Principal Enterprise Architect, AppSec Vuln


Job details
  • HSBC
  • London
  • 5 days ago

Big Bank Funding. FinTech Thinking.

Join a digital-first bank that's powered by people. Our technology team builds innovative digital solutions rapidly and at scale to deliver the next generation of banking services for our customers around the world. Help shape the future of digital-first banking for our customers.

We are currently seeking an experienced professional to join our team in the role of Principal Enterprise Architect for Application Security, Threat and Vulnerability Management.

You'll partner with leaders across Technology to define the Application Security, Threat and Vulnerability Management strategy that will define the future technology state to enable our business strategy. You'll manage the Application Security, Threat and Vulnerability Management Architects to deliver the strategy, fostering an inclusive culture of collaboration, innovation, and excellence; whilst improving the customer experience.

You'll be responsible and accountable for directing the operation of the global architecture practice for Application Security, Threat and Vulnerability Management, including design choices, ensuring they are aligned with group standards and business strategy, meet business objectives, and satisfy all relevant regulatory and operational risk controls.

You'll manage the Application Security (including Software Development Life Cycle), Threat and Vulnerability Management functional areas, but also support the Security Assurance areas.

Principal responsibilities

Impact on the Business/Function

  • Define, maintain, and own the Application Security, Threat and Vulnerability Management architecture strategy and roadmap, incorporating ZeroTrust as appropriate, ensuring alignment to other HSBC technology strategies and providing Design Authority sponsorship for major Application Security, Threat and Vulnerability Management initiatives across the Group.
  • Provide assurance of the solution designs produced within Cybersecurity and support the Engineering teams in producing execution plans for the strategies.
  • Delivering strategic thought-leadership to the Cybersecurity Architecture Practice as well as across the Architecture and Cybersecurity functions through the production of architecture strategies for Application Security, Threat and Vulnerability Management and associated architecture artefacts (e.g. principles, standards, patterns and roadmaps) aligned to organisational needs and priorities.
  • Introduce new practices, processes, operating models, techniques, products, services, technologies, and standards where needed against identified use cases, via the appropriate governance bodies and in collaboration with the Application Security, Threat and Vulnerability Management Security Engineering function.


Customers / Stakeholders

  • Customer focused (primarily internal but with indirect external impacts): creates a customer-centric culture; sponsors and drives the development of a competitive, commercially attractive, and sustainable customer proposition. Builds sustainable customer strategies based on customer insight and regional markets.
  • Builds and maintains strategic stakeholder relationships at all levels: across Global Businesses and Technology; and key strategic partnerships with third parties.
  • Working alongside the CISO and the Cybersecurity executive team to drive strategic and investment planning ensuring alignment to our overall organisational strategy and priorities.


Leadership & Teamwork

  • Enable the Cybersecurity Architecture organization to achieve business outcomes by empowering developers with world-class technology and practices. Adopt open source / inner sourcing for reuse, rendering standards and controls as code. Own the design authority for technology outcomes.
  • Co-manage the Cybersecurity Architecture hiring strategy to ensure we are attracting, mentoring, and growing diverse high-performing architects and architectural talent.
  • Create an architecture culture that fosters experimentation and learning; but also focuses on financial discipline, delivering on commitments, reducing of technical debt and appropriate risk management.


Operational Effectiveness & Control

  • Ensure adherence to, and manage effectively against HSBC's Operational Risk Management Framework, HSBC's Controls, Functional Instruction Manual (FIM) and external regulatory requirements.
  • Ensures Architecture adheres to ethical behaviour / HSBC's values.
  • Build key relationships with Risk stewards and the 2nd and 3rd lines of defence (inc. Audit, Compliance and Regulatory Affairs) to ensure close and continuous management of strategic transformation.
  • Manage architecture reviews through the appropriate governance mechanisms, ensuring peer review of all activities.
Requirements

Functional Knowledge

  • Demonstrate knowledge of financial services, with a particular focus on the implications of Application Security, Threat and Vulnerability Management for HSBC's three global businesses and supporting functions. Able to translate business needs into appropriate technology solutions.
  • Extensive experience in senior Architecture / Cybersecurity roles within large scale, complex and international organisations.
  • Knowledge of the external environment and drivers - regulatory, political, competitor and market.
  • Experience of managing within a complex matrix environment, globally across cultures.
  • Excellent people, communication and leadership skills and ability to establish effective collaborative relations with senior stakeholders across multiple functions.
  • Proven track record driving complex enterprise-wide programmes critical to business performance.
  • Experience in planning and managing significant expenditure in a complex organisation, with deep financial and commercial awareness.
  • Have an Architecture, Cybersecurity and system engineering background; and the ability to compare and contrast different solutions to meet a business requirement.
  • Provide technical thought leadership in evaluation of new technologies to meet business requirements and influence key stakeholders through to adoption.
  • Strong analytical and troubleshooting skills - desire to solve complex problems at scale. Provide expert knowledge & expertise in design of the following key application security and vulnerability management capabilities:
    • Proven experience in driving an SDLC and DevSecOps shared responsibility culture
    • Proven experience in migrating away from Agile/Waterfall to a practice of integrating security testing at every stage of the software development process, including tooling and processes that encourage collaboration between developers, security specialists, and operation teams to build software that is both efficient and secure.
    • Proven experience of integrating tooling (e.g. SAST, DAST, IAST, container security) and practices (e.g. Policy-as-Code) within DevSecOps pipelines (Jenkins, GitHub, Chef, Ansible, Nexus, etc.).
    • Excellent understanding of platform-specific security risks, common vulnerabilities for web and mobile applications, micro-services (REST, SOAP) architecture and their mitigations
    • Good understanding of security flaws in common programming languages
    • Demonstrate effective treatment strategies to minimize the likelihood that malicious actors can gain unauthorized access to applications or their data.
    • Expert awareness of appropriate techniques for security in the public cloud (e.g. GCP, AWS, Azure).
    • Expert awareness of appropriate techniques for mobile and web application security.
    • Proactively identifying, monitoring and managing application vulnerabilities.
    • Threat modelling applications against their own security profile to counteract appropriate malicious events including denial of service attacks, unplanned events and failure of a storage device.
    • Leveraging industry best practice of application security weaknesses including leveraging
    • Expert knowledge of the Common Vulnerability Scoring System (CVSS). Experience with developing enhanced scoring away from severity alone, using contextual information.
    • Expert knowledge of vulnerability management tools (e.g. Tenable, Qualys, Kenna, RiskIQ) and vulnerability Consolidation Platforms (Kenna, Archer, etc.).
    • Expert knowledge of application security testing and tools across secure development platforms, code scanning tools, application testing tools and application shielding tools.
    • Deep knowledge across application, infrastructure, and data technologies enabling business outcomes.
  • Expertise and knowledge of technology trends and how these can be leveraged by HSBC.
  • Significant expertise in: APIs; Cloud computing (GCP and AWS); Event Streaming (Kafka); AI / Machine Learning / GenAI; Platform Engineering; and DevSecOps.
  • Hands-on expertise in multiple coding languages (e.g. Java, Python, Rust) and software development frameworks.
  • Strong strategic thinking and problem-solving abilities with a track record of driving innovative technical solutions and continuous improvement.
  • Experience of applying modern architecture: APIs, microservices, data foundation, advanced analytics / Machine Learning, and directing Cloud provider capabilities.
  • Recognised expertise through Industry qualifications such as CISSP, CISM, ISSAP, CCSP, etc., contributions in the scientific community, speaking experience, or contributions to the open source community.


This role is based in London / Hybrid.

Opening up a world of opportunity

Being open to different points of view is important for our business and the communities we serve. At HSBC, we're dedicated to creating diverse and inclusive workplaces. Our recruitment processes are accessible to everyone - no matter their gender, ethnicity, disability, religion, sexual orientation, or age.

We take pride in being part of the Disability Confident Scheme. This helps make sure you can be interviewed fairly if you have a disability, long term health condition, or are neurodiverse.

If you'd like to apply for one of our roles and need adjustments made, please get in touch with our Recruitment Helpdesk:
