Alex Yao Alex Yao

From IT operations to risk governance

I am a Business Information Security Officer (BISO) working in cybersecurity governance, risk, and compliance (GRC) for a global, APAC-regulated financial institution. My day-to-day sits at the intersection of regulatory expectation, operational risk, and technology change — translating frameworks such as ACSC Essential Eight, APRA CPS 234, and ISO 27001 into practical control programs that reduce risk without paralyzing the business.

My career path has been deliberate. I started as a business continuity intern, then moved into IT support, followed by first-line operational risk, before stepping into BISO / GRC. That progression means I understand the pressure on control owners, the language of regulators, and the reality of implementation in large, complex organizations.

I am particularly interested in automation-led GRC: using Power BI, Power Automate, VBA, and SQL to reduce manual assurance effort, improve control visibility, and give executives faster, better evidence. I also contribute to AI risk governance, helping shape how a regulated bank evaluates and oversees AI use cases.

Outside of work, I am a Mandarin and Cantonese speaker with experience working across APAC and global stakeholder groups. I was recognized as Employee of the Year 2025 and selected for both global and regional talent programmes.

Career path

  1. Business Continuity Intern

    Financial services

    Coordinated Business Impact Analysis across business lines and developed a BIA user manual to reduce repetitive training.

  2. IT Help Desk Analyst

    Financial services

    Provided IT hardware and software support to internal users, resolving issues quickly and improving employee satisfaction.

  3. Operational Risk Control Officer (LoD 1)

    Global bank

    Coordinated RCSA and first-line control tests, tracked incidents, followed up audit findings, and produced operational risk reports for executives.

  4. Business Information Security Officer (GRC)

    APAC-regulated financial institution

    Lead local cybersecurity GRC topics including security risk management, cyber hygiene, ACSC Essential Eight alignment, AI risk gap analysis, and application security reviews.