IT Cybersecurity Manager

Position Purpose

Provide a brief description of the overall purpose of the position, why this position exists and how it will contribute in achieving the teams goal.

Main ScopeRole of Wealth Management India IT Risk and Information Systems Security Manager, being understood this role includes delegations from APAC WM CISO for the team located in India territory and fully participates in overall WMIS Cybersecurity and IT Risk objectives.

Participate to IT project security reviews conducted both on a global and APAC basis across all platforms. Participate in the Security Operation meetings in APAC, EMEA & CH regions. This requires the incumbent to foster close working relationships with other business areas and IT Development/Production/CSIRT/Production Security teams.

The incumbent will work hand in hand with the IT Dev, Prod teams and the business, as an enabler and a facilitator.

Responsibilities

Direct Responsibilities

WM IT Risk and Security Manager

o Manage the WM IT Risk and Security local team in India by managing the recruitment, performances review as well as training and career-path development.

o Coordinate with APAC WM security actors, including India-based resources.

o Coordinate with APAC WM IT teams on risk and security topics, while promoting a secure development and deployment culture

o Assist for a Risk Treatment for any APAC WM issue, based on the WM GAIM generic process.

o Periodic reporting of security status to WM CISO APAC and WM Global CISO

o Contribute to the IT Risk and Cybersecurity Governance including procedural framework, Cybersecurity awareness and communication.

o Ensure the regular reporting for management follow-up

IT Security Compliance (delegation on WM APAC scope)

o Ensure the alignment with the Group and WM GAIM security policies, for both project and production assets.

o Ensure the protection of WM business data with an adequate security level of WM assets, based on project assessment and production review processes.

o Ensure the compliance with regulatory bodies requirements, including for APAC (HKMA, MAS), EU (GDPR), Switzerland (FINMA)

o Leveraging on a deep knowledge of Security standards such as NIST, CIS,ISO2700x , ensure the compliance with the IT security requirements

o Ensure the compliance with the Third-party Technology risks and Cloud security.

o Identify the process gaps and provide solutions.

Application Security

o Ensure the effective implementation of Secure SDL including the DevSecOps and Threat modelling practices.

o Identify and implement the latest security standards for internet facing and internal assets.

o Improve the Vulnerability Management at the application level in terms of efficiency as well as effectiveness (including Static Acceptance Security Testing SAST, Dynamic Acceptance Security Testing DAST and Software Composition Analysis SCA).

Perform Security risk assessments and reviews to be presented to respective committees.

Ensure the adequate security level for all WM GAIM applications, whatever the IT project managers location and hosting provider.

Production Security Oversight (delegation on WM APAC scope)

o Identify the production security requirements and ensure a smooth integration of WM assets within APAC IT Production, including network flow opening and Application Zoning compliance.

o Identify the compliance level of the production environment and contribute to remediation actions definition while keeping the oversight on actions progress.

o Keep an overview and ensure the adequate Vulnerability Management at the server and middleware level leveraging on production scans and liaising with relevant production stakeholders. Contribute to the management of Cybersecurity incidents.

CyberSecurity Program (delegation on WM APAC scope)

o Contribute to the steering and driving of the security initiatives on the APAC scope expected by the WM Cybersecurity Program.

Contributing Responsibilities

Coordination with IT Security actors

o Reporting line to the WM GAIM Global CISO: alignment on the objectives and means, contribution to the different global reporting (WM Cybersecurity Committee, Wholesale Application Security Dashboard)

o Coordination and control of security activities performed by APAC CIB Business Information Security and Production Security teams, including project assessment from production point of view, production security review, user security awareness for the WM scope.

o Coordination with the Swiss Security team concerning integration of WM assets within Swiss IT production.

o Keeping abreast of initiatives by the IT Security community within the Group and other IT Security stakeholders within the Group.

Technical & Behavioral Competencies

Cybersecurity / Technical Value-added Competencies

Cybersecurity Governance: framework (NIST / CIS framework), Security incident management, Logging & Detection (SIEM ELK products)

DevSecOps: CI/CD toolchain knowledge of various tools

o Source code management: sonarQuabe, bibucket, github/gitlab

o Security application scanning (e.g. Sonatype/NexusIQ, Fortify, AppSpider, Qualys, DTR scan)

o Automation/orchestration: Ansible tower, Jenkins

Application Security: Threat modeling, Security architecture key concepts, exposure to various development framework and applicative landscape (Java/Web, Mobile applications, containerization/docker, kubernetes, API management, Cloud security)

Vulnerability Management

o Nexpose, Nessus

Ethical Hacking Knowledge

o Kali Linux knowledge (metasploit, nmap)

Specific Qualifications (if required)

Qualifications and Experience

10 years' experience in information security evaluation and design of technical architectures

Functional as well as technical knowledge of the applications used within BNP Paribas

Knowledge of the Norms and Standards of the BNP Paribas Group, in particular with respect to ITRM & Wholesale IT Security Norms and Policies

Team management experience is a must

Preferred Master level in Computer science and Information Security

Skills Referential

Behavioural Skills: (Please select up to 4 skills)

Communication skills - oral & written

Ability to collaborate / Teamwork

Decision Making

Ability to deliver / Results driven

Transversal Skills: (Please select up to 5 skills)

Ability to set up relevant performance indicators

Ability to develop and adapt a process

Ability to manage a project

Ability to develop others & improve their skills

Ability to manage / facilitate a meeting, seminar, committee, training

Education Level:

Master Degree or equivalent

Experience Level

At least 10 years

Other/Specific Qualifications (if required)

Other Value-added Competencies

• Advanced IT security certifications may be advantageous (such as CISM, CCSP, CSK, CEH, CISSP).
• Operational Risk and Permanent Control
• Data Analytics solutions (Tableau, PowerBI) and strong expertise in Dashboard/reporting