The Department
Security, Integrity and Information Security (SIIS) is responsible for the preservation of integrity by combating criminality and corruption risks that can threaten horse racing, betting, and membership at the Club. The maintenance of a secure environment and integrity is key to our business. Not only is it important to ensure horse racing in Hong Kong is fair, it is also of paramount importance to the Club that there is governance and fair opportunity in all bet placements. The department consists of the Corporate Security, Racing Security & Integrity Assurance, Integrity & Financial Crime Risk (FCR) and Information Security Risk and Assurance (ISRA) teams.
As customer turnover continues to grow and the Club becomes more customer focused, the IT platform becomes even more critical in enabling the Club to meet its strategic objectives. Many initiatives are running concurrently, from the development of customer applications, to the migration of the data center, to the development of a centralized database accessible by all departments.
Legacy systems, ad hoc operating practices, unstructured architecture, and lack of Governance and Internal Controls all heighten technology risk that could disrupt business. These include hardware and software failure, human error, vulnerability of systems, and cyber-attacks. Given this, there is an increasing need to have robust management of technology risk for all mission critical and lifeblood systems to avoid disruption of business operations.
As such, ISRA focuses on technology risk as a second line function to review and design the Information and Security Risks and Control framework, set policies based on industry best practices, conduct periodic risk assessments, and establish regular reporting and governance on technology and cyber risks with associated remedial plans.
This particular role requires the candidate to have strong technical and operational IT knowledge and experience in information security, enterprise architecture and digital transformation projects. This includes a deep understanding of data centers, networking and applications. The function is a second line function where assessment and monitoring are critical, as distinct from technical implementation.
Reporting to the Executive Manager, Information Security Risk and Assurance, the role will be responsible for the second line technology risk assessment for the Club.
The Job
You will:
- Assist the Executive Manager, ISRA to establish the second line of defence (2LOD) technology risk management and information security assurance functions.
- Create and maintain the technology risk management policy and framework as well as technology risk and information security controls library.
- Review and recommend improvements to technology risk management methodologies and risk treatment practices, to ensure reliability, resilience, availability and disaster recovery for Mission Critical Systems.
- Define Key Risk Indicators (KRIs) to measure and monitor the technology risk exposure of individual business lines.
- Identify top technology risks for the Club and individual business lines and monitor changes in their risk posture based on KRIs, Control Assurance Assessment results, audit issues and IT/cyber incidents.
- Manage internal and external resources to maintain the second line of defence capability and activities.
- Maintain internal and external communications to support the objectives of the second line of defence function.
- Create regular technology risk monitoring metrics and information security maturity assessment scorecards to inform management and stakeholders of the Club’s current technology risk and information security posture.
About You
You should have:
- A Bachelor's and/or Postgraduate degree from a highly accredited university in the discipline of Information Technology, Information Systems or similar.
- A minimum of 8 years' experience in related fields.
- In-house second line information security or technology risk experience in large organizations; Big 4 IT audit or technology risk advisory experience is also highly preferred.
- Proven track record in leading technology risk and cyber security maturity assessments.
- Knowledge and experience in large scale IT systems, technology risk management frameworks and information security practices.
- Certification in CISA, CISM, CISSP or risk management will be advantageous.
- Professional/Industry body membership/affiliation is an advantage.
- Capable of assessing and quantifying technology, cyber and IT operational risks, assessing mitigation measures, and providing practical recommendations on risk mitigation controls when needed.
- Capable of analysing and solving complex problems.
- Willing to learn and understand industry best practices and trends on risk management.
- Knowledge and experience in the design, migration and modernization of in-house developed mission-critical applications.
- Technical knowledge on data centre, networking, application architecture, IT operations and technical security controls design and implementation.
- Exposure to legacy and modern platform technologies.
- Proficient in Microsoft Office, Power BI and/or Tableau.
- Fluency in written and spoken English (fluency in Chinese is a plus), with the ability to communicate clearly with key stakeholders.
Terms of Employment
The level of appointment will be commensurate with qualification and experience.
Enquiries
We are an equal opportunity employer. Personal data provided by job applicants will be used strictly in accordance with the Club's notice to employees and prospective employees relating to the Personal Data (Privacy) Ordinance, a copy of which will be provided immediately upon request.