Job Purpose
To ensure IT systems and applications adhere to security best practices, compliance and regulatory requirements, and to drive continuous improvement of our security posture.
Key Responsibilities
- Develop, maintain, and enforce the organization's information security policies, standards, and guidelines to ensure IT systems and applications comply with security best practices, regulatory requirements, and internal compliance obligations.
- Govern and enforce cloud security controls, baseline configurations, and secure architecture patterns across cloud, on-premise, and hybrid environments.
- Supervise security assessments, including vulnerability assessments, penetration testing, and technical reviews; ensure remediation plans are defined, prioritized, and implemented in accordance with approved policies.
- Manage identity and access management controls, including privileged access, service accounts, and secure authentication mechanisms.
- Review and approve changes to security controls, including firewalls, VPNs, routing configurations, operating system hardening, and IDS/IPS rules.
- Collaborate cross-functionally with technology, operations, and business teams to identify security threats arising from day-to-day operations and propose appropriate security controls and risk mitigation measures.
- Drive a shift-left security approach by embedding security requirements early in Agile delivery, CI/CD pipelines, and infrastructure provisioning lifecycles.
- Review and validate risk assessments conducted by the First Line of Defense to ensure alignment with the organization's risk appetite and control requirements for IT vendors and partners.
- Act as a key contact for internal audits, external audits, and regulatory inspections; coordinate evidence collection, remediation tracking, and closure.
- Prepare periodic and regulatory reports to SBV/CIMB Group on security matters.
Job Specification
- Bachelor's degree in Computer Science, Cybersecurity, Information Technology or a related field.
- 3+ years of hands-on experience in IT security governance, policy management or comparable role (preferably in banking/financial services).
- Professional certification such as CISSP, CISM, or equivalent is highly desirable.
Technical & Functional Skills
- Deep understanding of network and host hardening, firewall/VPN architectures, and IDS/IPS; hands-on experience using source-code scanning tools.
- Familiarity with vulnerability-assessment frameworks, risk management methodologies (ISO 27001, NIST 800-53, CIS).
- Ability to research and integrate new security solutions into current processes and systems.
- Working knowledge of regulatory guidelines (e.g. SBV Circular 09, 50, 13).
- Experience auditing security controls and reviewing technical change requests.
- Strong analytical skills to interpret risk reports and translate them into clear policy requirements.
Personal skills
- Excellent stakeholder management and communication skills; able to present policy to both technical teams and senior management.
- Rigorous attention to detail and a methodical, compliance-driven mindset.
- Ability to influence without authority and drive policy adoption.
- Inquisitive approach to new threats and security technologies.