About Alliance Bank Malaysia Berhad
Alliance Bank Malaysia Berhad and its subsidiary, Alliance Islamic Bank Berhad, offer banking and financial solutions through their Consumer, SME, Commercial, Corporate and Islamic banking businesses. The Bank provides easy access to its broad customer base throughout the country via multi-pronged delivery channels that include retail branches, Privilege Banking Centres, Business Centres and Digital banking services.
We are currently seeking a high-calibre professional to join our Group Information Technology (IT) Risk department, under the Group Risk Management division, as an Assistant Vice President, IT Risk (Security & Third-party Risk).
The Role
The successful candidate will be accountable for supporting the IT Risk Department and Group Risk Management on tasks related to the management of enterprise-wide IT risk matters. These include:
- Manage the Bank's technology and cyber security risks while meeting business service commitments
- Review business requests, projects and initiatives, ensuring technology and cyber risks are adequately assessed and mitigated
- Keep stakeholders abreast of technology and cyber security threats, the effectiveness of current controls and the priority of enhancement initiatives
- Assess technology and cyber risks and oversee the implementation of mitigating controls
- Monitor and analyse IT risk areas in the Bank's operations
- Develop and implement the appropriate frameworks and policies to mitigate technology and cyber risks for the Group
- Ensure the vision of the Group Chief Risk Officer (GCRO) and Group Chief Information & Security Officer (GCISO) is executed across the organisation through individual portfolios
- Support the Chief Information & Security Office (CISO) in the implementation of all Cyber Security Programmes
Job Description
Cybersecurity and Third-Party Risk
- Manage risk around Information Security, Cyber Risk and Third-party Risk
- Oversee Third-party Risk Management from an IT perspective
- Evaluate the design and architecture of implementations / solutions from a security risk perspective
- Oversee the 1st Line of Defence security function
- Advise business and IT stakeholders on all matters relating to risk management around security and Third-party Risk (focused on IT)
Independent Risk Reviews
- Bridge the gap between Group Risk Management and business interests across all business functions with regard to IT matters
- Manage third-party risk across Outsourcing Service Providers (OSP) as well as Non-Outsourcing Service Providers (Non-OSP) from an IT Risk perspective
- Participate in simulated cyber-attacks / cyber drills that test the organisation's cyber capacity by measuring its ability to detect and respond to a security incident
- Provide recommendations and feedback to business stakeholders on improving their capability to comply with BNM's Management of Customer Information and Permitted Disclosures (MCIPD) controls from an IT Risk perspective
- Conduct risk assessments via Independent Risk Reviews (IRR) to evaluate the measures in place at the various lines of business (LOBs) to safeguard IT assets and data, and provide recommendations to mitigate any cyber / IT risks arising from project implementations
- Perform independent IT risk assessments of IT / cyber-related incidents to review the sufficiency of the recovery actions and permanent corrective actions taken by the respective stakeholders
Consultative and Advisory Role
- Provide consultative advice and guidance on IT and cyber security related risks, issues and incidents, based on internal frameworks, policies and procedures, regulatory requirements and ongoing industry-wide IT concerns
- Participate in IT projects and initiatives in an advisory capacity to assist in managing IT and cyber risk
Frameworks, Policies and Procedures
- Develop and review all frameworks, policies and procedures under the purview of Group IT Risk
- Review all IT-related frameworks and policies for consistent and synergistic implementation across the Group
Risk Appetite and KRI Monitoring
- Establish, develop and maintain IT and cyber risk metrics, Risk Appetite Statements (RAS) and Key Risk Indicators (KRI)
- Monitor IT and cyber risk RAS and KRI within the Group
- Summarise the performance and trends of IT and cyber risk RAS and KRI for periodic reporting to management and the Board
Regulatory / Audit Requirements Follow-ups
- Understand the requirements of regulators / auditors and ensure compliance with them
- Address queries and requests from all regulators and auditors in a timely manner
- Coordinate all activities related to regulatory and audit requests / queries with the relevant stakeholders so that the necessary information reaches regulators / auditors / stakeholders in a timely manner
- Ensure consistent and timely follow-up on all regulatory and audit matters until resolution
Other BAU Activities as part of daily operations
- Assess / review the materiality of risk for IT-related initiatives and provide feedback to business stakeholders on matters relating to risk materiality
- Where required, perform business continuity management activities within the remit of Group IT Risk
- Review daily cyber events and report to BNM based on analysis from the Security Operations Centre (SOC), covering, but not limited to, hacking attempts, malware and DDoS attempts
- Review and report IT and cyber incidents (where applicable) to the relevant regulatory bodies
- Participate in Information Technology and Cybersecurity risk awareness initiatives
- Participate in the preparation of periodic Technology Risk Management Dashboards / Risk Reports for committee reporting. This includes analysing trends and addressing anomalies in IT and security statistics across key areas of infrastructure and security monitoring, such as system availability and security alert notifications from SOC monitoring, which feed into the risk report
- Assist in the implementation of any IT Risk related projects
- Leverage enterprise and operational risk management tools to coordinate and manage IT Risk within the Group (e.g. RAS / RCSA / CSA / KRI)
- Report to management and Board-level committees on IT and cyber risk matters via monthly risk reporting
- Independently review System Impact Analyses (SIA) produced by system owners and Group Digital Innovation
- Perform independent thematic reviews on a scheduled as well as ad-hoc basis to assess the design and effectiveness of controls in managing IT and cyber risk
Job Requirements
Skills
- Attention to detail and quality of work output
- Customer / stakeholder management
- Time management
- Ability to understand business requests and provide value to the business
- Communication skills
- Organised and structured in carrying out tasks
- Flexibility to adapt and respond to changing requirements
- Proactive and independent in managing expected outcomes based on established work practices
Knowledge
- Sound understanding of information systems and security controls, as well as relevant technology solutions that comply with regulatory and banking industry requirements
- Ability to manage information security and cyber-attack incidents according to industry standards
- Ability to develop technology and cyber security risk management frameworks, policies and procedures
- Regulatory requirements for the Financial Services Industry relating to technology risk, cyber security risk and the risks of managing customer information, such as BNM's Risk Management in Technology (RMiT) and MCIPD
- Management of RCSA, KRI, LED, MCIPD and CSA in the banking industry
Experience
- At least 5 years of working experience in IT Risk Management within the banking industry
- At least 2 years of working experience in Third-party Risk Management, IT security management or IT security risk management
- Relevant professional certifications will be advantageous, for example CCSK, CISSP, CISM, CRISC or ISO 27001 Lead Auditor
- Wider experience in the banking / financial industry will be advantageous