Job Purpose :
The Senior Manager, Cybersecurity is responsible for establishing, maintaining, and continuously improving the company's information security framework to protect critical systems, data, and digital assets. This role oversees both 1st Line of Defence (Operational Security) and 2nd Line of Defence (Tech Risk Oversight) functions, ensuring that cybersecurity risks are effectively managed, security operations are robust, and regulatory compliance is maintained.
The position requires strong leadership in security operations, governance, risk management, compliance, and vendor management while supporting the company’s digital transformation initiatives and ensuring compliance with HKIA GL20 requirements.
Main Responsibilities :
1. Cybersecurity Operations & Incident Response (1st Line of Defense)
- Lead the Security Operations Center (SOC) service provider, ensuring effective security monitoring, incident detection, and response.
- Oversee firewall rule changes, access controls, audit logging, and security event reporting.
- Collaborate with the SOC team to review system logs, alerts, and threat intelligence reports to detect and mitigate cyberattacks and insider threats.
- Conduct and oversee vulnerability scanning, penetration testing, and system hardening to strengthen cyber resilience.
- Manage security tools and technologies, including next-generation firewalls, WAF, IDS / IPS, email gateways, proxies, and DLP solutions.
- Perform day-to-day security risk control reviews, particularly for change requests affecting security policies (e.g., firewall rule modifications).
- Ensure effective incident response planning and execution, including coordination of annual cybersecurity drills with the SOC vendor.
2. Cybersecurity Governance, Risk & Compliance (2nd Line of Defense)
Develop and maintain the company’s cybersecurity risk management framework, ensuring alignment with industry standards (ISO 27001, NIST, CIS) and regulatory requirements (HKIA GL20).Establish and enforce security policies, standards, and guidelines to maintain compliance with internal policies and external regulations.Oversee security control effectiveness across IT systems, conducting periodic risk reviews and recommending improvements.Lead and coordinate internal and external cybersecurity audits, ensuring compliance and facilitating remediation efforts.Conduct functionality and gap analyses to evaluate business areas and IT infrastructure compliance against statutory and regulatory requirements.Evaluate and recommend new security technologies and strategies to counter cyber threats and enhance protection.Ensure continuous monitoring of cyber risks, tracking Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for cybersecurity.Perform regular reviews and updates of security policies, guidelines, and procedures to ensure compliance with GL20 requirements.3. Security Oversight, Reporting & Management
Provide regular cybersecurity risk reports to senior management, risk committees, and audit committees.Act as an independent advisor to business units, guiding them on cybersecurity risks and regulatory compliance.Oversee SOC vendor performance, ensuring high-quality service delivery and incident management.Coordinate third-party risk assessments and ensure vendor security compliance.Conduct regular cybersecurity awareness training programs for employees to strengthen internal security culture.Prepare and present security updates and risk assessments in Information Technology Steering Committee meetings.Support internal and external audits, ensuring compliance with GL20 and other regulatory requirements.Lead and contribute to ad hoc security projects as assigned by management.Incumbent Requirements :
Qualifications & Certifications
Bachelor’s degree in information technology, Computer Science, or a related discipline.Professional certifications such as CISA, CISM, CISSP are preferred.Work Experience
8+ years of experience in information security & cybersecurity roles.Strong expertise in vendor management, including security system setup, security monitoring, and managed security services.Proven experience in developing security policies and guidelines for insurance, banking, or financial institutions.Hands-on experience with cybersecurity tools, including next-generation firewalls, WAF, IDS / IPS, DLP, and email security solutions.Experience in vulnerability scanning, penetration testing, and system hardening is preferred.Technical & Soft SkillsStrong knowledge of cybersecurity, cryptography, network security, cloud security, and threat intelligence.Excellent analytical, problem-solving, and risk assessment skills.Strong leadership, communication, and stakeholder management abilities.Fluency in English and Mandarin (both written and spoken) is required.