Job Description

COMPANY DESCRIPTION
About the Company JERA Global Markets (JERAGM) is a leading utility-backed seaborne energy trader specialising in LNG, coal and freight. A joint venture between majority shareholder JERA Co., Inc. and EDF Trading, JERAGM\xe2\x80\x99s shareholders are among the world\xe2\x80\x99s largest utilities. JERAGM operates one of the largest energy portfolios in the world which gives it an in-depth understanding of the way local, regional and international energy markets behave. These insights enable it to help its customers increase security of supply, optimise their portfolios and improve the risk management of their assets. JERAGM LNG team manages the flexibility of over 35 million tonnes of supply each year, with structural access to both the European and North American gas markets. The coal team manages 60 million tonnes of supply each year for its shareholders and third-party customers and operates a major coal terminal in the Netherlands. Headquartered in Singapore, JERAGM has a global talent pool of more than 250 people across offices located in four strategic locations: Singapore, Japan (Tokyo), the UK (London) and the US (Baltimore). JERAGM is strongly capitalised with over US$500 million in paid up capital and a total equity of US$3 billion. JERAGM has retained its A+ Stable rating from R&I, attributable to a robust business model and solid financial base.
DESIGNATION : Cyber Security Manager, SG

RESPONSIBILITIES




Position Description: To build and manage the cyber security function with blend of in-house skills and managed partner ecosystem towards managing the level of acceptable cyber risk exposure for JERAGM. Minimise the impact of security incidents by maintaining an effective response capability, collaborate and ensure alignment with JERA and EDFT Trading security policies and directives, support and enable secure business and IT-led change and lead the security teams across all JERAGM office locations.


Main Responsibilities: Risk Management

• Maintain awareness of threat actor tools, techniques and procedures (TTP\xe2\x80\x99s)

• Regularly assess the risk of cyber-attacks by leveraging industry frameworks (e.g., Mitre ATT&CK) and \xe2\x80\x98Adversary Simulation/ Red Team\xe2\x80\x99 assessments

• Maintain the Risk Register and Risk Treatment Plan

• Collaborate with Subject Matter Experts to research, develop and implement risk-mitigation strategies (people, process and technology) to counter current and emerging threats

• Perform architecture reviews, risk and vulnerability assessments on systems, applications, third party and cloud hosted services

• Deliver and/ or coordinate regular phishing simulations and cybersecurity awareness campaigns for JERAGM staff, contractors and consultants.

Incident Response

• Maintain an effective incident response capability comprising a Managed Detection and Response (MDR) service, incident response plan and procedures

• Manage security incidents in accordance with established procedures and industry best practices, working closely with a broad range of stakeholders including internal first responders, subject matter experts (e.g., IT, Legal, Compliance), senior management, specialist forensic investigation providers and the JERA and EDF Trading Group companies as appropriate

• Coordinate regular incident response exercises

• Respond and manage the remediation of suspicious email reported by employees

Governance

• Maintain the JERAGM Information Security policies and collaborate with JERA and EDF Trading counterparts for alignment opportunities.

• Maintain and enforce the company\xe2\x80\x99s security policies, directives and standards

• On a risk based and practicable basis, implement mechanisms to measure compliance (and address non-compliance) with security controls

• Coordinate and/ or perform periodic user access reviews

• Define and report cybersecurity key performance indicators on a monthly basis

• Support internal and external audits and the development of remediation plans

• Assist in developing automation/controls/processes to remediate audit findings

• Provide security governance as part of change control process

Team Management

• Maintain a documented service catalogue with defined roles and responsibilities

• Proactively manage team resources to balance new demands whilst also delivering the agreed security strategy, services and compliance mandates

• Monitor/review/evaluate staff performance, develop staff (skills/competencies as well as mentoring/coaching), delegate and empower team members to achieve their objectives

• Manage the performance of security operations activities to within agreed targets and budget

• Provide thought-leadership and direction (both technical and people-focussed) for seeding and growing a DevSecOps culture within the organisation.

Programme Management

• Manage a continual improvement programme that reduces cyber risk, increases effectiveness and efficiency. Leverage agile methods such as Scrum/Kanban to manage tasks

• Sponsor, build the business case and drive delivery of security change

• Provide trusted information and expertise on cybersecurity by applying a pragmatic "Security by Design" approach

• Co-develop continuous integration and continuous delivery strategies ensuring security is embedded in the development and deployment of cloud services/solutions

• Manage the relationship between the security function and various stakeholders including but not limited to IT, HR, Compliance, Regulatory, Internal Controls, Group companies and third-party service providers

Security Operations

• Evaluate, implement or oversee the implementation of security tools and services

• Keep abreast of new developments in the cybersecurity space and improve our security portfolio with the latest technology as appropriate.

• Contribute to the selection and on-boarding of new security automation tools and cloud security technologies/services, challenging existing designs or implementations where necessary.

QUALIFICATIONS




Experience Required: The successful candidate can demonstrate that they have:

• Strong grasp and experience in applying cloud security principles and risk assessment methodologies in cloud native, borderless and zero-trust architectures.

• Experience in evaluating, onboarding and managing 3rd party partner capabilities, complemented with inhouse skills in building an effective and right-sourced information security framework.

• Domain expertise of cloud infrastructure compute, network and storage as well as the cloud control plane. Experience of working within a DevOps environment including agile, CI/CD, and embedding security within the software development lifecycle (i.e., \xe2\x80\x9cSecurity Shift-Left\xe2\x80\x9d)

• Experience developing security management tools on, or hardening of cloud platforms (preferably Azure)

• Familiarity with cloud security solutions/tools (e.g., CASB, SASE, SAST, CSPM, CIEM etc.)

• Awareness of continuous security monitoring in a cloud context, for automating security management (e.g., vulnerability detection, monitoring cloud configurations, identities and their entitlements, and data security etc)

• Utilised vulnerability assessment tooling to identify vulnerabilities in Windows client and server OS, applications, network, storage and cloud infrastructure

• Performed architectural level security risk assessments of systems/ applications, provided solutions to mitigate risks and managed the treatment of risks through to completion

• Implemented or worked hands on with common security technologies including but not limited to firewalls, anti-malware, email security, intrusion prevention systems, application whitelisting and log monitoring. Must be capable of analysing and proposing improvements to security configurations

• Has implemented or supported the delivery of operating system and application hardening

• Has scoped, managed and coordinated penetration tests or red team engagements, and can demonstrate knowledge of penetration testing methodologies

• Developed cybersecurity incident use cases and response processes and procedures

• Managed and/ or provided the lead for security incident investigations

• In depth knowledge and strong experience in managing, controlling and securing access to business-critical applications

• Experience of IT operational security, data protection and legal requirements around all aspects of security, including CCTV, physical and logical security, cybercrime, leakage protection, monitoring and surveillance

• Proven capability to develop enterprise security strategies, policies, guidance and procedures

• Strong experience in representing the security needs of an organisation in IT projects with regards to system access security issues

• Demonstrable understanding of current security issues, latest security concerns and market trends, potentially gained through membership of or affiliation with information security organisations / groups

• Direct line management experience, ideally with oversight of Information Security, including running information security operations

• Have exposure to and utilised project management methodologies (e.g., Scrum/Kanban)

• Ideally the above knowledge and experience will have been gained in a financial environment using both third party and in house developed software solutions

Technical Requirements:

• Bachelor\xe2\x80\x99s degree, ideally in Computer Science or an equivalent combination of training and professional working experience

• Has considerable experience in the application security controls to mitigate specific risks or issues based on best practice control frameworks including Mitre ATT&CK, ISO 27001, CIS or NIST and how to apply in the context of cyber defence

• Proven professional experience with operational security of server and network operating systems/technologies (Azure Active Directory, Microsoft 365, Microsoft Exchange Online, Mimecast, Microsoft Intune, Microsoft Azure, Cisco Meraki, SD-WAN/SASE, IP and Application Firewalls, IDS, Digital Certificates, and Azure SQL database security, DLP, Log Management/SIEM)

• CCSP, CISSP or CISM Certification would be preferable

Person Specification:

• Ability to work with demanding users in a fast-paced trading floor environment

• Ability to lead and inspire direct reports to deliver high quality results.

• Able to delegate tasks and assign responsibilities

• An advocate for DevSecOps practices and security standards in the organisation

• Capacity to drive change to business practices by working effectively with all levels of stakeholders in a high-pressure environment

• Committed to continuous improvement.

• Ability to communicate complex concepts to non-technical staff

• Highly motivated to deliver results and \xe2\x80\x98go the extra mile\xe2\x80\x99 to meet deadlines

• Hands-on approach, flexible with a positive outlook

• Ability to understand business processes quickly

• Excellent interpersonal / relation building skills and ability to successfully manage client relationships

• Attention to detail and strong focus on accuracy of information