Coins.ph
Chief Security Officer
Date Posted
Department: Security
Location: Taguig City, Metro Manila, Philippines
Key Responsibilities
As the top security leader of the company, the CSO is fully responsible for formulating and implementing the company's overall security strategy, building a comprehensive, systematic, and compliant security system covering digital currency exchange, payment business, and global operations. This role will lead the security team to identify, assess, and mitigate all types of security risks (cyber security, physical security, data security, operational security, compliance security), ensure the company's business complies with global security-related regulatory requirements, respond to security incidents efficiently, and maintain the company's security reputation and user trust.
1. Security Strategy & Governance
Develop the company's long-term and short-term security strategy, security roadmap, and risk appetite, aligning with business development goals and global regulatory requirements.
Establish and improve the company's security governance system, including security policies, standards, processes, and operating procedures, and drive their implementation and oversight across the entire company.
Lead the formulation of security assessment indicators, conduct regular security risk assessments, security audits, and compliance reviews, and issue security reports to the CEO and board of directors.
Coordinate cross-departmental security work and promote the integration of security into product design, technology development, business operations, and every other stage of the business (Shift-Left Security).
2. Cyber Security & Technical Defense
Lead the construction and operation of the company's cyber security system, including network security, application security, endpoint security, cloud security, and blockchain security (on-chain security, wallet security).
Manage the Security Operations Center (SOC), establish real-time monitoring, threat detection, and emergency response mechanisms, and promptly respond to cyber attacks (such as phishing, DDoS, ransomware, data breaches, and on-chain attacks).
Promote security technology research and application, including AI-driven threat intelligence analysis, automated vulnerability scanning, penetration testing, and security automation and orchestration (SOAR).
Take responsibility for the security of the company's core systems (trading system, payment system, wallet system, user data system) to prevent system vulnerabilities, data leaks, and malicious attacks.
3. Asset & Physical Security
Formulate and implement the company's asset security strategy, including the security management of digital assets (cold/hot wallet security, private key management, fund isolation, and anti-theft mechanisms).
Establish and manage the company's physical security system, including office areas, computer rooms, and data centers, covering access control, video surveillance, fire protection, and anti-theft measures.
Coordinate with third-party security service providers (such as security guards, security technology companies) to ensure the physical security of the company's premises and assets.
4. Security Compliance & Regulatory Alignment
Ensure the company's security work complies with global regulatory requirements related to digital currency and payment services, including FATF recommendations, MiCA, local regulatory requirements for major markets (such as Hong Kong SFC, US regulatory requirements), and data protection laws (GDPR, etc.).
Cooperate with the compliance team to complete security-related compliance filings, audits, and inspections, and respond to regulatory inquiries and requirements.
Establish security compliance training and awareness promotion mechanisms to improve the security compliance awareness of all employees.
5. Security Incident Response & Crisis Management
Develop and improve security incident emergency response plans, lead the handling of major security incidents (such as data breaches, cyber attacks, asset theft, and security compliance incidents), and minimize losses.
Conduct post-incident reviews, root cause analysis, summarize experience, and optimize security systems and processes to prevent similar incidents from recurring.
Manage security crisis public relations, coordinate with relevant departments to release information, and maintain the company's brand reputation and user trust.
6. Team Building & Talent Development
Build, manage, and develop the security team, formulate team OKRs and performance assessment systems, and cultivate a pipeline of professional security talent.
Guide the professional growth of team members, organize security training and technical exchanges, and improve the team's overall security capabilities.
Establish cooperative relationships with industry security organizations, security vendors, and regulatory authorities to track the latest security trends and technologies.
7. Security Collaboration & Ecosystem Construction
Collaborate with product, technology, operations, compliance, customer service, and other departments to integrate security requirements into business processes and product iterations.
Establish security cooperation mechanisms with partners (such as payment channels, liquidity providers, and custodians) to ensure the security of the entire business ecosystem.
Participate in industry security exchanges and standards formulation, and enhance the company's influence in the digital currency security field.
Requirements
- Experience: 10+ years of information security and risk management experience, 5+ years of CSO or equivalent senior security management experience in compliant digital currency exchanges, payment institutions, or financial technology companies; deep understanding of the digital currency trading and payment business model, end-to-end business processes, and security pain points.
- Professional Expertise: Proficient in cyber security, network security, application security, data security, blockchain security, and digital asset security management; familiar with global digital currency and payment security regulatory frameworks (FATF, MiCA, SFC, etc.) and compliance requirements, with experience in handling security compliance audits and regulatory inspections; rich experience in security incident response, crisis management, and security system construction, able to handle complex security incidents independently; understanding of security technologies and tools (such as SOC, SIEM, vulnerability scanning, penetration testing, encryption technology, and wallet security technology), with the ability to guide technical team implementation.
- Regulatory & Compliance Awareness: Strong sense of compliance and risk control, able to accurately grasp global security regulatory trends, and ensure that the company's security work meets regulatory requirements.
- Leadership & Management: Excellent leadership and team management capabilities, able to build and lead a high-performance security team; strong cross-departmental coordination and resource integration capabilities.
- Communication Skills: Excellent oral and written communication skills in both Chinese and English, able to effectively communicate with regulatory authorities, partners, and internal teams.
- Education: Bachelor's degree or above in Computer Science, Information Security, Cybersecurity, Finance, Law, or related fields; professional certifications such as CISSP, CISM, CISA, CRISC, or ACAMS are preferred.
- Has experience in license application and compliance operation for digital currency exchanges and payment institutions in major global markets (such as Hong Kong, the United States, the European Union).
- Rich experience in on-chain security analysis, DeFi risk control, digital asset custody security, and anti-money laundering (AML) practice in the crypto industry.
- Has experience in leading the handling of major cyber security incidents (such as on-chain attacks, data breaches) in the crypto industry and has a complete incident handling and review system.
- Familiar with the latest global cyber security technologies and threat trends, and has experience in promoting the application of innovative security technologies (such as AI security, zero-trust architecture).
Preferred Qualifications
Remote: Yes
Salary: N/A