Chief Information Security Officer - APAC

Job Summary

The Regional CISO - APAC serves as the primary security leader for the APAC region, reporting to the Group CISO and with a cross-functional reporting line to the APAC CIO. This role is responsible for governing and overseeing the implementation of Group security policies and programs across APAC, ensuring adherence to global standards while meeting local regulatory obligations. The Regional CISO will govern the five security domains at the regional level, facilitate regulatory compliance, streamline reporting into the Group CISO governance framework, and coordinate with local security leaders, including the Local CISO in India. Additionally, the role ensures readiness for audits, regulatory reviews, and incident response, acting as a trusted advisor to regional leadership on cybersecurity risk and resilience.

Context

The Group Information Security function is dedicated to protecting the organization's information assets through a unified, risk-based approach to cybersecurity. The function operates across five core domains: Security Governance, Security Architecture, Operations Security, Identity & Access Management (IAM), and Data Protection & Privacy. Each domain is managed centrally by specialized teams under the Group CISO, ensuring global consistency and compliance. Regional CISOs play a critical role in extending this governance model to their respective geographies, ensuring alignment with Group standards while addressing local regulatory and business requirements. They act as the bridge between global strategy and regional execution, enabling effective risk management and regulatory compliance.

Key duties and responsibilities

Security Governance & Strategic Alignment:

• Act as the regional ambassador for Group Information Security policies, standards, and frameworks.
• Govern locally the core security domains managed centrally by the Group CISO teams.
• Ensure consistent implementation of security programs across APAC entities and sites.
• Facilitate the adoption of Group and regulatory requirements, policies, and controls.
• Streamline reporting into the Group CISO centralized governance and reporting framework.

Regional Oversight & Coordination:

• Oversee and coordinate with the Local CISO in India, ensuring alignment with Group standards and collecting consolidated reporting.
• Facilitate the rollout of global security initiatives and projects within the region.
• Support regional business units in security-related decision-making and risk management.

Operational Security Governance:

• Oversee governance of security operations in APAC
• Ensure BCP/DR plans coverage and alignment with Group.
• Track implementation of security awareness programs adapted to APAC cultural and regulatory contexts.

Compliance & Regulatory Engagement:

• Maintain a regulatory watch for APAC jurisdictions (e.g., MAS, IRDAI, CBIRC, APRA).
• Facilitate internal and external audits, regulatory questionnaires, and ensure timely remediation of findings.
• Prepare and coordinate responses for local and regional regulatory inquiries and inspections.
• Ensure timely coordination with the group incident manager and CISO for reporting of critical incidents to regulators as required by local laws.

Risk Management & Third-Party Security:

• Facilitate regional risk assessments and integrate results into the Group risk framework.
• Oversee the integration of third-party security risk management for vendors operating in APAC.
• Support secure architecture reviews for regional projects.

Reporting & Communication:

• Support the security team in the implementation of regional security KPIs, risk dashboards, and compliance status and reporting to the Group CISO.
• Provide regular updates to APAC leadership on security posture and risk exposure.
• Represent APAC in global security working groups and forums

Required experience & competencies

• 10+ years in cybersecurity, with at least 5 years in a leadership role covering multiple geographies.

• Strong understanding of APAC regulatory frameworks (e.g., MAS TRM, IRDAI, CBIRC, APRA CPS 234).

• CISSP, CISM, or equivalent knowledge of ISO 27001, NIST CSF.

• Ability to influence stakeholders and manage cross-functional teams in a matrix organization.

Required Education

• Bachelor's degree in Information Security, Computer Science, or a related field.

• Professional certifications such as CISSP, CISM, CRISC, or ISO 27001 Lead Implementer/Auditor are highly desirable.