Business Information Security Officer
Job description
The firm's ability to keep our clients' data secure is a bedrock for our reputation as a trustworthy professional services partner to many of the world's large and prestigious organisations. Information security is not an afterthought; it is core to all that we do, to protect not only our data but that of our clients, and has the unwavering support of the Board. The in-house Information Security team is a core part of our technology services structure with mature or evolving capability across all areas of digital security and cyber defence. We align our efforts to the NIST framework and other recognised certifications including ISO 27001 and SOC 2, and strive to keep pace with the continually evolving threat landscape, in support of A&O Shearman's strategy to lead where global complexity creates opportunity. In addition, you will have the opportunity to share and gain intel from the firm's cybersecurity lawyers. The global team have experience advising clients on hundreds of incidents. Leveraging this experience, they feed practical lessons learned back into clients' cyber risk management and incident response programmes.
Role purpose
The APAC Business Information Security Officer (BISO) is responsible for aligning and implementing the firm's global information security strategy across the Asia-Pacific region. Acting as a trusted liaison between the global information security leadership and regional stakeholders, the BISO ensures that global directives are effectively executed while addressing region-specific challenges. The role supports both global and regional teams by identifying solutions that balance local constraints with global security objectives.
What you will do
APAC Regional Advocacy and Strategic Alignment:
- Act as the primary liaison between the Global CISO and regional leadership, IT, and information security teams, ensuring that directives and initiatives are implemented at the regional level across all business units in the APAC region.
- Build and maintain a strategic roadmap for the region which aligns with both business and client priorities, making use of an intimate understanding of the regional business.
- Ensure regional understanding and alignment with the firm's global information security strategies, goals, and objectives.
- Advocate for global security initiatives and secure buy-in from regional business and IT stakeholders.
- Serve as a trusted advisor to APAC Partners and business units on:
  - Global security strategy
  - Emerging threats in the legal sector
  - Security initiatives in other regions
  - Other relevant developments
APAC Regional Compliance and Policy Development:
- Assist in developing and maintaining global information security policies, incorporating region-specific requirements where necessary.
- Ensure compliance with local regulations (e.g., GDPR) and industry standards (e.g., ISO 27001, NIST CSF).
- Monitor and enforce compliance with global policies across regional business units.
- Provide compliance guidance to regional stakeholders.
- Develop and maintain regional security performance metrics and dashboards for leadership reporting.
APAC Regional Support and Implementation:
- Support global and regional teams in overcoming region-specific barriers to initiative delivery.
- Communicate regional concerns to global leadership and facilitate mutually acceptable solutions.
- Lead the implementation of region-specific security initiatives aligned with global strategy.
- Advise stakeholders on regional and global security threats and risk levels.
- Maintain a regional risk register and report key risks to the Global CISO and regional leadership.
- Enhance security awareness across APAC business units.
- Collaborate with HR and Learning & Development to deliver targeted training and capability-building programs.
Operational Oversight:
- Act as the regional escalation point for security incidents and coordinate with global incident response teams.
- Oversee third-party vendor assessments to ensure compliance with security standards.
- Contribute to regional security budgeting and resource planning to ensure adequate support for regional strategic initiatives and operational resilience, without undermining the plans and objectives of the global firm.
Requirements
- Minimum 8 years of experience in information security, with a strong focus on risk management and compliance.
- Proven experience in a global organisation, ideally within the legal or professional services sector.
- In-depth knowledge of data protection regulations (e.g., GDPR) and industry standards (e.g., ISO 27001, NIST CSF, SOC 2).
- Strong leadership, communication, and interpersonal skills with the ability to influence stakeholders at all levels.
- Ability to manage multiple priorities in a fast-paced, dynamic environment.
- Industry-recognised certifications such as CISSP, CISM, CRISC, or CISA.
Desirable:
- Bachelor's degree in Computer Science, Information Security, or a related field.
- At least 2 years of leadership experience in the legal sector.
- Proficiency in one or more APAC regional languages in addition to English.
- Ability to communicate complex cybersecurity concepts to non-technical audiences.
- Experience leading cyber risk transformation initiatives in matrixed organisations.
- Broad cyber security knowledge across people, processes, technology, and incident management.
Benefits & conditions
We recognise that our people are our most valuable asset, which is reflected in the wide range of benefits that are available to our employees. Some of these benefits include: our occupational pension scheme, group income protection cover, private medical insurance, mental health resources and free apps, health and wellbeing services encompassing GP service, emergency back-up care support, parental and special leave, holiday entitlement increasing with length of service, holiday trading, online discounts and lifestyle management services.