Lead Control Assurance Consultant

At HSBC, the health and well-being of our employees remains of utmost importance. Many of our roles are permitted to work from home (in states in which HSBC is licensed to operate) until further notice. Upon resumption of normal operations, this role may be performed at our Arlington Heights, Illinois office.

Big Bank Funding. FinTech Thinking.

Our Technology teams work closely with HSBC's global businesses to help design and build digital services that allow our millions of customers around the world to bank quickly, simply and securely. We also run and manage our IT infrastructure, data centres and core banking systems that power the world's leading international bank.

Our multi-disciplined Technology teams include amongst others: DevSecOps engineers, IT architects, front and back-end developers, infrastructure specialists, cybersecurity experts, and delivery, project and programme managers.

Following extensive investment across our Technology and Digital domains and with plans for continued expansion throughout 2021 and beyond, we are currently seeking a Lead for "Threat and Controls Assessment", to join the HSBC Cybersecurity team within Technology.

Brief overview of the business areas

Global Cybersecurity is responsible for enabling businesses and functions to manage their information, technology and cybersecurity risks by ensuring these are well understood, and that the controls used to manage such events are defined, assessed and implemented appropriately. Cybersecurity delivers this via objective, independent, professional and specialized subject matter experts. The role forms part of the 1LoD in relation to the risk management framework.

The Cybersecurity Assessment and Testing (CSAT) function, part of Global Cybersecurity, is accountable for Vulnerability Management, Secure Development, Threat and Controls Assessment (threat modelling) and Third Party Security Assessment. The function drives the identification, capture, assessment, testing and ultimately the remediation of security defects, gaps and vulnerabilities across HSBC's estate in concert with business and technology teams - on premise, within the Cloud and resulting from 3rd party engagements.

What you will be doing:

This global role directs activities and staff, and drives the continuous enhancement of our threat and controls assessment capability, as part of the Threat and Controls Assessment team. Five peer roles exist, which have additional accountability for threats and controls assessment within their respective regions of the Americas, China, India, UK and Europe.

These roles report into the Global Head of Threats and Controls Assessment, closely collaborating with peers across Penetration Testing, Secure Development, Third Party Security Assessment and Cybersecurity business and regional leads, enabling effective end-to-end vulnerability identification.

The candidate will be able to demonstrate: strong leadership and communication; experience in managing and influencing both teams and stakeholders from diverse backgrounds and cultures, often remotely; and proven experience, skills and expert knowledge of vulnerability management or similar (e.g. threat modelling, penetration testing). The role holder is required to engage with senior stakeholders including cybersecurity leadership, both globally and in regions, Technology teams including IT Operations, engineering and platform teams, change management, and cloud platform teams, stakeholders across all lines of defence: Chief Controls Office Technology, 2LoD Resilience Risk and 3LoD Internal Audit teams, and regulators.

Key Responsibilities:
  • Drive holistic and effective threat and control assessment, ensuring the swift and continuous capture of all vulnerabilities within our internal, external and cloud estate.
  • Define, implement, operate and monitor threat and controls assessment of systems for pre-deployment and post-production, via manual, ad-hoc and automated capabilities. This includes but is not limited to: on-premise IT assets, cloud, infrastructure assets and business applications.
  • Collaborate with the Global, Regional and Country representatives of Technology plus other peer managers to implement the team's goals within entity policy, expense and regulatory constraints.
  • Lead and support peers within the Cybersecurity function to define and implement an industry leading Cybersecurity Service that supersedes our constantly changing information security threats.
  • Contribute to the Sub-function/Region Cybersecurity strategy to secure the bank's technology from the inside out, whilst maintaining, protecting and enhancing HSBC's values, reputation and stakeholder value
  • Responsible for ensuring effective engagement with GB/GF/Regions
  • Management responsibility for a team, providing clear direction, setting performance targets of direct reports and contributing to employees' professional development
  • Define, plan and lead change activities for driving capability uplift and process improvements.
  • Providing leadership to direct team on all threat and controls assessment services within region.
  • Lead initiatives to develop and build security processes to enable others to operate more efficiently and securely
  • Work with the other regions to ensure a consistent approach to Threat and Controls Assessment
  • Stay up to date with new industry trends and best practices
  • Act as a point of contact and source of advice on issues relating to information security within the associated region


What you will bring to the role:

To be successful in this role you should have proven experience within the Technology sector with knowledge of the following skills:

  • An inquisitive approach, always asking how to achieve goals in a smarter and more effective way
  • An ability and interest to learn and experiment with new approaches to vulnerability management, in different contexts, across the amazing scale that HSBC brings.

Good Risk and Controls understanding
  • Knowledge of and exposure to Risk and Control Management
  • Ability to understand and assess threats, controls and vulnerabilities, articulating these to both technical and business stakeholders.

Strong Technical background
  • Proven experience in general security concepts and principles and application specific security concepts and principles
  • Proven experience working in a large scale, multi-national and technologically diverse environment
  • Hands on experience with threat modelling and strong technical understanding and experience of assessing vulnerabilities and identifying weaknesses in diverse enterprise IT assets
  • Strong understanding of applications design and architecture
  • Strong understanding of Software Development Life Cycle (SDLC) with a focus on security
  • Professional IT Security qualifications and/or certification
  • Knowledge of Governance, Risk & Compliance
  • Experience in continuous improvement and process optimisation.
  • Knowledge and experience with network, host and application security practices
  • Excellent analytical skills, organizational skills, ingenuity and the ability to work as part of a team
  • Have a minimum of 10 years in a Cybersecurity role
  • Have a minimum of 3 years' leadership (projects, resource etc.)

Strong stakeholder management and communications skills
  • Experience of working in international and diverse environments
  • Experience in managing high-performing individuals in different geographies, often remotely
  • Experience in engaging with business, technology, regional and regulator stakeholders
  • Ability to communicate to executive leadership - effectively translating technical gaps into business risk
  • Ability to prepare concise presentations and updates for senior management

Effective Team Lead combined with ability to complete tasks independently to a high quality standard
  • Possess strong leadership skills to bring out the best in a team. This includes both direct leadership and cross-functional capabilities
  • Experience within fast-moving, complex and demanding corporate environments and able to provide appropriate direction to the team whilst dealing with ambiguity and change

Interpersonal Skills
  • Influential, credible and persuasive, active listener, embraces HSBC Values, shows good judgement and demonstrates high level of communication skills in order to achieve effective stakeholder management

Some travel will be required - expected once to twice a year.

Come Power a Business that Defines How to Power the World

As a business operating in markets all around the world, we believe diversity brings benefits for our customers, our business and our people. This is why HSBC is committed to being an inclusive employer and encourages applications from all suitably qualified applicants irrespective of background, circumstances, age, disability, gender identity, ethnicity, religion or belief and sexual orientation.

We want everyone to be able to fulfil their potential which is why we provide a range of flexible working arrangements and family friendly policies.

As an HSBC employee, you will have access to tailored professional development opportunities and a competitive pay and benefits package.

Personal data held by the Bank relating to employment applications will be used in accordance with our Privacy Statement, which is available on our website.

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.