A well-known foreign-invested company
Cyber Security Manager – Risk Management and Data Security
Retail and wholesale
Cybersecurity
Shanghai
5-10 years
Bachelor's degree
Negotiable
Job Description
Risk Management & Lifecycle:
Lead the end-to-end risk lifecycle management, including identification, assessment, mitigation, monitoring, and reporting of cybersecurity risks.
Develop and implement risk management frameworks and policies aligned with industry standards such as NIST, ISO 27001, and COBIT.
Provide expert security recommendations and define requirements for projects, initiatives, and technologies to embed security by design.
Advise on best practices for threat modeling, vulnerability management, and incident response planning.
IT System Risk Assessment:
Conduct thorough risk assessments of IT systems, including infrastructure, applications, and cloud environments, to identify vulnerabilities and recommend remediation strategies.
Collaborate with IT teams to integrate risk assessments into system design, deployment, and maintenance processes.
Vendor Risk Assessment:
Oversee third-party vendor risk assessments, evaluating security postures, compliance, and contractual obligations to mitigate supply chain risks.
Manage vendor onboarding, ongoing monitoring, and offboarding processes with a focus on cybersecurity due diligence.
Data Security Risks:
Assess and manage risks related to data security, including data classification, encryption, access controls, and breach prevention.
Develop strategies to protect sensitive data across on-premises, cloud, and hybrid environments, ensuring compliance with regulations such as CSL, PIPL, DSL, and MLPS.
Cybersecurity Performance Measurement:
Establish and monitor key performance indicators (KPIs) and metrics for cybersecurity governance, such as risk exposure levels, compliance rates, and maturity assessments.
Conduct regular governance reviews to measure the effectiveness of cybersecurity controls and programs.
Internal Portfolio Management and Leadership Reporting:
Support the cybersecurity team's internal portfolio management, including prioritization of initiatives, expense management, and project tracking, to align with organizational goals.
Facilitate agile practices within the team to ensure efficient delivery of cybersecurity projects and programs.
Prepare comprehensive reports to executive leadership and boards, highlighting risk profiles, performance metrics, and strategic recommendations.
Translate complex technical risks into business-oriented insights to support informed decision-making.
Job Requirements
5-7 years in cybersecurity, with at least 3 years focused on risk management, data security and governance.
Proven track record in conducting IT system and vendor risk assessments, data security management, and performance measurement.
Experience in risk lifecycle management and providing security recommendations in diverse environments.
Strong knowledge of risk assessment tools and methodologies (e.g., FAIR, OCTAVE) and governance frameworks (NIST CSF, ISO 27001, COBIT).
Proficiency in data security technologies (e.g., data classification, DLP, encryption tools).
Excellent communication skills for reporting to leadership and collaborating with cross-functional teams.
Familiarity with reporting tools (e.g., Tableau, Power BI) for performance metrics and dashboards.
Advanced certification: CRISC (Certified in Risk and Information Systems Control), CISM (Certified Information Security Manager), or CISSP (Certified Information Systems Security Professional); additional certifications such as CISA, GIAC, or ISO 27001 Lead Auditor.
Excellent analytical and problem-solving abilities to assess complex risks.
Bachelor’s degree in Cybersecurity, Computer Science, or a related field.
Familiarity with portfolio management tools (e.g., Jira, Microsoft Project) for cybersecurity initiatives.
Proficient in English and Mandarin.
Consultant
Shawn Cong
Team Manager - IT & Cyber Security