GXS Bank

Tech & Cybersecurity Risk Lead

Posted 7 Days Ago
In-Office
Singapore
Senior level
Lead the Cyber Risk Governance team by managing technology and cyber risks, developing risk frameworks, and overseeing security assessments and compliance with regulations.
The summary above was generated by AI

 

About the Team:

You will join the dynamic Tech and Cyber Risk Governance team, operating as a vital second line of defence (2LoD) function. We are the dedicated guardians of GXS Bank's digital resilience, responsible for establishing, maintaining, and overseeing robust governance frameworks to effectively manage technology, cybersecurity, and related third-party risks across the Bank and subsidiaries. With a footprint in the region, our team plays a pivotal role in identifying, assessing, mitigating, and monitoring technology and cyber risks, whether they originate from internal projects, existing systems, or external partnerships. We collaborate extensively across Technology, Operations, Business Units, and other control functions to ensure the Bank and subsidiaries operate securely, comply with regulatory requirements, and confidently pursue innovative goals. We champion a proactive risk culture and value deep expertise, critical thinking, continuous improvement, and technical proficiency in developing and enhancing our GRC capabilities.

Key Responsibilities:

As a senior member of the Tech and Cyber Risk Governance team, you will play a key role in shaping and executing the Bank's strategy for managing technology and cyber risk. Your expertise is crucial for safeguarding the Bank's resilience, ensuring regulatory compliance, and enabling secure innovation across the region, with a strong emphasis on technical risk assessment across diverse initiatives and developing our ServiceNow GRC platform.

1. Governance, Risk Framework & Acceptance:

  • Develop, implement, and maintain the Bank’s comprehensive technology and cyber risk frameworks, policies, and standards, ensuring alignment with regulatory requirements (MAS TRM & Outsourcing Guidelines, etc.) and best practices.

  • Drive adherence to these frameworks and standards across business and technology functions for both internal projects and third-party engagements.

  • Oversee and perform formal risk assessments and manage the risk acceptance process according to Bank policies and risk appetite.

2. Risk Assessment & Management:

  • Lead and conduct complex technical security risk assessments for internal systems, new bank-wide projects, applications, infrastructure changes, and third-party engagements (cloud, software vendors, etc.) throughout their lifecycle.

  • Drive the definition and reporting of technology and cyber key metrics (Key Risk Indicators (KRIs), etc.) against the Bank’s risk appetite.

  • Contribute to and oversee aspects of the Third Party Risk Management (TPRM) process from a technical security perspective, as part of a holistic risk management approach.

  • Assess the design and operating effectiveness of technology and cyber controls within internal environments and third-party services, determine residual risks arising from control failures, and recommend necessary remediation actions.

  • Maintain a risk register of all residual risk acceptances with implications for technology and cyber risks.

  • Proactively track and monitor the implementation of agreed-upon technology and cyber risk mitigation measures and conduct effectiveness reviews to ensure risk reduction to acceptable levels.

  • Engage in technology and cyber risk governance activities through regular participation in, and reporting of updates to, committees, management, and working groups as required.

3. Technical Security Solutions & GRC Platform Development:

  • Conduct in-depth technical validation of security controls, architecture, and evidence for both internal systems/projects and third-party solutions (SOC 2 & ISO reports, pen test reports, architectural diagrams, code review summaries etc.).

  • Plan, lead, and execute technical security assessments, including potential onsite reviews for critical internal systems or third-party locations; document findings and drive remediation.

  • Lead the design, development, configuration, and enhancement of GRC solutions, particularly within the ServiceNow GRC module (e.g., Policy and Compliance, Risk Management, Vendor Risk Management), to automate and improve risk management processes, reporting, and workflows.

  • Utilize technical development skills (e.g., scripting, API integration, light development) to build and maintain custom GRC functionalities, integrations with other security tools, and dashboards within ServiceNow or other supporting platforms.

  • Design and enhance technical assessment methodologies, tooling, and procedures; explore/evaluate GenAI tools to improve assessment efficiency and depth.

  • Identify, analyze, and document technical risks/gaps; collaborate on and track effective remediation plans.

4. Stakeholder Engagement & Regulatory Compliance:

  • Serve as a key technical security SME for tech and cyber risk matters, providing pragmatic guidance to internal project teams, technology owners, and business units.

  • Collaborate with stakeholders (Procurement, Legal, Technology, Business Units, etc.) to embed security requirements into project lifecycles, internal development processes, and third-party contracts.

  • Manage tech/cyber regulatory obligations, track compliance, report non-conformities, and support incident reporting.

  • Provide mentorship and uplift tech and cyber risk awareness Bank-wide.

Required Qualifications:

  • 10+ years combined experience in banking or financial services.

  • 5+ years direct, hands-on experience in technical security risk management, encompassing internal systems, IT projects, and third-party engagements, including leading diverse technical security assessments.

  • Proven experience in ServiceNow GRC module development, configuration, and administration (e.g., creating workflows, custom tables, scripting, managing integrations).

  • Demonstrable technical development skills, including proficiency in scripting languages (e.g., JavaScript for ServiceNow, Python), understanding of APIs, and experience with data integration relevant to GRC platforms.

  • Deep technical security expertise across multiple domains (Cloud Security (AWS/Azure/GCP), Network Security, Application Security (AppSec), Identity & Access Management (IAM), Data Security, Vulnerability Management, Security Operations, etc.).

  • Strong working knowledge of MAS regulations (TRM Guidelines, Outsourcing Guidelines, relevant MAS FSM notices).

  • Familiarity with other global banking regulations (FFIEC, OCC, etc.) and security frameworks (NIST CSF, ISO 27001/2, CIS).

  • Proven experience planning and conducting onsite vendor technical assessments.

  • Excellent communication skills and exceptional analytical, critical thinking, and problem-solving skills.

  • Strong stakeholder management, influencing, negotiation, and conflict resolution skills.

  • Bachelor’s degree in a relevant technical field (CompSci, InfoSec, Engineering) or equivalent work experience.

Preferred Qualifications:

  • Professional certifications (CISSP, CISM, CISA, CRISC, CCSP, Cloud certifications like AWS/Azure Security Specialty).

  • ServiceNow Certified System Administrator (CSA) or Certified Implementation Specialist (CIS) in GRC, Risk, or Vendor Risk Management.

  • Experience with secure software development lifecycle (SSDLC) principles and DevSecOps practices. 

 

Top Skills

AWS
Azure
CIS
GCP
ISO 27001/2
JavaScript
NIST CSF
Python
ServiceNow GRC

GXS Bank Singapore Office

Singapore, Singapore
