Reports to: Head of IT Risk and Security

• Identify innovations in Cybersecurity products and work with architects to lead their adoption in Cathay
• Understand business requirements and use cases to deliver value using a pragmatic approach to various controls of information security. 
• Support creation of Cyber initiative roadmaps based on findings in Cybersecurity Maturity Assessments and Cybersecurity Control Gap Remediation covering the design and implementation of controls to address the people, process and technology risks. 
• Work closely with the cyber security program team to drive the security roadmap and deliver value
• Develop and drive a metrics driven reporting culture 
• Support maturity assessments, audits and compliance requirements
• Promote cyber awareness and culture in Cathay
• Managing and mentoring the reporting staff.

• Deliver cybersecurity engagements including security strategy, policy and architecture, information privacy and governance, certification and compliance, business and technology resilience and security testing.
• Communicate technical issues in business terms and deliver value using a pragmatic approach to the technical components of information security.
• Support Maturity Assessments and Cybersecurity Control Gap Remediation (covering the design and implementation of controls to address the people, process and technological risks).
• Technology risk assessment with respect to Cyber risks and identifying relevant mitigations
• Assess the IT security architecture across-application, database, operating system, hardware platforms (including web and mobile) and network infrastructure -for vulnerabilities to cyber-attack and provide comprehensive strategies to mitigate those risks
• Assessment of various controls and coverage of cybersecurity tools in Cathay group
• Assess the potential of security technologies and provide insights on automating, consolidating and operational efficiencies of the existing security tools
• Identify and communicate engagement findings to senior management and client personnel
• Develop spaneting and training materials to help develop staff awareness within Cathay group
• Ability to manage and handle multiple matters and reprioritization as required by operational and security needs
• Vendor management expertise, especially managing security vendors, and working closely with them to identify the roadmap and relevance to Cathay.
• Ensure setup of Daily, Weekly and Monthly reporting and sharing of such reports to management

• University graduate in IT
• 10 years within IT Security field and particularly in Security Architect or Strategist in last 3 years.
• Experience with common information security management frameworks, such as ISO 27001, CobiT, ITIL, PCI
• Knowledge of keys laws and regulations such as PDPO, PCPD, GDPR, Critical Infrastructure Services (HK CIO) and like wise
• Able to present and communicate with senior stakeholders
• Able to prepare and communicate Business Cases for initiatives under Cybersecurity roadmaps
• Professional qualification holder will be preferrable (e.g. GPEN, OSCP, CISSP, CRISC, CISA, or CISM, other relevant qualifications)
• Prior consulting experience in information security preferred, ideally within a professional services environment or internal consultancy function delivering cyber security related services will be an added advantage
• Excellent written and verbal communication skills in English and Chinese (Mandarin or Cantonese) preferred but not mandatory
• Interpersonal skills with a demonstrated ability to gain the confidence and respect of senior level executives
• Analytical skills and the ability to develop thought leadership
• Relevant experience on technologies involving enterprise cybersecurity and controls
• Experience on managing security operations and/or assurances will be an added advantage
• Knowledge of IT security vendor products is an advantage
• Knowledge on Cyber risks management

Cathay Pacific is an Equal Opportunities Employer. Personal data provided by job applicants will be used strictly in accordance with our personal data policy and for recruitment purposes only. Candidates not notified within eight weeks may consider their application unsuccessful. All related information will be kept in our file for up to 24 months. A copy of our Personal Information Collection Statement will be provided upon request by contacting our Data Protection Officer.