The Head of Technology Risk Specialist is responsible for driving the enforcement of security policies, standards, and procedures across the organization.
This role will lead the identification and implementation of new security controls to ensure CIMB operates in a secure and compliant manner aligned with regulatory expectations and best practices.
The incumbent will also lead root cause analysis of security incidents and play a key governance role over critical security compliance domains.
Key Responsibilities:
Identify and define appropriate security controls to address emerging risks and support secure technology adoption.
Lead root cause analysis (RCA) and post-mortem reviews of security incidents to ensure systemic issues are addressed and lessons learned are documented.
Provide guidance and support across architecture, software development, and engineering teams to embed security-by-design principles into technology solutions.
Job Specification:
Lead and embed risk-focused architecture reviews into project and change processes, covering infrastructure, cloud services, and critical systems.
Assess cloud security designs and controls across public, private, and hybrid deployments to ensure compliance with internal policies and regulatory requirements.
Evaluate AI/ML security risks, including model integrity, data privacy, and algorithmic transparency, and provide advisory for secure integration.
Establish and maintain disaster recovery governance frameworks, including recovery objectives, failover strategies, and testing assurance.
Monitor and assess emerging technologies (e.g., GenAI, edge computing, quantum computing) for operational risk, cyber risk, and compliance impact.
Collaborate with Enterprise Architecture, NFRM, IT Operations, and Cybersecurity teams to align security-by-design principles and risk mitigations.
Provide technical risk input into investment decisions, technology onboarding, and IT strategy alignment.
Support regulatory submissions and audits related to cloud, AI and resilience controls, particularly under Bank Negara Malaysia RMiT and other relevant guidelines.
Maintain documentation of risk assessments, decisions, and recommendations aligned to technology governance.
Manage the process of identifying, analysing, and assessing current and emerging threats including cloud and AI adoption.
Recommend and coordinate the implementation of technical controls aligned with defined security policies.
Lead day-to-day threat and vulnerability management activities, assess risk tolerances, recommend treatment plans, and communicate residual risks.
Collaborate closely with the Technology & Cyber Security Management team.
Conduct in-depth post-mortem reviews of security incidents with IT Security Operations support.
Ensure root causes are documented in the problem management log for future reference.
Research, evaluate, test, and recommend new or updated security technologies (including cloud platforms), and assess their impact on the current environment.
Provide both technical and managerial support for the administration of security tools.
Foster strong collaboration with Infrastructure, IT Security Operations, and development teams to implement controls aligned with policies and regulatory/audit requirements.
Review and evaluate policy exception requests, ensuring that sufficient mitigating controls are in place.
Qualification: Bachelor's Degree or Professional Qualification in the relevant disciplines.
Professional Qualification and/or Regulatory, Licensing requirements: Relevant Certifications, e.g.:
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
Certified Information Systems Security Professional (CISSP)
Certified in Risk and Information Systems Control (CRISC)
ISO 27001 Lead Auditor
Relevant Work Experience - Preferably in Banking:
Technology Risks, Compliance or Audit
Project Management
Fraud Investigation
Third Party
Cyber Security
Required Competencies and Skills
Technology Risk, Audit and Compliance
Computer Forensics Technology & Social Engineering
Technology Risk Assessments
Good communication skills, both verbal and written.
Proficient in risk assessment practices, IT security/control (e.g. COBIT, NIST, ISO 27001)
Strong analytical and problem-solving skills.
Practical experience in conducting independent assurance.
Analytical skills to correlate Risk Appetite, KPIs and KRIs.
Able to work independently as well as an effective team player.