Role Introduction
Reports to: IT Risk and Security Manager
This role is responsible for developing and managing security assessment and IT security testing to ensure that initiatives, contracts and applications are properly assessed for any inherent risks and adhere to security standards. This role requires an ambitious individual with a proven ability to lead and manage a team, develop and enforce clear guidelines and best practices for assurance, deliver engagements and manage a diverse set of stakeholders.
Key Responsibilities
Areas of Assessments
- Lead IT Risk and Security assessments and follow up mitigation items.
- Communicate to senior management concerning residual risk, vulnerabilities and other security exposures, including misuse of information assets and non-compliance
- Provide SME inputs in resolution of reported security incidents
- Evaluate risks and threats on exception-based security requests & advise BUs on required mitigation
- Proactively maintain up-to-date understanding of the latest threats, vulnerabilities, mitigation and industry best practices
- Mentor and manage team members
- Develop security frameworks to be used by IT Risk and Security Analysts (e.g. cloud Security assessment, contractual requirements, risk assessment methodology)
- Define and maintain assessment and testing procedures, guidelines, and frameworks
- Drive efficiencies in assurance by industrializing the assessment of controls
- Monitor changes in security standards, frameworks, processes, and the operating environment that imply changes to the assessment of controls or the assurance approach
- Vendor Management
- Manage assessment and testing tools
Areas of Testing
- Strengthen the testing discipline by driving and implementing the security testing framework and process into project and BAU activities
- Oversee the security testing quality of delivery, including but not limited to security test documents and test execution approaches, to ensure the security tests are fit for purpose across all key applications and infrastructure
- Manage test vendor delivery quality, including review of testing pass/fail criteria, ensuring standards for stakeholder acceptance are in place and ensuring that the defined security test scenarios adequately cover the security non-functional requirements
- Accountable for ensuring all security requirements according to policies and guidelines are examined and that feasible recommendations for any findings are provided by the relevant test vendor or internal resources
- Liaise and prioritize security testing resources to ensure multiple project and BAU security tests are delivered in a timely and effective manner based on priority and criticality
- Manage and coach internal Security Testing team resources to ensure resources are properly utilized in project and BAU testing
- Adopt a risk-based approach to translate technology risk into actual business impacts and prioritized actions
- Prepare and propose any security tools to facilitate qualitative security testing
- Provide requirements to facilitate establishment of a testing environment that enables the successful completion of security testing
- Report and record all findings and communicate any residual risk to the relevant teams
- Cross-team collaboration with test vendors and internal resources to improve the security testing methodology
- Keep abreast of the latest trends in cyberattacks and understand the implications for testing methods
- Cross-team collaboration with various internal security teams on developing new security testing processes to enhance the CPA security assurance level
- Conduct training on security testing methodologies and techniques to IT teams and security testing team
- Promote secure coding best practices to developers
Requirements
- 10+ years' relevant experience in the assurance and security testing area
- Lead teams
- For assessments: solid competencies in information security processes, frameworks and technologies, IT risk assessment and certification in the assessment and risk discipline such as CISSP, CRISC, CISM
- Knowledge of Information security standards (e.g. ISO27001) and Privacy Regulations
- Strong experience in vendor management
- For testing: solid competencies in penetration testing and ethical hacking, OWASP, NIST, OSSTMM, OSINT and certification in the testing discipline such as OSCP, SANS-GWAPT, OSEP, OSWE, OSCE, CEH
- Expert level knowledge of security-related attacks, security testing methodologies, standards and assessment tools
- Expert knowledge on security solutions and tools
- Ability to listen and articulate ideas verbally and in written formats to a broad range of audiences; ability to ask probing questions and deliver presentations that have impact
- Strong interpersonal skills and ability to maintain good relationships with others
- Proven management experience is a plus
- Proactive and willing to accept and drive changes to accomplish positive outcomes
- Well-developed analytical, problem-solving, and decision-making skills; strong troubleshooting skills; ability to identify patterns and generate ideas
- Focus on the end users or customers’ needs; ability to set expectations and understand end user behavior
- Demonstrable experience of successfully managing Assurance or operational activities within a Business Unit
- Understanding of Agile, Kanban and Scrum basics
- Good understanding of emerging technology risks, e.g. cloud (SaaS, PaaS and IaaS), automation, etc.
- Cyber – NIST, CSA
- High level of drive, initiative and self-motivation
- Understanding of Technology and User Experience
- Love for simplifying
- Growth Mindset
- Willingness to experiment and improve continuously
- Strong problem solving and analytical skills
Personal & Application Information
Cathay Pacific is an Equal Opportunities Employer. Personal data provided by job applicants will be used strictly in accordance with our personal data policy and for recruitment purposes only. Candidates not notified within eight weeks may consider their application unsuccessful. All related information will be kept in our file for up to 24 months. A copy of our Personal Information Collection Statement will be provided upon request by contacting our Data Protection Officer.