
Member of the Month | Andrew Pang: Bridging Governance, Technology, and Innovation in an AI-Driven Risk Landscape

This month, HKCNSA is pleased to feature Andrew Pang as our April Member of the Month.


Andrew is a seasoned cybersecurity and technology risk professional with over 15 years of experience across IT governance, audit, cloud security, data privacy, and regulatory compliance. He currently leads global information security and privacy management at Lalamove as Head of Cybersecurity, and is Principal Consultant at HKCNSA.



Navigating Risk in the Age of AI and Global Complexity


Andrew observes that today's technology risk landscape is shaped by the convergence of rapid innovation and growing complexity. As organisations race to adopt AI and digital capabilities, threat actors are evolving just as quickly—leveraging automation, supply chain vulnerabilities, and AI-enabled social engineering to increase the scale and precision of attacks.


At the same time, regulators across jurisdictions are introducing overlapping and highly specific requirements on data security, cross-border transfers, algorithmic transparency, and third-party oversight. This creates significant compliance complexity for multinational and platform-based organisations.


Against this backdrop, Andrew emphasises that organisations should not treat governance and compliance as constraints, but rather as an integral part of innovation. In his view, a risk-aware, business-aligned approach should focus on several practical priorities:


  • Embed security-by-design and privacy-by-design early in development life cycles

  • Leverage threat intelligence to anticipate evolving risks across industries

  • Prioritise controls based on impact, particularly around data protection and service availability

  • Strengthen collaboration across technical, legal, and business teams


According to Andrew, organisations that treat technology risk as a strategic enabler, supported by strong governance, forward-looking insights, and shared accountability, are better positioned to innovate with confidence while maintaining resilience and trust.





A Career Shaped by Multiple Perspectives


Andrew's approach to risk management has been shaped by his experience across internal audit, consulting, and in-house leadership roles. These transitions have given him a perspective that combines assurance, solution design, and operational execution.


From an audit standpoint, he developed a focus on whether controls are effective, sustainable, and defensible against regulatory expectations. His consulting experience strengthened his ability to design pragmatic, scalable, and business-aligned controls. His in-house leadership roles required him to balance risk frameworks with operational realities and the pace of technological change.


His audit background also continues to influence his work today. When designing governance frameworks, he emphasises clarity, measurability, and evidence—ensuring that controls are not only compliant on paper but also verifiable and effective in practice.



From Gatekeepers to Strategic Enablers


Looking ahead, Andrew sees a clear evolution in the role of IT GRC and technology risk professionals. As organisations accelerate digital transformation and scale AI adoption, these roles are shifting from traditional gatekeepers to strategic enablers.


This evolution requires professionals to operate at the intersection of regulatory expectations, technical realities, and business strategy—translating complex requirements into practical, measurable controls that support innovation rather than slow it down.


To succeed in this environment, Andrew highlights the importance of combining technical understanding, regulatory awareness, and the ability to translate risk into business-relevant actions. Professionals must also be able to collaborate effectively across teams and continuously adapt to evolving technologies and threat landscapes.


Ultimately, Andrew notes that those who can bridge regulatory insight, technical knowledge, and practical execution will play a key role in enabling organisations to innovate confidently while maintaining trust, resilience, and compliance.



HKCNSA is pleased to recognise Andrew Pang as our April Member of the Month and looks forward to his continued contributions to the cybersecurity and technology risk community.

Hong Kong China Network Security Association

8/F, 208 Johnston, Wan Chai, Hong Kong

+852 9169 0693


Copyright © 2026 HKCNSA. All rights reserved.
