Regional Information Security Manager - APAC

Apex Group Ltd (UK Branch)

IT
Melbourne, VIC, Australia
Posted on Mar 24, 2026

The Apex Group was established in Bermuda in 2003 and is now one of the world’s largest fund administration and middle office solutions providers.

Our business is unique in its ability to reach globally, service locally and provide cross-jurisdictional services. With our clients at the heart of everything we do, our hard-working team has successfully delivered on an unprecedented growth and transformation journey, and we are now represented by over circa 13,000 employees across 112 offices worldwide.

Your career with us should reflect your energy and passion.

That’s why, at Apex Group, we will do more than simply ‘empower’ you. We will work to supercharge your unique skills and experience.

Take the lead and we’ll give you the support you need to be at the top of your game. And we offer you the freedom to be a positive disrupter and turn big ideas into bold, industry-changing realities.

For our business, for clients, and for you

Regional Information Security Manager – APAC

Location: Melbourne

Lead the APAC regional technical risk team to govern, monitor, and continuously improve information security and cyber risk exposure in alignment with Cyber Strategy and Group CISO expectations. Own region-wide KRIs/KPIs, RCSA, issue remediation, and assurance cycles for banking, capital markets, payments, and hedge fund businesses. Ensure conformity and risk alignment with APEX Gold standard, NIST CSF 2.0, ISO/IEC 27001:2022, ISO 31000:2018, COBIT 2019, PCI DSS v4.0/v4.0.1, and APAC-specific regulatory frameworks (e.g., MAS TRM, HKMA technology/cyber guidance, APRA CPS 234) and applicable global obligations (e.g., SOX where relevant to listings).

Job Responsibilities:

  • Define/maintain APAC KRIs/KPIs mapped to risk appetite; implement MQA checks (accuracy, timeliness, completeness), trend monitoring, and breach handling across business services and platforms. Align with NIST CSF 2.0 outcomes (Govern/Identify/Protect/Detect/Respond/Recover) and ISO/IEC 27001:2022 ISMS control environment

  • Lead multi-tower RCSA; calibrate inherent/residual risk to ISO 31000 principles; drive remediation with owners; manage risk acceptances with timebound treatment plans

  • Apply TRM governance (e.g., Board/Senior Mgmt oversight, incident notification timelines, RTOs for critical systems) for Singapore

  • Follow HKMA supervisory cyber approach/circulars and RegTech guidance on cyber risk management and e-banking security enhancements for Hong Kong

  • Ensure board accountability, control testing, asset classification, and 72-hour material incident notification to APRA for Australia

  • Globally maintain conformity with PCI DSS v4.0/v4.0.1 timelines

  • Host the regional information security forum; review and manage all regional information security and compliance risk with regional leads

  • Execute delegated tasks as deemed appropriate by the Group CISO and other empowered Group Cyber leadership authorities, ensuring timely and effective completion in alignment with organizational priorities

  • Support the Group Cyber Strategy end-to-end, driving alignment of all activities, decisions, and deliverables with strategic objectives and business outcomes

  • Deliver monthly APAC posture, KRI/KPI trends, thematic issues, incident learnings, and decision requests. Feed clear, decision-ready inputs to the Technology Risk Forum; coordinate with application/infra/service owners to turn metrics green

  • Orchestrate communication across application/platform owners, SOC, IT Ops, Risk/Compliance, auditors/regulators; present complex topics clearly to senior leadership

  • When metrics are persistently red/non-actionable, perform RCA and cutover to improved definitions/thresholds consistent with Cyber Strategy and Group CISO guidance

  • Partner with BI/GRC teams to embed dashboards and evidence repositories

  • Govern regional KRIs/KPIs and ensure fit-for-purpose metrics mapped to risk appetite

  • Lead annual RCSA with ISO 31000 risk principles; close remediation actions

  • Maintain compliance to APEX Gold standard, NIST CSF 2.0, ISO/IEC 27001:2022, COBIT 2019; sustain PCI DSS v4.0/v4.0.1 for payments

  • Drive a Metric Rewrite Protocol for persistently failing metrics (RCA → redesign → pilot → cutover)

  • Ensure SOX 404 (where applicable) alignment for ICFR/ITGCs; coordinate management assessment and external audit readiness

Skills Required:

  • 5–10 years in information security, cyber risk assurance, or GRC within financial services; proven APAC regulatory delivery (MAS/HKMA/APRA)

  • NIST CSF 2.0, ISO/IEC 27001:2022, ISO 31000, COBIT 2019, PCI DSS v4.0

  • Strong stakeholder management and executive presentation skills

  • Preferred certs: CISM / CRISC, ISO 27001 LA, ISO 31000; cloud security (AWS/Azure/GCP)

What you will get in return:

· A genuinely unique opportunity to be part of an expanding large global business;

· Competitive remuneration commensurate with skills and experience;

· Training and development opportunities

Additional information:

We are an equal opportunity employer and ensure that no applicant is subject to less favourable treatment on the grounds of gender, gender identity, marital status, race, colour, nationality, ethnicity, age, sexual orientation, socio-economic status, responsibilities for dependants, or physical or mental disability. Any hiring decisions are made on the basis of skills, qualifications and experience.

We measure our success as a business, not only by delivering great products and services and continually increasing our assets under administration and market share, but also by how we positively impact people, society and the planet.

For more information on our commitment to Corporate Social Responsibility (CSR), please visit https://www.apexgroup.com/corporate-social-responsibility/

“Personal data provided by job applicant(s) will be used for recruitment purposes only and will be treated strictly confidential. Such personal data can be accessed by different Apex stakeholders within and out of country for the consideration of the job application hereunder. Application made by the job applicant(s) constitutes the irrevocable consent of the job applicant for her/his personal data to be used by Apex stakeholders within or outside country for the purpose of this recruitment.”

Disclaimer: Unsolicited CVs sent to Apex (Talent Acquisition Team or Hiring Managers) by recruitment agencies will not be accepted for this position. Apex operates a direct sourcing model and where agency assistance is required, the Talent Acquisition team will engage directly with our exclusive recruitment partners.