Job Summary
Our GCIO organisation plays a critical role for the bank. This team partners with the businesses to build the platforms, systems and products that our customers use every day. We keep people's money and data safe and are at the forefront of driving innovation for our businesses, customers and colleagues. Within GCIO, our cybersecurity team designs, implements and operates controls to manage risk. This team provides local inputs to define our group cyber security standards, oversee the security of our network, applications and infrastructure, and provide round-the-clock monitoring and security incident response services.
People responsibility: Y
Report to: Chief Information Officer (CIO)
Role Purpose
-Responsible for driving the execution of the Global & Regional Information Security and Cybersecurity strategy within the market, providing two-way communication to ensure market-level regulatory requirements are considered and fulfilled.
-Key responsibilities include managing governance and reporting, information security and remediation, secure business transformation, compliance to local regulations and reporting the cyber risk posture to the regional / local boards, senior management and risk management forums.
In this role you will:
Job contents
-Be responsible for formulating and overseeing the Bank's overall information security policies and protection strategies, leading the cyber security department in daily operations and information security risk management, along with managing, supervising and identifying issues related to the Bank's information security incidents.
-Support the ASP Regional Cybersecurity team to implement locally those regional programs that provide a strategic core for the market and which may also be leveraged by other ASP regions.
-Collaborate with Global, Regional and market stakeholders, including Technology and peer managers, to implement the Cyber team's goals around entity policy, expense policy and regulatory requirements.
-Lead and support peers in developing, implementing and monitoring a strategic, comprehensive enterprise cyber security management program.
-Assist the ASP Region with overall business technology planning by providing current knowledge and a future vision of cyber technology and systems, and contribute to the ASP Region's Cybersecurity strategy of securing the bank's technology from the inside out while maintaining, protecting and enhancing HSBC's values, reputation and stakeholder value.
-Provide/organize Cybersecurity-related training sessions to improve the awareness level of staff members, setting performance targets of direct reports and contributing to employees' professional development.
-Assist business stakeholders and second line of defense (2LOD) in the market to raise awareness of risk management concerns and educate market management about local specific cybersecurity risk level and actions required to mitigate/control existing risks. Supporting the market business for local specific initiatives related to cybersecurity delivery, consultancy and country augmentation as required.
-Carefully consider the security requirements of the market organization and market business requirements in order to address security risks while satisfying the organization's business goals. Keeping abreast of developing security threats and helping the market Board understand the Bank's security posture and awareness of the threat landscape and events impacting the industry.
-Brief market senior management about ongoing Cybersecurity improvement projects, benefits, status and challenges which require their attention and/or involvement to make it a success. Providing guidance and ensuring market regulatory requirements related to Cybersecurity are addressed in a timely fashion, including the implementation of relevant controls and the development/amendment of policies/standards to comply with the requirements.
-Provide assistance in market Governance related matters, ensuring consistency with Global key messaging and exercising formal governance through appropriate governance forums.
-Be responsible for co-signing the internal control statement with CEO, Chairman, Head of Audit and Compliance Head, and ensure the implementation of internal controls in line with the three lines of defense model.
Experience / Skills
-Minimum Bachelor's Degree with some years' experience in IT security, governance and operational processes, preferably in the Financial Services industry or global corporate service provider.
-Understanding of Financial services cybersecurity related regulations and experience facing and engaging with regulators.
-Desirable but not essential (background): experience in one or more of risk management, Audit, ISR (qualifications); one or more industry-recognized cybersecurity-related certifications including ISO270001, CISA, CISM, CISSP
-Availability to travel (if required) for this role, i.e. travel within the market as well as occasional international travel
-Positive and professional attitude, team player, flexible and adaptable, open to change(s); confident and takes responsibility and ownership for work and personal development
-Good spoken and written communication and ability to adapt style based on audience (Fluent in spoken / written English and Chinese), along with ability to communicate technical subject matter to non-technical stakeholders and to engage with local and regional senior stakeholders.
-GPAD (Group Personal Account Dealing) Covered
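-To be fulfilled after onboarding: receive at least five hours of information security professional course training or functional training each year (personnel of the dedicated information security unit)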
Applicants passing resume screening will be notified for interview and next steps. There will be no further notification or message for applicants who either do not qualify for or are not selected for the position applied for.
Required Experience:
Chief
HSBC Holdings plc is a British multinational investment bank and financial services holding company. It was the 7th largest bank in the world by 2018, and the largest in Europe, with total assets of US$2.558 trillion.