Country Information Security Head

Shanghai, China, Asia | June 9, 2023

Job Description

The China Information Security Lead (CISO) is accountable for all IS activities, including but not limited to oversight of IS and Cyber Risk Management for the Franchise and its processes, and also supports the APAC region when needed. The CISO will support the Country and the APAC region and work closely with Business, Operations & Technology teams and the overall ISO community to oversee and monitor adherence to Citi IS Policy and Standards, manage risk and provide Business advice on Information Security.

Reports to APAC Head of Information Security Services and Country O&T Head.

Key Responsibilities

Focuses on Key CISO activities:

  • Ensure IS Risk Assessments (ISRAs) are conducted for Projects, Applications, and Third Party Outsourcing arrangements in accordance with Citi Standards by partnering with Technology and the Business, and determine the impact of control deficiencies
  • Participate in industry forums and stay close to evolving Chinese regulations to provide subject matter expert feedback. Ensure new and updated information and cyber security regulations are assessed for impact in a timely manner by partnering with the ISO community, Technology and Business
  • Provides direction and guidance to the team to:
    • Assist in the definition and implementation of IS standards at the business level to ensure that procedures and practices comply with Citi standards.
    • Develop corrective action language for all IS-related gaps and approve all closures by reviewing evidence to ensure the closure meets Citi requirements or industry best practices
    • Collaborate to create Risk Acceptances (RAs), Risk Exceptions (REs), and Corrective Action Plans (CAPs) in the appropriate tools
    • Support business on IS matters during audit reviews and regulatory inspections
    • Help security incident response teams resolve and close the investigation of incidents with proactive suggestions
    • Validate third party issues and ensure management’s awareness of the risk involved
  • Provide information and cyber security awareness training
  • Provides periodic IS risk management reports to the business in business language, highlighting key issues and corrective action plans
  • Lead the country Cyber exercise engagement along with the Cyber Exercise team and country business Subject Matter Experts (SME)
  • Ensures oversight of, and compliance with, the IS and Cyber security risks and controls within the business, including programs, policies, and related reporting

Acts as a business partner

  • Communicates and interacts regularly with employees and business management on IS related programs, policies, and standards
  • Communicates with the Business GISOs and business managers; escalates as appropriate
  • Actively support and manage any regulatory engagement and advocacy for the country along with the Country Officer (CCO) and other seniors, working in conjunction with, and on the advice of, the global and regional teams
  • Provides general IS consulting services including interpretation and/or clarification
  • Participates in the IS community on committees and cross-business / functional opportunities
  • Enforces compliance; demonstrates extensive understanding of IS standards and best practices across multiple disciplines
  • Engages a Technical Information Security Officer (TISO), SME or another senior ISO where additional technical and/or Subject Matter knowledge is required
  • Educates and advises the business on safe IS practices and current, changing, and/or recommended IS requirements
  • Plans and executes the IS strategy
  • Articulates the value of IS controls and their bottom-line impact
  • Partners with business coordinators in other disciplines; e.g., Business Continuity Management (BCM), Records Management, Fraud Management, etc.
  • Leverages the ISO network to pool resources, seek out best practices, and create efficiencies
  • Work with the regulator, Association of Banks, Compliance and other Financial Institutions as needed
  • Support business to address instances of non-compliance in business processes/procedures, applications and outsourcing
  • Integrates IS in the day-to-day operations and culture of the business
  • Exercises oversight of the IS programs within the business, including programs, policies, and related reporting.

Builds and maintains supportive networks with key stakeholders and colleagues

  • Partners with application manager, GIDA or TISO as needed to address specific technical needs or requirements
  • Participate and where needed lead regional IS initiatives
  • Assist Country O&T and Business in preparation of Audit Risk and Reviews, by identifying deficiencies against Information Security Standards, construction of remediation plans and adherence to issue management standards by way of ensuring that Corrective Action Plans and Risk Acceptances are in place, including ad-hoc IS Risk related initiatives and projects.
  • Communicate regularly with the Regional and Group Information Security Officer to implement global and regional IS initiatives within the business.


  • Solid risk management skills and Information Security knowledge
  • Knowledge of key government regulations and local laws
  • Excellent consulting and problem solving skills
  • Able to convey ideas, advice and resolution options to senior management and staff to enable the business
  • Cyber and Information Security knowledge with a business acumen to be able to engage both business and technology teams.
  • In depth knowledge of IS programs and ability to influence stakeholders to execute on time
  • Able to work with senior business management to implement IS strategy.
  • Industry certifications: either one of CISA/CISSP/CISM preferred; the successful candidate will be expected to obtain an IS industry certification if not already held
  • Degree: at least a Bachelor’s degree in Computer Science/Engineering/Business/Finance; Master’s degree a plus

Desired Work Experience

  • At least 10 years in a similar ISO or risk and control role, or significant relevant business experience; total work experience of at least 15 years

Other Requirements

  • Excellent consulting and problem-solving/analytical skills.
  • Advanced presentation skills and program management
  • Good business communication skills
  • High integrity, team-player, proactive, service-oriented and has good people-skills.
  • Proven ability to manage multiple tasks and priorities.
  • Ability to manage tight time frames and communicate effectively with peers and management.
  • Flexibility to adapt to changing demands and priorities.

Education Level:  Bachelor's Degree

Primary Location: APAC-China

Job Category: Technology

Schedule: Fulltime


Job Family: Information Security

Time Type: Full time


Citi is an equal opportunity and affirmative action employer.

Qualified applicants will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

Citigroup Inc. and its subsidiaries ("Citi") invite all qualified interested applicants to apply for career opportunities. If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity, review Accessibility at Citi.
