Senior Manager, Information Security Governance

At AIA we’ve started an exciting movement to create a healthier, more sustainable future for everyone.

As pioneering innovators for over 100 years, we’re now transforming our organisation to be faster, simpler and more connected. Because we want to be even better equipped to develop digital solutions and experiences that help more people live Healthier, Longer, Better Lives.

To get there, we need people with tech/digital/analytics expertise and passion to help develop positive, sustainable change through digitally enhanced experiences that will impact the lives of millions of people and create a healthier future for everyone.

If you believe in developing a better tomorrow, read on. 

About the Role

This role is responsible for delivering the AIA Singapore Line 1 GRC to the organisation, from coordination Governance reporting activities, Operational Technology Risk Management, Third Party Risk management and Compliance and Audit functions prescribed from AIA Group, industry regulations and the Monetary Authority of Singapore (MAS). This role is also responsible for AIA’s Cyber Security Awareness training.

This leadership role is instrumental in maintaining AIA external stakeholder relations, working directly to AIA Singapore Information Security Head, the individual must be an exceptional communicator on both technical and non-technical issues for Line 2, Audit, Executive Committee, Board and Regulator communications. The occupant needs to lead and mentor a team of Cyber GRC professionals as they navigate scheduled and ad-hoc inspections or audits of AIA’s controls by applying their professional and well-rounded experience as a Cyber Security Leader.

WHAT YOU’LL BE DOING :​

Information Security & Technology Risk Metrics

• Drive the management monitoring and reporting methodology for various key information security and security risk governance metrics, security incidents, policy/standards deviations, third party security assessments, etc.

• Prepare and present relevant technology and security risk indicators and updates to the quarterly security forums, Operational Risk Committees and/or the Board Risk Committees.

IT Risk and Compliance Management

• Drive organizational self-assessments against related technology and security regulatory advisories, circulars, guidelines and notices.

• Coordinate annual IT risk and control self-assessment exercises according to MAS regulatory notices/guidelines, internal enterprise IT policies, and standards and maintain the Group electronic Governance Risk and Compliance (eGRC) tool.

• Manage and follow through on the tracking of deviations and exemptions in the context of AIA’s technology and security policies and standards within the Group eGRC tool.

Third Party Security Risk Management

• Manage the security due diligence evaluations of the organisation’s third-party service providers, with a focus on protecting AIA’s data assets, and external access to our IT systems and databases.

• Reinforce the lines of accountability and responsibility between the contract owners and service providers in regard to cybersecurity risk management of third-party engagements.

Security and Policies Awareness

• Communicate material changes of internal policies/standards to internal staff and key stakeholders.

• Develop effective methods to deliver cybersecurity training to various groups of audiences, including but not limited to – staff, IT teams, management, third party service providers and our agency forces.

Specialized Areas Governance

• The role may be called upon to lead or be involved in ensuring governance of specialized areas under information security, such as the governance of operations in the areas of IAM, cloud security, application security, etc.

• Assist in enterprise-wide risk and compliance coordination for Technology division, where applicable.

Managerial Responsibilities

• Lead promotion of activities to increase information security within your teams to embed and continuously improve adherence to good practice.

• Drive a continues Learning and Development program for staff training. (with inhouse and external training programs).

WHAT WE ARE LOOKING FOR:

• Advanced degree in one of the following or related disciplines (Computer Science, Computer Engineering, Information Security, Information Systems).

• 10 years of experience in a combination of these roles:

  • Cybersecurity governance, monitoring and reporting of key security metrics and risk indicators, either in Line 1 or Line 2.

  • Leading responses to IT audits and regulatory inspections.

  • Managing IT risk and compliance assessments, including assessments on the cyber hygiene of third-party service providers

  • Development, review and management of deviations/exemptions to technology policies and standards.

  • Developing and driving the organisation-wide information security awareness programme.

• Substantial working experience from financial industry, big tech firms or established auditing firms will be considered favourably.

• Experience and exposure in information security standards such as ISO27001 and other relevant industry frameworks will be an advantage.

• Knowledge of tools such as PowerBI or JIRA would be advantageous, including the ability to implement automation.

• Preferably a holder of one or more of the following information security and audit qualifications: CISSP, CISA, CRISC, CCSP.

• Good communication, coordination, and interpersonal skills.

• Strong stakeholder management capabilities.

• High level of energy, professional integrity, and leadership demonstration.

• Ability to adopt a helicopter view context to problem solving.

Build a career with us as we help our customers and the community live Healthier, Longer, Better Lives.

You must provide all requested information, including Personal Data, to be considered for this career opportunity. Failure to provide such information may influence the processing and outcome of your application. You are responsible for ensuring that the information you submit is accurate and up-to-date.