Vice President/Assistant Vice President - Technology Risk Management - Group Risk Management (Cyber Threat Research and Simulation - Red Team)

Company Introduction: We're home to Asia's most dynamic and vibrant capital markets. Connecting capital, ideas, inspiration and innovation for deeper, more diverse and liquid global capital markets; providing greater choice and opportunity for our customers, each and every day. HKEX is a purpose-driven company. Our commitment to the long-term development of our business and our markets is articulated in our purpose: "To Connect, Promote and Progress our Markets and the Communities they support for the prosperity of all." Job Summary: Technology Risk Management (TRM) is responsible for establishing and maintaining a Group-wide technology risk management framework (including risk appetite statements and policies) and reporting key technology risks to governance committees. The team is also responsible for providing oversight to the second line of defense and challenge to the first line's management of technology risks under a risk-based approach, focusing on critical market systems and strategic projects that involved the use of technology. Job Duties: Key Responsibilities:

• The VP role will act as the Head of the Cyber Threat Research and Simulation Team of Group Risk Management to lead a specialist team to provide effective and independent advice and challenge to 1st Line functions.
• Plan and execute periodic in-house and external red-team exercises, and oversee the implementation of rectification measures.
• Evaluate existing cyber defenses against MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework.
• Plan and perform security tests regarding trading and clearing-related environment, systems, products and applications upon request.
• Monitor and analyse emerging cyber risks in the region, having regard to cyber intelligence and threat landscape related to relevant Group entities.
• Escalate major cyber risks and coordinate measures to address the potential impact to the operational resilience of the Group to senior management and relevant stakeholders in a timely manner.
• Conduct 2nd line specialist investigation and follow-up into significant cybersecurity incidents to identify potential root causes and improvement opportunities.
• Provide specialist support to the delivery of effective governance and monitoring on cyber risk and technology risk, based on strategic and tactical threat intelligence analysed and selected by the team.
• Foster and maintain effective relationships and collaboration with regulators, law enforcement, exchange peers and industry partners, such as to participate and provide feedback on industry drills and cyber information sharing initiatives.

Experience, Skills and Qualifications:

• A self-motivated, collaborative individual with highly effective communication skills for delivering cyber risk messages in English to a broad range of technical and non-technical audiences, including business users.
• Proficiency in Cantonese and Putonghua would be an advantage
• University degree in information security, computer science, or related fields of study
• At least 6-8 years of relevant experience in cyber risk management, preferably in financial services sector or professional services for clients in financial services industry
• Solid experience in monitoring and analyzing cyber risk and intelligence, planning and delivering red-team exercises (e.g. Bank of England CBEST, CREST STAR, HKMA iCAST) and overseeing cyber incident management, conducting cyber security reviews and tests, cyber forensic practices, cyber awareness training and phishing tests
• Hands-on security operations, threat intelligence, incident response, malware reverse engineering and other related experience would be beneficial;
• Demonstrate good knowledge in IT environment and cyber related controls from both a tactical and strategic viewpoint
• Proven track record in initiating and implementing significant changes or projects involving different stakeholders and aligning their interests.
• At least one of the relevant certification/accreditations in offensive security, cyber defense and threat intelligence, including but not limited to CREST (CCSAS/CCSAM/CCT), OSCE3 (OSWE/OSED/OSEP), OSCP, GIAC (GXPN/GCPN/GPEN/GCTI/GDAT)
• General knowledge of exchange business, stock market and regulatory practices is highly regarded
• Less experienced candidate may be offered an AVP role

HKEX is committed as an Equal Opportunity Employer. Diversity is one of our core values and we look to support, respect diverse perspectives, abilities, culture and experiences within our workplace. Location: HKEX - Exchange Square Shift: Standard - 40 Hours (Hong Kong SAR) Scheduled Weekly Hours: 40 Worker Type: Permanent