Sun Life

Associate Director, Information Security

  • Posted 16 days ago

Job Description

About the Role

The Information Security Lead is accountable for overseeing & coordinating the organization's information security initiatives to protect Sun Life systems, data & digital platforms. The role ensures effective implementation of security controls, supports regulatory compliance, manages cyber risks, and enables secure business operations while aligning with the company's strategic objectives.

Responsibilities

  • Serve as the primary Information Security contact for the Business Unit.
  • Coordinate with global and regional security teams to ensure effective rollout of security policies, controls, and tools.
  • Work with the global security advisory team to support local risk assessments, audits, regulatory reviews, and third-party security due diligence.
  • Support the global security advisory for local business initiatives, projects, and technology changes.
  • Facilitate incident coordination with global SOC/SIRT teams and support post-incident actions.
  • Collaborate with IT, Risk, Compliance, and Privacy functions to ensure regulatory alignment.
  • Drive BU-level security awareness initiatives using global/regional content.
  • Track and report BU security posture, risks, gaps, and remediation progress.
  • Lead and manage the day-to-day activities and development of the IT security and governance team, and act as subject matter expert in IT Security & Governance, providing high-level consultation and guidance to the IT team and/or business users.
  • Formulate action plans, and track, report on, and ensure timely resolution of all relevant incidents, problems, and audit findings.
  • Lead coordination and work closely with other IT team stakeholders to support External and Internal Audit activities related to IT General Control Audit (ITGC), ISO 27001 and Business Internal Audit, specifically in the area of Information Security.

Qualifications

  • 8–12 years of experience in Information Security, Risk Management, or Security Governance.
  • Strong understanding of ISO 27001, NIST CSF, and general cybersecurity practices.
  • Experience working in matrixed global–regional–local environments.
  • Knowledge of data protection and cybersecurity regulations.

Required Skills

  • Strong background and fundamentals in general IT areas such as networking, operating systems, cloud platforms, and identity and access management.
  • Good understanding of security principles such as the CIA triad, zero trust, least privilege, and threat modeling, and of risk and security governance concepts such as policies, standards and controls.
  • Understanding of key technology and security processes such as incident response, security alerts and handling, patch and vulnerability management workflow, security change management and asset management practices.
  • Excellent communication and stakeholder management skills; ability to influence without authority.
  • Clear written communication skills for writing reports, user guidance, or memos.
  • Curiosity and willingness to learn.
  • Ability to work under pressure during incidents.
  • Fluency in English and Vietnamese.

Preferred Skills

  • Certifications such as CISSP, CISM, CRISC, ISO 27001 LA/LI.
  • Experience in insurance, BFSI, technology services, or other regulated industries.
  • Exposure to cloud environments (AWS) is a plus.
  • Strong sense of ownership and accountability.
  • Able to work effectively both independently and as part of a team; self-motivated and deadline-driven.
  • Goal-oriented and able to work with other teams to achieve goals.
  • Take a broad organizational view when solving problems.
  • Build and maintain influential relationships with senior management (both Technology and business).

Communication scope

  • Internal – works closely with senior management and respective stakeholders to enable communication. Fosters interdepartmental cooperation.
  • External – establishes and maintains working relationships with technology suppliers and outsourcing vendors. Develops industry-related professional contacts. Actively participates in industry-related seminars and workshops.

Job ID: 147547165