The Apex Group was established in Bermuda in 2003 and is now one of the world’s largest fund administration and middle office solutions providers.
Our business is unique in its ability to reach globally, service locally and provide cross-jurisdictional services. With our clients at the heart of everything we do, our hard-working team has successfully delivered on an unprecedented growth and transformation journey, and we are now represented by over circa 13,000 employees across 112 offices worldwide.Your career with us should reflect your energy and passion.
That’s why, at Apex Group, we will do more than simply ‘empower’ you. We will work to supercharge your unique skills and experience.
Take the lead and we’ll give you the support you need to be at the top of your game. And we offer you the freedom to be a positive disrupter and turn big ideas into bold, industry-changing realities.
For our business, for clients, and for you
Role Overview:
This role governs, monitors, and continuously improves IT & Cyber risk metrics so they are
fit for purpose, aligned with Cyber Strategy, and meet expectations set by the Group CISO.
Operating within Banking, Finance, and Hedge Fund environments, the role ensures metrics
reflect financial risk exposure, operational resilience, and compliance with global regulatory
frameworks. The role leads the annual Risk & Control Self-Assessment (RCSA) and provides
strategic inputs to the Technology Risk Forum.
Key Responsibilities:
• Metrics Governance & Cyber Strategy Alignment: Define, review, and maintain IT &
Cyber KRIs/KPIs in line with Cyber Strategy and Group CISO directives; map to risk
appetite thresholds and business services.
• Continuous Improvement & Remediation: Monitor failing metrics; lead root cause
analysis and remediation plans. Implement a Metric Rewrite Protocol for metrics that
consistently fail or are misaligned.
• RCSA Execution: Lead annual RCSA across technology domains; ensure residual risk
remains within appetite and align methodology with Group CISO expectations.
• Strategic Reporting & Governance: Provide decision-ready inputs to the Technology
Risk Forum: posture, trends, material events, remediation, and asks.
• Compliance & Regulatory Alignment (Global): Maintain cross-framework control
mapping and evidence across ISO/IEC 27001:2022, NIST CSF 2.0, COBIT, ISO 31000;
and regulations/obligations including SOX 404, GDPR, DORA (EU), PCI DSS v4.0, and
applicable regional rules (e.g., FFIEC/US, UK PRA/FCA, MAS TRM, HKMA, APRA CPS
234).
• Stakeholder Engagement: Liaise with Application, Infrastructure, Service Owners, SOC,
IT Ops, Risk, Compliance, and external auditors/regulators. Influence remediation and
strategic risk initiatives.
• Automation & Reporting: Partner with BI/GRC teams to deliver automated dashboards
and single source of truth for metric definitions, thresholds, owners, and evidence.
• Execute delegated tasks as deemed appropriate by the Group CISO and other
empowered Group Cyber leadership authorities, ensuring timely and effective
completion in alignment with organizational priorities.
• Support the Group Cyber Strategy end-to-end, driving alignment of all activities,
decisions, and deliverables with strategic objectives and business outcomes.
Candidate Profile:
Experience:
• 10–15+ years in IT/Cyber Risk, GRC, or Technical Assurance within financial services.
• Hands-on designing/operating KRIs/KPIs and turning failing metrics green.
• Led RCSA and audit/regulator engagements across multiple regions.
Skills:
• Technical: vulnerability and patch governance, IAM/PAM, cloud security, incident
response, DR/BC, change risk.
• Risk & Compliance: appetite, control frameworks (ISO 27001, NIST CSF, COBIT, ISO
31000), SOX 404, DORA, GDPR, PCI DSS.
• Tooling: GRC platforms (ServiceNow/Archer), dashboards (Power BI/Tableau), CMDB,
ticketing (ServiceNow/Jira).
• Soft Skills: communication, articulation, presentation, stakeholder influence, executive
narratives.
Preferred Certifications:
• - CISM / CRISC
• - ISO 27001 Lead Auditor
• - ITIL
• - Cloud security certs (AWS/Azure/GCP
Disclaimer: Unsolicited CVs sent to Apex (Talent Acquisition Team or Hiring Managers) by recruitment agencies will not be accepted for this position. Apex operates a direct sourcing model and where agency assistance is required, the Talent Acquisition team will engage directly with our exclusive recruitment partners.
