Head of Web Application and API Protection

Some careers have more impact than others.

If you're looking for further opportunities to develop your career, take the next step in fulfilling your potential right here at HSBC. 

HSBC is one of the largest banking and financial services organizations in the world, with operations in 58 countries and territories. We aim to be where the growth is, enabling businesses to thrive and economies to prosper, and, ultimately, helping people to fulfil their hopes and realize their ambitions.

We are currently seeking an experienced professional to join our team in the role of Head of Web Application and API Protection.

Location: Pune / Hyderabad / Bangalore

Department Background:

Our Cybersecurity team helps maintain a strong, secure technology and data infrastructure – using industry leading techniques, real-time data analytics and controls to enhance protection against cyber-attacks.

The Opportunity:

• Our Technology teams work closely with HSBC's Global Businesses and Markets to design, build and run digital services that allow millions of our customers around the world to bank quickly, simply and securely. We run and manage Technology infrastructure, data centers and core banking systems that power the world's leading international bank, with one of the largest technology estates in the industry.
• We are looking for a Cybersecurity leader to join us to shape our long-term strategy, and turbo-charge delivery, as the accountable owner for Web Application Security & Protection (WASP) across the bank. This senior role reports directly to the Global Head of Network Security. 

What you'll do:

• Strategy: Define and maintain our global strategy for WASP, supported by engineers, platform owners, architects and Control Owners, enabling business success, meeting regulatory expectation and best practice, whilst responding to current and likely threat actor evolution.
• Delivery: Own the investment roadmap for WASP and its successful delivery across multiple partners. Ensure the transparent prioritization of a common backlog to drive risk reduction, simplification and wider strategic needs. Ensure risk-risk trade-offs are managed, particularly risk mitigation and operational needs.
• Innovation: Empower HSBC to successfully navigate cyber risk with innovative, responsive and frictionless technologies and services, both those delivered in-house and from external partners. Foster and empower a culture of innovation, experimentation, and continuous improvement.
• Partnership: Develop with colleagues throughout technology and the business innovative technical solutions that meet both current and future business needs, ensuring the bank's infrastructure remains scalable and resilient. Drive the shift-left of WASP in partnership with DevOps. Partner with external technology providers and security specialists to integrate best practice and leverage or build cutting-edge tooling.
• Services: define, operate and mature a business service supporting adoption and tuning of protections, as well as being a trusted advisor and point of escalation for technical and business teams managing online services, ensuring security requirements are understood and effectively implemented.
• Oversight: Ensure WASP is overseen end-to-end, robustly and throughout the organisation: from platform acquisition, service deployment through to federated operation. Drive a data-centric approach to observability and assessment, wherever possible supported by automation, measures and analytics.
• Accountability: Ensure regulatory and risk management outcomes are being maintained or robustly managed. Ownership of High-Risk Audit, Regulator and self-identified issues. Ownership of the capability budget, balancing run and change investment. As a senior leader, contribute to and champion change across both Cybersecurity and Technology, occasionally outside of your primary remit.
• Talent: Lead, manage, invest in, recruit and inspire a team of highly skilled and performant SMEs across the globe. A culture driven by empowerment, experimentation, learning, partnership and delivery. A place where colleagues thrive, solving meaningful problems that keep the bank and its customers safe.

Qualifications - External

• Overall experience of 18+ years with relevant experience in Cybersecurity.
• Hands-on experience in designing and implementing web application protection strategies, leveraging tools and frameworks to secure and optimize resilient network infrastructures. 
• Robust understanding of common industry cyber security frameworks, standards, and methodologies, including PCI DSS, FFIEC guidelines, CIS and NIST standards.
• Expertise in web application security including implementing application-layer firewalls in a large-scale, complex, and global organization. Familiarity with leading WAF solutions (e.g. AWS WAF, Akamai Kona, Cloudflare etc).
• Designing and implementing web application protection strategies, leveraging tools and frameworks to secure and optimize resilient network infrastructures.
• Expertise in API security including hardening, authentication (OAuth, token-based, etc) and gateway security. Understanding of vulnerability scanning tooling and integration with WAFs for automated protection.
• Deep understanding of web application vulnerabilities and attack patterns, include OWASP, CRS and their mitigations, and of cloud environments (e.g., AWS) and associated network security challenges and solutions
• Ability to escalate, drive relationships and delivery across multiple regions & teams.
• Awareness of advanced techniques for defending against modern threats, such as bot mitigation, automated attack prevention, and anomaly detection.
• Strong analytical skills to identify and resolve complex problems, often with risk-risk trade-offs.
• Proven experience in technology leadership roles, running high performing technology teams and experience working in a large scale, multi-national and technologically diverse environments.
• Knowledge and exposure of the application of Risk and Control Management and associated frameworks, preferably from a multi-market institution.

You'll achieve more when you join HSBC.

HSBC is an equal opportunity employer committed to building a culture where all employees are valued, respected and opinions count. We take pride in providing a workplace that fosters continuous professional development, flexible working and, opportunities to grow within an inclusive and diverse environment. We encourage applications from all suitably qualified persons irrespective of, but not limited to, their gender or genetic information, sexual orientation, ethnicity, religion, social status, medical care leave requirements, political affiliation, people with disabilities, color, national origin, veteran status, etc., We consider all applications based on merit and suitability to the role.

Personal data held by the Bank relating to employment applications will be used in accordance with our Privacy Statement, which is available on our website.

***Issued By HSBC Technology (India) Private LTD***