KEY ACCOUNTABILITIES :

Technology Risk Management Framework:

• Establish IT risk management framework to identify, analyse, mitigate, manage, monitor, and communicate IT risks.
• Ensure adherence to Group Security policies and standards for effective implementation of security controls within GIT.
• Contribute towards maintenance of standard technology risk and control library.
• Implement the cyber risk assessment model and analysis approaches.
• Understand how cyber risk fits into overall Technology Risk Management and ensure integration.
• Identify, agree and manage various assurance initiatives and internal reviews across GIT

Cloud Management

• Ensure due diligence of cloud service providers and oversee ongoing cloud service providers security assessments.
• Evaluate cloud solutions and determine risk of technology architecture, implementation, and suitability for the organization.
• Ensure cloud service providers contracts are compliant to Group policies/processes and relevant controls are considered in the contract with cloud service providers.
• Assess the risk implications of digital innovation and its impact on technology risk profile of the bank. Provide recommendations to optimize the risks and ensure technology policy and process alignment.
• Support and maintain risk assessment capabilities to review and assess digital business models end to end.
• Work with business and technology teams to better understand digital business risk and facilitate a balance between the need to protect the organization and the need to optimize customer experience.
• Conduct in-depth technical security reviews, risk assessments, and architecture reviews for Cloud based technologies and solutions to ensure alignment with information security policies and technology guidelines.
• Provide risk management guidance and advice to technology teams on cloud technologies and digital solutions.

DevOps/DevSecOps/Agile Practices

• Provide inputs to development and maintenance of policies, frameworks, methods and standards for the DevOps and agile practices.
• Work with technology teams to embed automated controls across delivery pipeline. Collaborate with service teams to ensure CI/CD pipeline delivers faster time-to-market for the product and positive customer experience.
• Monitor and support integration and standardization of related development methodologies across Technology service lines.
• Facilitate the “shift to the left” approach of moving a task to an earlier stage in the development cycle to ensure the risk and security standards are met from the beginning
• Advocate adaptation of continuous feedback loop mechanisms and ensure team members are regularly prompted to improve the development and maintenance of the solutions.
• Coach agile teams in the methodology and ensure training is provided to employees on the agile practices.
• Evaluate possible bottlenecks of running the application in production and suggest service improvement plans.
• Ensure compliance and security best practices are incorporated throughout the development process.

Technology Risk Identification & Assessments:

• Ensure timely identification and assessment of IT risks throughout software development / acquisition lifecycle.
• Ensure IT risks are managed as per the agreed IT risk appetite, tolerance levels and in accordance with remediation plans and target dates defined in alignment with Group Policies.
• Support and help technology teams on various risk and control assessments activities.
• Participate in Project & Change reviews to ensure appropriate treatment of technology risks.
• Work with technology teams to ensure implementation of comprehensive solutions to protect organization information assets.
• Manage periodic risk assessment activities to identify vulnerabilities, threats and control effectiveness.
• Periodically identify the risks that might compromise cyber security.
• Analyse the severity of each risk by assessing likelihood and impact. Agree with stakeholders on the residual risk ratings and potential risk exposure.
• Qualify/quantify exposures and vulnerabilities on a big-picture scale to create a thorough understanding of the risk environment.

 Technology Risk Treatment & Review:

• Oversee development of risk treatment strategies to maintain the bank’s risk posture at the desired level.
• Engage with various IT teams to review risk profile, risk treatment strategies and action plans.
• Ensure proper implementation of risk treatment options such as mitigation, transfer, acceptance etc. and help IT teams in closure of risks/issues.
• Regularly review current risk measures and ensure implementation of adaptive approach to manage evolving cyber risks.

Technology Risk Monitoring & Reporting:

• Identify and define Key Risk Indicators (KRI) to monitor high risk areas.
• Deliver periodic risk profile reports and KRI reports to senior management.
• Review Major incident Reports and ensure proper risk/control measures are identified to prevent incident reoccurrence.
• Manage Technology risk committee meetings and ensure closure of action items.

Knowledge, Skills & Experience :

Knowledge & Experience:

• 10 or more years of working experience in IT Security, Risk and Governance practices.
• 3+ years of experience working in leadership role IT Security, Risk and Governance.
• Knowledge and expertise in virtualization and cloud computing environments (different cloud models and types).
• Hands on experience in using various Cloud Security best practices such as Cloud Security Alliance (CSA) guidelines and National Institute of Standards and Technology (NIST) guidelines.
• Demonstrated experience in conducting technical risk assessments for various Cloud platforms.
• Good understanding of process models and industry standards relating to IT Security, Risk and Governance.
• Good understanding of security and risk management in financial institutions.
• Excellent knowledge all aspects of technology: infrastructure; operations, security, development, change/transformation, support, innovation, vendor management etc., and banking related processes especially risk management. Should have demonstrable experience of working in many of these domains.
• Strong analytical capabilities and knowledge of related tools and processes.  Proven ability to handle volume detail and summarize effectively.
• Good understanding of banking related environments – especially around high availability, data confidentiality, security etc.
• Evidence of influencing senior stakeholders and dealing with external auditors and regulators.
• Excellent interpersonal skills and good oral and written communication skills.
• Achievement of industry recognized certifications such as CISSP, CRISC, CCSP, CCSK, CISA etc.
• Achievement of AWS and Azure cloud certifications is preferable.  

SKILLS :

• Relationship management
• Influencing skills
• Big picture thinker with attention to details
• Strong change and communication skills
• Strong analysis skills
• Strong interpersonal skills
• Resource (time and people) management skills