The Global Cyber & Information Security function is part of the Global Technology department. The Global Technology Group provides IT services to the Fidelity International business. These include the development and support of the business applications that underpin our revenue, operational, compliance, finance, legal, marketing and customer service functions. The broader organisation also incorporates the infrastructure services that the firm relies on to operate day to day, including data centre, networks, proximity services, security, voice, incident management and remediation.
Global Cyber & Information Security is made up of the following functions:
- Application Security (through secure coding practices, penetration testing, and developer training)
- Centralised Access Management, working to the principles of least privilege, access appropriate to role, and Role Based Access Control (RBAC)
- Infrastructure Security
- Security Engineering and Architecture
- Security Application Support
- Cyber Defence Operations (CDO)
- Information Security (and the ISO function)
Purpose of your role
The Information Security function at Fidelity International is part of the Global Cyber & Information Security (GCIS) group, reporting to the Head of Global Cyber & Information Security. The function includes the Information Security Office, and Information Security Management. The Information Security function works with business partners and channels to balance their strategies with reducing risk to the organisation, supporting those partners to manage data risk within the firm's risk appetite. The Information Security function acts as the business engagement point, providing a bridge between business, technology and Cybersecurity. The Information Security function takes in business requirements, but also delivers back key control requirements and supports the business in achieving the required control targets and behaviours.
The ISO will also be responsible for working with business and Technology stakeholders to balance real-world risks against business drivers such as speed, agility, flexibility and performance. The ISO must be able to translate the IT-risk requirements and constraints of the business into technical control requirements and specifications, and develop metrics for ongoing performance measurement and reporting. The ISO will support their aligned region/business channel by taking in business requirements, delivering back key control requirements, and supporting the business in achieving the required control targets and behaviours through ISO scorecards. The ISO will have in-depth knowledge of the Information Security regulatory requirements affecting their aligned channel and be able to guide the channel on appropriate compliance measures.
This ISO role requires an individual with an ability to work with the Technology organisation and business management to align priorities and plans with key business objectives. The ISO will act as an empowered representative of the Information Security lead during business planning initiatives to ensure that security measures are incorporated into strategic business plans.
The ISO must be able to prioritise work efforts - balancing operational tasks with longer-term strategic security efforts. Documentation and presentation skills, analytical and critical thinking skills, and the ability to identify needs and take initiative are key requirements of the position.
Key responsibilities
- Operate as the ISO for Asia Pacific
- Establish and maintain relationships with senior executive stakeholders as appropriate across Asia Pacific
- Work with the Information Security lead to develop a security program and security projects that address identified risks and business security requirements.
- Provide support to key Fidelity business units including board reporting and presentations
- Understand the Information Security regulatory requirements affecting their aligned channel and be able to guide the channel on appropriate compliance measures.
- Support the aligned business channel in understanding the appropriate application of Information Security policies and standards
- Direct an ongoing, proactive risk assessment program for all new and existing systems, and remain familiar with the business channel's goals and business processes so that effective controls can be put in place for the areas presenting the greatest information security risk
- Work with business partners to manage security risks in line with risk appetite
- Define, contribute to and use the ISO scorecard for the aligned business channel
- Monitor and report on compliance with security policies, as well as the enforcement of policies within the IT department.
- Propose changes to existing policies and procedures to ensure operating efficiency and regulatory compliance.
- Assist resource owners and IT staff in understanding and responding to security audit failures reported by auditors.
- Participate in problem and change management forums.
- Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.
- Serve as an active and consistent participant in the information security governance process.
- Work with IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security program.
- Provide support and guidance for legal and regulatory compliance efforts, including audit support.
- Consult with IT and security staff to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software.
- Work with the enterprise architecture team to ensure that there is a convergence of business, technical and security requirements; liaise with IT management to align existing technical installed base and skills with future architectural requirements.
- Develop a strong working relationship with the security engineering team to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements.
Experience and qualifications
- 8+ years' experience in Information Security, preferably within an international Financial Services firm
- The ability to build strong relationships at all levels and across all business units and organizations, and understand business imperatives.
- A strong understanding of the business impact of security tools, technologies and policies.
- Capability to work with minimal supervision.
- Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with the IT organization, project and application development teams, management and business personnel; in-depth knowledge and understanding of information risk concepts and
- Experience working with legal, audit and compliance staff.
- Experience developing and maintaining policies, procedures, standards and guidelines.
- Experience with common information security management frameworks, such as ISO/IEC 27001, the IT Infrastructure Library (ITIL), NIST, the Cloud Security Alliance (CSA) and CIS
- Familiarity with applicable regional legal and regulatory requirements, including, but not limited to, the HK SFC, HK EDSP, Singapore MAS, GDPR and China cybersecurity laws
- Proficiency in performing risk, business impact, control assessments, and in defining treatment strategies.
- Flexible and enthusiastic approach
- Related graduate degree
- ISO/IEC 27001 Lead Implementer or Lead Auditor certification
- Qualifications such as CISSP, CISA, CRISC or CISM are an advantage