VP, Technology Risk - Threat Research (Red Team)

Responsibilities:

• Plan and execute periodic in-house and external red-team exercises, and oversee the implementation of rectification measures.
• Evaluate existing cyber defenses against MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework.
• Plan and perform security tests regarding trading and clearing-related environment, systems, products and applications upon request.
• Monitor and analyse emerging cyber risks in the region, having regard to cyber intelligence and threat landscape related to relevant Group entities.
• Escalate major cyber risks and coordinate measures to address the potential impact to the operational resilience of the Group to senior management and relevant stakeholders in a timely manner.
• Conduct 2nd line specialist investigation and follow-up into significant cybersecurity incidents to identify potential root causes and improvement opportunities.
• Provide specialist support to the delivery of effective governance and monitoring on cyber risk and technology risk, based on strategic and tactical threat intelligence analysed and selected by the team.

• 8-10+ years of relevant experience in cyber risk management, preferably in financial services sector or professional services for clients in financial services industry
• Solid experience in monitoring and analyzing cyber risk and intelligence, planning and delivering red-team exercises (e.g. Bank of England CBEST, CREST STAR, HKMA iCAST) and overseeing cyber incident management, conducting cyber security reviews and tests, cyber forensic practices, cyber awareness training and phishing tests
• Hands-on security operations, threat intelligence, incident response, malware reverse engineering and other related experience would be beneficial
• At least one of the relevant certification/accreditations in offensive security, cyber defense and threat intelligence, including but not limited to CREST (CCSAS/CCSAM/CCT), OSCE3 (OSWE/OSED/OSEP), OSCP, GIAC (GXPN/GCPN/GPEN/GCTI/GDAT)