and technology landscape. This responsibility is to be delivered in collaboration with the Cybersecurity Risk & Control Strategy function.
• Enable global business and functions to make informed risk decisions, especially when it comes to prioritised remediation of identified defects and gaps.
• Demonstrate that the underlying controls, service and resultant outcomes are maintained in-line with regulatory expectations, technical best-practise, internal customer requirements and HSBC’s strategy.
• Collaborate with relevant stakeholders to enhance the delivery of a Cybersecurity strategy to secure the bank’s technology from the inside out, whilst maintaining, protecting and enhancing HSBC’s values, reputation and stakeholder value. Partnership and close engagement with senior Technology leads is required.
• Maintain close engagement with external regional associations, specialist interest groups, government agencies, forums, etc.
• Constantly have the customer at the heart of all engagements, driving improvements in security assurance engagement and simplification of overlapping assessments, steps and customer touch-points.
• As a senior leader within both CSAT and Cybersecurity, the role-holder will be expected to contribute to, be an ambassador for, and to drive delivery of cybersecurity strategy. 

The role reports directly into the Global Head of Cybersecurity Assessment and Testing.

The candidate will be able to demonstrate: strong leadership and communication; experience in leading and influencing both teams and key stakeholders from diverse backgrounds and cultures, often remotely, and; proven experience, skills and expert knowledge of related security assessment practice. The role holder is required to engage with senior stakeholders including Technology and Cybersecurity leadership, both globally and in regions; stakeholders across all lines of defence: Chief Controls Office Technology, 2LoD Resilience Risk and 3LoD Internal Audit teams, and will be required to support regulatory examinations.

Qualifications

What you will bring to the role; 

Successful candidates have proven experience, knowledge and skills similar to the below:

Mindset

• An inquisitive approach, always asking how to achieve goals in a smarter and more effective way
• An ability and interest to learn and experiment with new approaches to achieve business and cybersecurity outcomes, in different and often challenge contexts.
• Proven ability to forge innovative approaches to complex and complicated problems, including the use of research and/or experimentation, in-role or via academia.

Strong Risk and Controls understanding

• Knowledge and exposure of the application of Risk and Control Management and associated frameworks, preferably from a multi-market institution
• Fluent ability in articulating technical threats, scenarios, controls and risks to both technical and business stakeholders.

Strong Technical background

• Proven experience in senior/leadership roles in security development, application security and/or security architecture
• Proven experience in DevOps / DevSecOps including Agile and Waterfall Software Development lifecycles
• Proven experience working in a large scale, multi-national and technologically diverse environment
• Proven experience on integration of various security technologies (e.g. SAST, DAST, IAST, container security) and practises (e.g. Policy-as-Code) within DevOps pipelines (Jenkins, GitHub, Chef, Ansible, Nexus, etc)
• Expert understanding of Security concepts and principles.
• Excellent understanding of platform-specific security risks, common vulnerabilities for web and mobile applications, micro-services (REST, SOAP) architecture and their mitigations
• Good understanding of security flaws in common programming languages
• Knowledge and experience with network, host and application security practices
• Understanding of emerging technologies and its corresponding security threats would be a plus
• Proven experience with common public cloud environment (e.g. AWS, GCP, Azure, Alicloud)
• Strong technical understanding and experience of assessing vulnerabilities and identifying weaknesses in diverse enterprise IT assets

Strong stakeholder management and communications skills

• Ability to engage with and influence executive leadership
• Experience in managing, developing and retaining high-performing individuals in different geographies, often remotely
• Experience in engaging with business, technology, regional and regulator stakeholders
• Ability to prepare concise presentations, reports and updates for senior management

Effective Leadership

• Possess strong leadership skills to bring out the best in a team. This includes both direct leadership and cross-functional capabilities
• Experience within fast-moving, complex and demanding corporate environments and able to provide appropriate direction to the team whilst dealing with ambiguity and change
• Act as a role-model for more junior members of Cybersecurity and Technology

This role will primarily be based in London or another UK base location, some travel may be required.

Come Power a Business that Defines How to Power the World

As a business operating in markets all around the world, we believe diversity brings benefits for our customers, our business and our people. This is why HSBC is committed to being an inclusive employer and encourages applications from all suitably qualified applicants irrespective of ethnicity, religion, age, physical or mental disability/long term health condition, marital status, sexual orientation, gender identity, gender expression, genetic information (including characteristics and testing), military and veteran status, and any other characteristic protected by local law in the jurisdictions in which we operate. Within the work place you will have access to various employee resource groups which aim to promote and achieve a healthy work / life balance and support our diversity ambitions.  HSBC has in place processes in order to avoid nepotism, which means to avoid creating circumstances in which the appearance or possibility of conflicts of interest may exist within the hiring process.

We want everyone to be able to fulfil their potential which is why we provide a range of flexible working arrangements and family friendly policies.

As an HSBC employee in the UK, you will have access to tailored professional development opportunities and a competitive pay and benefits package. This includes private healthcare for all UK-based employees, enhanced maternity and adoption pay and support when you return to work, and a contributory pension scheme with a generous employer contribution.

Personal data held by the Bank relating to employment applications will be used in accordance with our Privacy Statement, which is available on our website.