Secure Development Manager - Cybersecurity Technology

Job Overview

Location
London, England
Job Type
Full Time Job
Job ID
19746
Date Posted
8 months ago
Recruiter
Sofia Madison
Job Views
44

Job Description

Our technology teams in the UK work closely with HSBC’s global businesses to help design and build digital services that allow our millions of customers around the world to bank quickly, simply and securely. We also run and manage the IT infrastructure, data centres and core banking systems that power the world’s leading international bank.

Our multi-disciplined teams include: DevOps engineers, IT architects, front and back end developers, infrastructure specialists, cyber experts, as well as project and programme managers.

We work in small, agile DevOps teams with colleagues around the world.

Following extensive investment across our Technology and Digital domains, we are currently seeking a number of experienced Secure Development Managers to join HSBC Technology.

 

Brief overview of the business areas

 

Global Cybersecurity is responsible for enabling businesses and functions to manage their information, technology and cybersecurity risks by ensuring these are well understood, and that controls used to manage such events are defined, assessed and implemented appropriately. Cybersecurity delivers this via objective, independent, professional and specialized subject matter experts. The role forms part of the 1LoD in relation to the risk management framework.

 

The Cybersecurity Assessment and Testing (CSAT) function, part of Global Cybersecurity, is accountable for Vulnerability Management, Secure Development, Threat and Controls Assessment (threat modelling) and Third Party Security Assessment. The function drives the identification, capture, assessment, testing and ultimately the remediation of security defects, gaps and vulnerabilities across HSBC’s estate in concert with business and technology teams – on-premise, within the Cloud and resulting from 3rd party engagements.

 

What you will be doing:

 

This global role directs activities and staff, and drives the continuous enhancement of our DevSecOps capability, as part of the Secure Development team. Four peer roles exist, which have additional accountability for secure development within their respective regions of the Americas, Asia, and Europe, with the Mexico role also leading secure development in cloud across the Group.

These roles report into the Global Head of Secure Development, closely collaborating with peers across the CSAT sub-functions, Cybersecurity business and regional leads, and Technology development teams across different Business Lines & Functions, enabling rapid build of secure technology products and services and thereby reducing the risk to the bank through early identification and remediation of security vulnerabilities.

 

The candidate will be able to demonstrate: strong leadership and communication; experience in managing and influencing both teams and stakeholders from diverse backgrounds and cultures, often remotely; and proven experience, skills and expert knowledge of DevSecOps practices, vulnerability management or similar (e.g. penetration testing). The role holder is required to engage with senior stakeholders including cybersecurity leadership, both globally and in regions; Technology teams including IT Operations, engineering and platform teams, change management, and cloud platform teams; stakeholders across all lines of defence (Chief Controls Office Technology, 2LoD Resilience Risk and 3LoD Internal Audit teams); and regulators.

 

Key Responsibilities:

  • Lead and support peers within the function to define and implement an industry leading Cybersecurity Service that supersedes our constantly changing information security threats.
  • Provide key representation for and source of expertise on all issues with relevant subject matter
  • Ensure adherence to the three lines of defence organizational model with clear lines of responsibility, accountability and segregation of duties.
  • Ensure compliance with internal audit and external regulators that any organizational changes are fit for purpose and meet their expectations
  • Collaborate with relevant stakeholders to enhance the delivery of a Cybersecurity strategy to secure the bank’s technology from the inside out, whilst maintaining, protecting and enhancing HSBC’s values, reputation and stakeholder value
  • Lead initiatives to develop and adopt security utilities and tools that will enable development teams to operate more efficiently and securely
  • Stay up to date with new industry trends and best practices
  • Be "hands on" with technology, contribute to design and development, and support development teams with security recommendations and adoption of tools.
  • Maintain contact with relevant internal teams/forums and external regional associations, specialist interest groups, government agencies, forums, etc.
  • Support the development and maintenance of the Pre-Deployment Security Assurance control (SECA.1) in the bank’s risk taxonomy and control library, including its control design, detailed operating instructions and key control indicators, to ensure it remains effective against an evolving threat and technology landscape. This responsibility is to be delivered in collaboration with the Cybersecurity Risk & Control Strategy function. 

Qualifications

What you will bring to the role:

 

To be successful in this role you should have proven experience within the Technology sector with knowledge of the following skills:

 

  • Proven experience in DevSecOps including Agile and Waterfall Software Development Life Cycle
  • Proven experience working in a large scale, multi-national and technologically diverse environment
  • Proven experience on integration & automation of various security technologies including SAST, DAST, IAST, container security tools within DevOps tooling pipeline (Jenkins, GitHub, Chef, Ansible, Nexus, etc)
  • Excellent understanding of Security concepts and principles.
  • Excellent understanding of platform-specific security risks, common vulnerabilities for web and mobile applications, microservices (REST, SOAP) architecture and their mitigations
  • Knowledge and experience with network, host and application security practices
  • Good understanding of security flaws in Java, J2EE, Objective C, Swift and Kotlin programming languages
  • Understanding of technologies, protocols and architectures that are commonly used by mobile applications (HTML, XML, JavaScript, JSON, REST, Microservices etc.)
  • Understanding of emerging technologies and their corresponding security threats would be a plus
  • Proven experience with common public cloud environment (including AWS, GCP, Azure, Alicloud)
  • Hands on experience in implementing vulnerability identification tools within the development pipeline and strong technical understanding and experience of assessing vulnerabilities and identifying weaknesses in diverse enterprise IT assets
  • Professional IT Security qualifications and/or certification
  • Knowledge of Common Vulnerability Scoring System (CVSS)
  • Proficiency with industry tooling, for example: Tenable.io, Nessus, Checkmarx, Netsparker, Kryptowire, IriusRisk, Aqua, etc.
  • Knowledge of Vulnerability Consolidation Platforms (Kenna, Archer, etc.)
  • An inquisitive approach, always asking how to achieve goals in a smarter and more effective way
  • Knowledge and exposure of Risk and Control Management

 

This role will primarily be based in London or another UK base location, some travel may be required.


Come Power a Business that Defines How to Power the World

As a business operating in markets all around the world, we believe diversity brings benefits for our customers, our business and our people. This is why HSBC is committed to being an inclusive employer and encourages applications from all suitably qualified applicants irrespective of ethnicity, religion, age, physical or mental disability/long term health condition, marital status, sexual orientation, gender identity, gender expression, genetic information (including characteristics and testing), military and veteran status, and any other characteristic protected by local law in the jurisdictions in which we operate. Within the workplace you will have access to various employee resource groups which aim to promote and achieve a healthy work / life balance and support our diversity ambitions. HSBC has in place processes in order to avoid nepotism, which means to avoid creating circumstances in which the appearance or possibility of conflicts of interest may exist within the hiring process.

 

We want everyone to be able to fulfil their potential which is why we provide a range of flexible working arrangements and family friendly policies.

 

As an HSBC employee in the UK, you will have access to tailored professional development opportunities and a competitive pay and benefits package. This includes private healthcare for all UK-based employees, enhanced maternity and adoption pay and support when you return to work, and a contributory pension scheme with a generous employer contribution.

 

Personal data held by the Bank relating to employment applications will be used in accordance with our Privacy Statement, which is available on our website.
