RHB Banking Group

Area Lead, IT Security Excellence

RHB Banking Group  •  Malaysia (Onsite)  •  2 months ago

Job Description

Position: Head, Group IT Security

Overall Responsibility

  • Set the overall direction by formulating and executing a comprehensive Group IT Security strategy for RHB Banking Group (including regional offices), ensuring a secure, resilient, and risk‑minimised IT environment that supports business objectives and complies with all applicable regulatory, legal and industry requirements.
  • The role is accountable for Group‑wide cyber security governance, technology controls, incident readiness, and security culture, while providing strategic advisory to the Board, senior management and regulators.

Key Responsibilities

2.1 Strategy, Governance & Leadership

  • Define, own and continuously evolve the Group IT Security strategy, roadmap, and target maturity model, aligned with business priorities and regulatory expectations
  • Provide independent, strategic IT security and risk advisory to the Group CTO, Senior Management, Board and relevant committees to enable informed risk‑based decisions
  • Establish, maintain and enforce Group IT Security policies, standards, and frameworks, ensuring consistent adoption across Head Office and regional offices
  • Champion and cultivate a strong security and compliance culture across technology and business stakeholders

2.2 Risk Management & Regulatory Compliance

  • Ensure Group compliance with all applicable regulatory, statutory and supervisory requirements related to information security and technology risk
  • Oversee IT security risk identification, assessment, treatment, and reporting, ensuring clear visibility of residual risk to senior stakeholders
  • Act as the primary technology security liaison for regulators, auditors, and independent assessors, including audit issue remediation and closure

2.3 Cyber Security Operations & Incident Management

  • Provide executive oversight of cyber security operations, including threat monitoring, detection, hunting and response capabilities.
  • Serve as the primary control and escalation point for significant cyber and information security incidents, ensuring timely decision‑making, communication, and recovery.
  • Ensure a robust, tested, and continuously improved Cyber Incident Response Plan, supported by 24x7 Security Operations Centre (SOC) capabilities

2.4 Security Architecture & Technology Controls

  • Ensure the design, implementation and effectiveness of defence‑in‑depth security controls across network, endpoint, application, identity and data layers.
  • Provide strategic oversight of security capabilities including (but not limited to):
    • Network and perimeter security (firewalls, IPS, WAF, NAC)
    • Endpoint and workload protection (EDR, XDR, anti‑malware)
    • Identity and access management (IGA, SSO, PAM)
    • Data protection (DLP, encryption, MDM)
    • Threat detection and response platforms (SIEM, SOAR)
  • Act as the security gatekeeper for new systems and major changes, ensuring security‑by‑design through architecture review, assurance, and testing (VA/PT).

2.5 Regional & Group Oversight

  • Provide governance, oversight and assurance to ensure regional offices’ security controls, operations, and maturity are aligned with Group standards and risk appetite.
  • Drive consistency while accommodating justified local regulatory or operational requirements.

2.6 Financial, Vendor & Talent Management

  • Accountable for IT Security budget planning and optimisation, ensuring effective use of CAPEX and OPEX to support strategic priorities.
  • Maintain strong relationships with security principals, vendors, and partners to stay abreast of emerging threats, technologies, and industry trends.
  • Lead resource planning, succession, and talent development, building a high‑performing and future‑ready IT Security organisation.

Key Interfaces

  • Board and Board Committees
  • Group CTO and Senior Management
  • CISO
  • Group Technology Leadership and Architecture Committees
  • Regulators, auditors and external assessors
  • Regional CIO / Technology Heads

Requirements (Qualification / Experience / Skills)

4.1 Education & Professional Certifications

  • Master’s Degree or Bachelor’s Degree in Computer Science, Information Technology, or related discipline
  • Professional certifications (mandatory / strongly preferred):
    • CISSP
    • CISM
    • CISA
    • ISMS / Information Security Management related certification

4.2 Experience

  • Minimum 10 – 15 years of IT / Information Security experience, preferably within the Financial Services Industry
  • At least 10 years in a senior leadership or management role overseeing enterprise‑wide security functions
  • Proven experience engaging Boards, regulators, and senior executives on technology risk and cyber security matters

4.3 Skills & Competencies

  • Strong enterprise‑level understanding of IT security, cyber risk, and regulatory compliance
  • Excellent leadership, stakeholder management, and communication skills
  • Strong analytical, decision‑making, and problem‑solving capabilities
  • Ability to balance security, compliance, and business enablement in a complex, regulated environment

About RHB Banking Group

We are a multinational regional financial services provider that is committed to delivering complete solutions to our clients through differentiated segment offerings and an ecosystem that supports a simple, fast and seamless customer experience, underpinned by a cohesive and inspired workforce and relationships built with stakeholders.

Headquartered and listed in Malaysia, RHB Banking Group is the longest established local bank, formed through the mergers of several banks, the oldest of which was founded in 1913. RHB Banking Group and its subsidiaries provide a full range of services ranging from retail banking, business banking, corporate and investment banking, Islamic banking, transaction banking to treasury, insurance, asset management, private equity and stockbroking services.

TOGETHER WE PROGRESS

Our strong heritage is the foundation of our commitment to continue serving the community. For over 100 years, we have been helping people and businesses grow and succeed, and will continue to do so.

Our experience gives us an in-depth understanding of the needs of our customers and partners, inspiring us to constantly innovate and improve to serve them better. With their unending support, we have established ourselves with a strong footprint throughout Malaysia and we are now present in 9 other countries across the ASEAN region.

We hope our legacy and pursuit of excellence continue as we tirelessly cultivate and nurture the next generation through our actions and words, preparing a brighter future ahead.

We thank those who believe in us and welcome everyone to join us on our exciting journey of progress. The time has come for us to move forward in unison, to realise our greater potential together. Our new brand promise "Together We Progress" honours our past, celebrates the present and welcomes the future.

We invite you to join us as we work towards a better and brighter future for all.

Industry: Finance & Insurance
Company Size: 10,000+ employees
Headquarters: Kuala Lumpur, MY
Year Founded: Unknown