This role is within the 1st Line of Defence and will play a key role in the development of a new, data-driven control environment that will provide the Business with a better understanding of their exposure to risk and the effectiveness of the protective measures deployed by HSBC Cybersecurity. The role holder will be part of the team of experts working closely with the Control Owners and provide technical expertise in monitoring the overall controls environment and providing controls assessment of all Cybersecurity controls. They will also be part of the Cybersecurity Risk and Controls Strategy (CRCS) Team and will be responsible for providing overall guidance and ensuring that the Control Continuous Monitoring (CCM) Team deliverables support other CRCS activities. This work will require the role holder to adhere to all applicable HSBC policies and a range of local regulations in the markets where the firm does business.
Objectives of the role:
The Cybersecurity CCM Business Analyst will play a key role in defining, designing and maintaining the control environment for Cybersecurity. The role holder will be tasked with providing day-to-day management of the controls monitoring and assessment process for all Cybersecurity-owned operational control instances.
The ideal candidate will possess strong problem-solving and communication skills and knowledge of the cybersecurity control environment, with the ability to present information at different organisational tiers. The role holder will be required to manage stakeholders including Cybersecurity Leadership and staff, Control Owners, Chief Controls Office, Audit (both internal and external) and 2LoD Resilience Risk teams.
- Maintenance and management of the continuous control assessment process - the Team will support Control Owners in self-assessment of the existing control environment using the dedicated risk management tools (HELIOS, CCM Archer). The Team will perform spot checks on controls assessments on a monthly basis in order to maintain the high quality of assessment executions and verify that these follow the guidelines and industry best practices.
- Establishing guidelines for CCM and supporting Control Owners and Control Operators in implementing them into their work.
- Cybersecurity Control Maturity Assessment - the Team will maintain and refresh the mapping of HSBC controls to the NIST FSS framework, support Control Owners in reviewing controls maturity scoring, preparing maturity forecasts and collecting required evidence. The Team will work closely with the 3rd Party engaged in the independent assessment of the Bank's cybersecurity control environment maturity.
- Cybersecurity controls issue monitoring - the Team will take part in the triage of newly identified issues, findings (self-identified, audit, regulatory, red team findings) and other trigger events to estimate their impact on the current control effectiveness and take necessary actions to address them;
- Support Control Owners in drafting issues and Management Action Plans (MAPs) to address the gap and mitigate the emerging risk;
- Cybersecurity Control Instances Review - the Team will take part in reviewing an additional layer of operational controls (Control Catalogue), to improve the control environment and enable in-depth risk management for both Cybersecurity and the Group;
- Ensuring adherence to HSBC policy, governance controls and design standards.
Who we're looking for?
- Significant subject matter expertise in Control Management. This includes but is not limited to controls monitoring and implementation and control assessment;
- Experience with Technology risks and controls. Knowledge of Cybersecurity is a must.
- Understanding of Cybersecurity concepts such as threats, vulnerabilities, attack vectors, inherent/residual risk;
- Experience in control monitoring and control effectiveness assessment is a must;
- Familiarity with the NIST FSS Cyber Security Framework (CSF) is a must;
- Understanding metrics and measures in managing risks and controls (KPIs, KCIs, KRIs);
- Knowledge of Centre for Internet Security (CIS) Measures and Metrics is a plus;
- Experience working with high-performing teams to plan and deliver complex projects;
- Experience in dealing with Senior Management, internal and external audit;
- Proven organisational, planning, interpersonal, managerial, analytical, problem-solving, decision-making, and team building skills.