J.P. Morgan is beefing up its technology risk team in Asia as cyber security becomes increasingly important to its business, according to Sophia Leung, the firm’s head of IT risk and security management for the region. But hiring is tricky due to a shortage of IT risk professionals who understand the complex needs of large banks.
Leung, who has a biochemistry degree and an executive MBA, joined J.P. Morgan in Hong Kong in September 2011. She started her career as an IT trainee at Morgan Stanley in New York and spent more than 19 years at the bank, most recently as head of IT risk and security management for Asia Pacific.
She spoke to eFinancialCareers about her ideal candidate, why IT risk is a stable career, and how she’s thrived in the male-dominated world of banking technology.
There are two main reasons. First, regulatory pressure is increasing in Asia, not only because of new financial regulations, but because the regulators are placing more intense scrutiny on whether banks' IT systems are complying with their rules. They conduct more frequent check-ups and demand clear evidence of compliance. Second, external threats to the business are growing. Cyber security isn’t just about small-scale fraud anymore; it can potentially cause a lot of damage to banks because we rely so much on technology. IT risk is a key area of focus in operational risk.
I can’t provide exact numbers, but we are hiring this year because IT risk is business critical. We’re recruiting three main types of risk managers [RMs]. Firstly, RMs who are aligned to a broad area of information security across the bank; second, location RMs who take an overview of one particular country/market; and third, RMs for different business lines, like investment banking or corporate banking. Last year in Asia, we made a couple of senior hires at executive-director level and we also continue to hire graduates.
You may have the relevant IT certifications, CISSP and the like, but ultimately it’s risk experience that matters most. You need to draw on this experience to understand the practical implications of any IT issues that crop up, sometimes unexpectedly. I don’t want people who just administer company policies and can’t adapt to change. You also need to understand the technology to be credible in this job. Some of my staff have spent 20 years or more in IT.
Experienced IT risk managers are not very available, especially in Asia where the risk and security market is less mature than in the US or Europe. And not many people have experience at organisations that have technology on the scale and complexity of J.P. Morgan.
Ideally we want people from a bank of the same size, but that’s not always possible. So we consider professionals from large organisations that are, like us, heavily reliant on technology, for example non-banking financial firms, consulting firms, engineering companies, IT vendors and government defence departments.
We do, and not just because there’s a skill shortage in Asia. We’re a global firm and many of the regulations and threats we’re dealing with are global, so we benefit from getting the best global talent on board.
IT risk started to move up the agenda six or seven years ago as regulations like Sarbanes–Oxley and Basel II were having a major impact on IT. I made MD at my old firm on the back of heading up IT risk, which shows you how seriously banks have taken the function recently.
I stumbled upon it. After I finished my undergraduate degree with Barnard College, Columbia University in New York and completed my EMBA with HKUST/Kellogg University in Hong Kong in the early 90s, I considered going to grad school, but then I found out about these training programmes at the big Wall Street firms where you could learn on the job. It’s like being paid to go to school, so I went for it. I’ve been in the industry ever since.
I don’t believe that being a woman has held me back. I’ve worked hard and been lucky to have great senior role models and managers in IT, including female ones. For banks to encourage more women to work for them, they need to offer a supportive and inclusive work environment to help women manage their work and personal needs.
Technology drives our firm, so top management have made IT risk a priority. There’s a lot of support above me, which makes my job easier. With the various compliance issues and IT threats only set to grow, I think demand for IT risk professionals will also grow for the foreseeable future. If you perform well, it can be a great career.