Security Operations Manager - VP - Wealth Management IT

As the leading European Union bank, and one of the world’s largest financial institutions with an uninterrupted presence in the region since 1860, BNP Paribas offers a wide range of financial services for corporate, institutional and private investors spanning corporate and institutional banking, wealth management, asset management and insurance. 

We passionately embrace diversity and are committed to fostering an inclusive workplace where all employees are valued and encourage applicants of all backgrounds, including diversity of origin, age, gender, sexual orientation, gender identity, religion applicants who may be living with a disability. We have a number of internal employee networks in place to empower our staff to act and challenge the status quo.

•    BNP Paribas PRIDE is highly active in favour of the LGBTQIA+ community
•    BNP Paribas MixCity which fosters better representation of women at all levels of the organization
•    Ability, the mutual aid network for employees with a disability or a disabling or chronic illness
•    BNP Paribas CulturAll which celebrates diverse backgrounds

BNP is committed to financing a carbon-neutral economy by 2050. The Group is a founding member of the Net-Zero Banking Alliance and has set up its own Low Carbon Transition Group to support its clients through their energy transitions.

https://careers.apac.bnpparibas/

More information 

Award Obtained
BNPP has won Top employer Europe award in a 10th consecutive year

Main Scope
Role of Wealth Management APAC Chief Information Systems Security Officer, being understood this role includes delegations from WM CISO for the team located in Asia Pacific territory and fully participates in overall WMIS Cybersecurity and IT Risk objectives.

Main Responsibilities

WM APAC CISO

• Manage the WM IT Risk and Security local team in APAC by managing the recruitment, performances review as well as training and career-path development
• Coordinate with APAC WM security actors, including India-based resources
• Coordinate with APAC WM IT teams on risk and security topics, while promoting a secure development and deployment culture
• Assist for a Risk Treatment for any APAC WM issue, based on the WM GAIM generic process
• Contribute to the IT Risk and Cybersecurity Governance including procedural framework, Cybersecurity awareness and communication for the APAC scope.
• Periodic reporting of security status to WM Global CISO as well as APAC Management

IT security compliance

• Ensure the alignment with the Group and WM GAIM security policies, for IT production assets including the security hardening, vulnerability and patch management.
• Ensure the protection of WM business data with an adequate security level of WM assets, based on project assessment and production review processes
• Ensure the compliance with regulatory bodies requirements, including for APAC (HKMA, MAS), EU (GDPR), Switzerland (FINMA)
• Leveraging on a deep knowledge of Security standards such as NIST, CIS,ISO2700x , ensure the compliance with the IT security requirements
• Identify the process gaps and provide solutions

Production Security oversight  (delegation on WM APAC scope)

• Identify the production security requirements and ensure a smooth integration of WM assets within APAC IT Production, including network security such as flow opening and Application Zoning compliance
• Identify the compliance level of the production environment and contribute to remediation actions definition while keeping the oversight on actions progress
• Keep an overview and ensure the adequate Vulnerability Management at the server and middleware level leveraging on production scans and liaising with relevant production stakeholders
• Contribute to the management of Cybersecurity incidents

Application Security Testing Factory

• Ensure the effective implementation of Secure SDL including the DevSecOps platform and Threat modelling practices.
• Identify and implement the latest security standards for internet facing and internal assets 
• Improve the Vulnerability Management at the application level by managing the platforms or services with providers (including Static Acceptance Security Testing – SAST, Dynamic Acceptance Security Testing – DAST and Software Composition Analysis – SCA).
• Perform Security risk assessments and reviews to be presented to respective committees
• Ensure the adequate security level for all WM GAIM applications, whatever the IT project manager’s location and hosting provider

CyberSecurity Program (delegation on WM APAC scope)

• Contribute to the security initiatives expected by the WM Cybersecurity Program

Coordination with IT Security actors

• Reporting line to the WM GAIM Global CISO: alignment on the objectives and means, contribution to the different global reporting (WM Cybersecurity Committee, Wholesale Application Security Dashboard…)
• Coordination and control of security activities performed by APAC CIB Business Information Security and Production Security teams, including project assessment from production point of view, production security review, user security awareness for the WM scope.
• Coordination with the Swiss Security team concerning integration of WM assets within Swiss IT production
• Keeping  abreast of initiatives by the IT Security community within the Group and other IT Security stakeholders within the Group

Essential Banking Knowledge

Banking Knowledge and understanding of Wealth Management specificities

General Knowledge

International and APAC banking regulations

Deep Knowledge

Essential Technical Knowledge

Program/Project Management

Deep Knowledge

Knowhow of ASIA regulatory requirements

Deep Knowledge

Knowledge of standard IT Security concepts and methodologies

Deep Knowledge

Deep understanding of cybersecurity threats and remediation options

Deep Knowledge

IT Security Risk Assessment and Risk Management

Deep Knowledge

Knowledge of understanding digital transformation and mobile technologies and Cloud (Containers Docker, Kubernetes).

Good Knowledge

Knowledge of emerging technologies (NFT, encryption)

Good Knowledge

Essential Personal Skills

Communication skills – Ability to interact throughout oral and written communication skills

Deep Knowledge

Knowledge of emerging technologies (NFT, encryption)

Deep Knowledge

Knowhow of ASIA regulatory requirements

Deep Knowledge

Must be motivated, and able to work independently as well as part of a team

Deep Knowledge

Must demonstrate ethical responsibility, maturity, and discretion

Deep Knowledge

Qualifications and Experience

• 10 years' experience in information security evaluation and design of technical architectures
• Functional as well as technical knowledge of the applications used within BNP Paribas
• Knowledge of the Norms and Standards of the BNP Paribas Group, in particular with respect to ITRM & IT Security Norms and Policies
• Team management experience is a must
• Preferred Master level in Computer science and Information Security

Cybersecurity / Technical Value-added Competencies

-  Cybersecurity Governance: framework (NIST / CIS framework), Security incident management, Logging & Detection (SIEM – ELK products)

-  DevSecOps: CI/CD toolchain knowledge of various tools

o   Source code management: sonarQuabe, bibucket, github/gitlab

o   Security application scanning (e.g. Sonatype/NexusIQ, Fortify, AppSpider, Qualys, DTR scan…)

o   Automation/orchestration: Ansible tower, Jenkins

Application Security: Threat modeling, Security architecture key concepts, exposure to various development framework and applicative landscape (Java/Web, Mobile applications, containerization/docker, kubernetes, API management, Cloud security)

Vulnerability management

• Nexpose, Nessus

Other Value-added Competencies

• Advanced IT security certifications may be advantageous (such as CISM, CCSP, CSK, CEH, CISSP…).
• Operational Risk and Permanent Control
• Data Analytics solutions (Tableau, PowerBI)and strong expertise in Dashboard/reporting