Overview

Third‑Party Cyber Risk Governance, Cloud & Third-Party Cyber Risk, Group Cyber & Technology Risk, Group Risk Jobs in Federal Territory of Kuala Lumpur, Malaysia at Maybank

Title: Third‑Party Cyber Risk Governance, Cloud & Third-Party Cyber Risk, Group Cyber & Technology Risk, Group Risk

Company: Maybank

Location: Federal Territory of Kuala Lumpur, Malaysia

Job Responsibilities:

This role provides independent second‑line cyber risk oversight, governance, and assurance over third‑party engagements involving technology, data, and cloud services. It supports a federated operating model where first‑line ownership remains with business, procurement, and technology teams, while the role defines cyber risk standards, provides independent challenge, and delivers management and regulators with a clear view of third‑party cyber risk exposure. This role operates in alignment with Group Third‑Party Risk Management and Enterprise Risk frameworks, focusing on cyber risk governance rather than end‑to‑end third‑party risk ownership.

Third‑Party Cyber Risk Governance & Standards

  • Define and maintain cyber and technology third‑party risk standards aligned to Group TPRM and enterprise risk frameworks.
  • Provide oversight and challenge on how standards are applied by first‑line teams.
  • Identify systemic, concentration, and supply chain cyber risks for governance visibility and escalation purposes, without assuming responsibility for first line mitigation activities.

Third‑Party Due Diligence & Risk Challenge

  • Provide independent cyber risk challenge on Third‑Party Risk Assessments (TPRA) performed by first‑line owners.
  • Review cyber, data protection, and cloud‑related contractual risk considerations.

Continuous Oversight & Assurance

  • Independently review and challenge continuous monitoring outputs produced by first‑line teams, vendors, or risk platforms, without performing operational monitoring activities.
  • Escalate systemic or high‑impact third‑party cyber risks to governance forums.

Third‑Party Cyber Risk Reporting & Metrics

  • Define and report cyber third‑party KRIs and risk insights.
  • Track audit and regulatory issues related to third‑party cyber risk.

Second‑Line Advisory Independence & Scope Boundaries

  • Provide independent second‑line cyber risk governance and oversight over third‑party engagements without owning vendor onboarding, due diligence execution, or remediation activities.
  • Operate within a federated third‑party risk model aligned to Group Third‑Party Risk Management and Enterprise Risk

Job Requirements:

  • Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, Risk Management, or related discipline.
  • Master’s Degree or postgraduate qualification in Information Security, Technology Risk, or Enterprise Risk Management.
  • Experienced in third‑party cyber risk, technology risk, cybersecurity, or assurance roles.
  • Having any of these certifications is a plus (but not mandatory): CISM, CISSP, CRISC, CISA, any related Third-Party certifications.
  • Demonstrated experience operating in a second‑line risk or governance function
  • Experience engaging with regulators, auditors, procurement, and senior stakeholders.
  • Strong knowledge of international standards (NIST, ISO 27001, CIS) and regional regulatory requirements (e.g., BNM RMIT, MAS).
  • Deep expertise in concentration risk, and systemic third-party risk.
  • Proven ability to work cross-functionally with stakeholders across risk, procurement, legal and business functions.
  • Experience designing and scaling third-party risk assessment methodologies.
  • Strong executive communication skills, including Board and regulator engagement.
  • Familiarity with GRC and Cyber Risk Management platforms.
Upload your CV/resume or any other relevant file. Max. file size: 800 MB.