
Cyber Risk & Policy Owner

HOYA HOLDINGS ASIA PACIFIC PTE LTD

Singapore

On-site

SGD 100,000 - 140,000

Full time

Yesterday

Job summary

A global technology company based in Singapore is seeking a Cyber Risk and Policy Owner. This role encompasses establishing a comprehensive cyber risk management program and ensuring compliance with security policies. Candidates should possess a Bachelor's degree in Cybersecurity or IT, along with relevant certifications. The ideal individual will have experience in enterprise risk management, strong communication skills, and the ability to navigate complex environments. This position offers a dynamic opportunity to influence security strategies across the organization.

Qualifications

  • Bachelor's degree in Cybersecurity, Information Technology, or a related field.
  • Certifications such as CISSP, CISM, CRISC, or ISO 27001 Lead Implementer or Auditor are beneficial.
  • Experience owning enterprise cyber risk management and governance programs in complex environments.
  • Strong background in security policy, control design, and audit evidence practices.

Responsibilities

  • Own the cyber risk management approach, including risk identification and reporting.
  • Define security policies, control objectives, and governance structure.
  • Plan and run internal control assessments and coordinate audit readiness.
  • Manage third-party security risk program and vendor security standards.

Skills

Cyber Risk Management
Security Policy Development
Audit Evidence Practices
Executive Communication

Education

Bachelor's degree in Cybersecurity or Information Technology
Certifications (CISSP, CISM, CRISC)

Tools

Control Frameworks (NIST 800-53, ISO 27001)

Job description

The Company

HOYA Group: Founded in 1941 in Tokyo, Japan, HOYA Corporation is a global technology and med-tech company and a leading supplier of innovative high-tech and medical products. HOYA’s divisions and business units research and develop products utilized in the healthcare and information technology fields. In the healthcare field, we provide medical device products such as eyeglasses, medical endoscopes, contact and intraocular lenses, orthopedic implants, surgical/therapeutic devices and medical device reprocessing and disinfection solutions. In the information technology field, we provide products such as optical lenses, photomasks and blanks used in the manufacturing process for semiconductor and LCD/OLED devices, text-to-speech, human resources and other software solutions and critical components for the mass memory and cloud storage industries. With over 150 offices and subsidiaries worldwide, HOYA currently employs a multinational workforce of 37,000 people.

The Position

The Cyber Risk and Policy Owner is accountable for establishing and operating the group cyber risk management and governance program. This role defines the security policy and control requirements, maintains a common controls structure that maps to regulatory and audit expectations, and drives a consistent risk and assurance posture across the enterprise. The role partners closely with technology and business owners to ensure security requirements are practical, measurable, and demonstrable through evidence. This position will be based in Singapore and reports to the Group CISO.

Key Stakeholders

  • Group CIO and security leadership
  • Group Digital and technology owners
  • Legal, privacy, and regulatory teams
  • Internal audit and external auditors
  • Procurement and vendor management teams

Major Responsibilities

Cyber Risk Management

  • Own the enterprise cyber risk management approach, including risk identification, assessment, treatment, acceptance, and reporting.
  • Establish risk taxonomy, risk scoring methodology, and risk appetite aligned to leadership expectations.
  • Maintain a group risk register for cyber and track remediation plans, owners, and timelines.
  • Facilitate risk acceptance decisions with clear documentation, rationale, and approvals.

Policy, Controls, and Governance

  • Own the security policy lifecycle including authoring, review cadence, approvals, exceptions, and communication.
  • Define control objectives and control requirements and maintain a consistent structure that supports audits and compliance.
  • Drive policy to standard to procedure alignment so requirements translate into actionable implementation expectations.
  • Operate exception and waiver processes with time bounds, compensating controls, and tracking to closure.

Assurance, Compliance, and Audit Enablement

  • Plan and run internal control assessments and maturity reviews, including evidence standards and sampling approach.
  • Coordinate external audit readiness activities and act as the primary point for security control evidence coordination.
  • Ensure controls and evidence mapping support key obligations such as J-SOX, privacy requirements, and other applicable regulations.
  • Create clear reporting for leadership on control effectiveness, gaps, and remediation progress.

Third-Party Risk Management

  • Own the third-party security risk program including due diligence, security requirements, onboarding controls, and periodic reassessments.
  • Define minimum security standards for vendors and partners and ensure consistent application across procurement and business units.
  • Support continuous monitoring and risk-based tiering for suppliers.

Metrics and Executive Reporting

  • Establish a set of actionable metrics that connect cyber risk and control maturity to business impact.
  • Produce regular reporting for leadership including trends, hot spots, audit readiness, and key decisions needed.
  • Enable a common language across divisions by standardizing definitions, templates, and reporting formats.

Key Deliverables

  • A single consistent cyber risk management approach adopted across the group.
  • A clear, usable security policy and controls structure with mapped evidence expectations.
  • Improved audit readiness with fewer surprises and faster evidence collection.
  • A measurable reporting cadence that leadership trusts for decision making.
  • A repeatable third-party security risk process embedded into procurement and onboarding.

Qualifications

Required Qualifications

  • Bachelor's degree in Cybersecurity, Information Technology, or a related field.
  • Certifications such as CISSP, CISM, CRISC, or ISO 27001 Lead Implementer or Auditor are beneficial.
  • Experience owning enterprise cyber risk management and governance programs in complex environments.
  • Strong background in security policy, control design, and audit evidence practices.
  • Practical knowledge of control frameworks and mappings such as NIST 800-53, ISO 27001, SOC 2, and similar.
  • Proven ability to translate requirements into implementable standards and measurable controls.
  • Strong executive communication skills and comfort presenting risk and trade-offs to senior leadership.
  • Ability to work across global stakeholders and drive alignment without direct authority.

Preferred Qualifications

  • Experience supporting publicly listed company controls or assurance expectations, including audit and regulatory coordination.
  • Experience building or operating third-party risk management at scale.
  • Familiarity with security maturity models and control testing approaches.