IT Cybersecurity Manager

Position Purpose

Provide a brief description of the overall purpose of the position, why this position exists and how it will contribute in achieving the teams goal.

Main Scope

Participate to IT project security reviews conducted both on a global and APAC basis across all platforms. Participate in the Security Operation meetings in APAC, EMEA CH regions. This requires the incumbent to foster close working relationships with other business areas and IT Development/Production/CSIRT/Production Security teams.

The incumbent will work hand in hand with the IT Dev, Prod teams and the business, as an enabler and a facilitator.

Responsibilities

WM IT Risk and Security Manager

o Manage the WM IT Risk and Security local team in India by managing the recruitment, performances review as well as training and career-path development.

o Coordinate with APAC WM security actors, including India-based resources.

o Coordinate with APAC WM IT teams on risk and security topics, while promoting a secure development and deployment culture

o Assist for a Risk Treatment for any APAC WM issue, based on the WM GAIM generic process.

o Periodic reporting of security status to WM CISO APAC and WM Global CISO

o Contribute to the IT Risk and Cybersecurity Governance including procedural framework, Cybersecurity awareness and communication.

o Ensure the regular reporting for management follow-up

IT Security Compliance (delegation on WM APAC scope)

o Ensure the alignment with the Group and WM GAIM security policies, for both project and production assets.

o Ensure the protection of WM business data with an adequate security level of WM assets, based on project assessment and production review processes.

o Ensure the compliance with regulatory bodies requirements, including for APAC (HKMA, MAS), EU (GDPR), Switzerland (FINMA)

o Leveraging on a deep knowledge of Security standards such as NIST, CIS,ISO2700x , ensure the compliance with the IT security requirements

o Ensure the compliance with the Third-party Technology risks and Cloud security.

o Identify the process gaps and provide solutions.

Application Security

o Ensure the effective implementation of Secure SDL including the DevSecOps and Threat modelling practices.

o Identify and implement the latest security standards for internet facing and internal assets.

o Improve the Vulnerability Management at the application level in terms of efficiency as well as effectiveness (including Static Acceptance Security Testing SAST, Dynamic Acceptance Security Testing DAST and Software Composition Analysis SCA).

Perform Security risk assessments and reviews to be presented to respective committees.

Ensure the adequate security level for all WM GAIM applications, whatever the IT project managers location and hosting provider.

Production Security Oversight (delegation on WM APAC scope)

o Identify the production security requirements and ensure a smooth integration of WM assets within APAC IT Production, including network flow opening and Application Zoning compliance.

o Identify the compliance level of the production environment and contribute to remediation actions definition while keeping the oversight on actions progress.

o Keep an overview and ensure the adequate Vulnerability Management at the server and middleware level leveraging on production scans and liaising with relevant production stakeholders. Contribute to the management of Cybersecurity incidents.

CyberSecurity Program (delegation on WM APAC scope)

o Contribute to the steering and driving of the security initiatives on the APAC scope expected by the WM Cybersecurity Program.

Coordination with IT Security actors

WM GAIM Global CISO

APAC CIB Business Information Security and Production Security

Swiss Security team

IT Security community within the Group

Cybersecurity / Technical Value-added Competencies

Cybersecurity Governance: framework (NIST / CIS framework), Security incident management, Logging Detection (SIEM ELK products)

DevSecOps: CI/CD toolchain knowledge of various tools

o Source code management: sonarQuabe, bibucket, github/gitlab

o Security application scanning (e.g. Sonatype/NexusIQ, Fortify, AppSpider, Qualys, DTR scan)

o Automation/orchestration: Ansible tower, Jenkins

Application Security: Threat modeling, Security architecture key concepts, exposure to various development framework and applicative landscape (Java/Web, Mobile applications, containerization/docker, kubernetes, API management, Cloud security)

Vulnerability Management

o Nexpose, Nessus

Ethical Hacking Knowledge

o Kali Linux knowledge (metasploit, nmap)

Qualifications and Experience

10 years' experience in information security evaluation and design of technical architectures

Functional as well as technical knowledge of the applications used within BNP Paribas

Knowledge of the Norms and Standards of the BNP Paribas Group, in particular with respect to ITRM Wholesale IT Security Norms and Policies

Team management experience is a must

Preferred Master level in Computer science and Information Security

Skills Referential

Behavioural Skills: (Please select up to 4 skills)

Communication skills - oral written

Ability to collaborate / Teamwork

Decision Making

Ability to deliver / Results driven

Transversal Skills: (Please select up to 5 skills)

Ability to set up relevant performance indicators

Ability to develop and adapt a process

Ability to manage a project

Ability to develop others improve their skills

Ability to manage / facilitate a meeting, seminar, committee, training

Education Level:

Master Degree or equivalent

Experience Level

At least 10 years

Other/Specific Qualifications

Other Value-added Competencies

Advanced IT security certifications may be advantageous (such as CISM, CCSP, CSK, CEH, CISSP).

Operational Risk and Permanent Control

Data Analytics solutions (Tableau, PowerBI) and strong expertise in Dashboard/reporting