Senior Cybersecurity Governance Specialist ***SINGAPOREAN ONLY***


ETHOS SEARCH ASSOCIATES PTE. LTD.
Posted date: 5 hours ago
Minimum level: N/A
Employment type: Full-time
Job category: IT
Responsibilities
  • Owner of the security risk register, ensuring that it is a "living" tool that accurately reflects the current threat landscape and project status.
  • Owner of the Zero Trust Framework, setting the standards for identity-based security, micro-segmentation, and "never trust, always verify" architectures.
  • Facilitate high-level risk conversations with Senior Management and CIOs, translating complex technical risks into clear business impacts to drive informed resource allocation and prioritisation.
  • Establish a robust framework to guide consistent, high-quality risk analysis.
  • Empower calculated risks for innovation rather than defaulting to "no" due to risk aversion.
  • Oversee standards for conducting Threat Risk Assessments across diverse domains, including Cloud (GCC), Web Applications, and OT/ICS systems.
  • Create SOPs to guide teams in identifying "Crown Jewels" (Critical Information Assets) and mapping comprehensive threat vectors.
  • Specify common security configuration standards.
  • Ensure controls are technically effective in mitigating identified risks.
  • Provide expert GRC input during the design phase of high-impact systems to ensure security-by-design.
  • Review and suggest security technologies that effectively mitigate specific risks, ensuring that defensive layers remain relevant against modern threats.
  • Implement a framework for managing risks across the software supply chain and IT vendors.
  • Create standards for assessing the cyber-resilience of third-party partners.
  • Manage risks associated with software dependencies (Open Source libraries).
  • Shift from a "reactive" audit preparation to a state of continuous compliance and readiness.
  • Responsible for the closure of audit findings, ensuring implementation of substantive, effective technical fixes rather than surface-level measures.
  • Deep dive into audit trends to identify and address systemic weaknesses before they can be exploited.
  • Collaborate with CIOs, CISOs, and Project Owners to inculcate a proactive risk management mindset.
  • Be up to date with evolving Actor TTPs (Tactics, Techniques, and Procedures) and technology changes.
  • Review the relevancy of existing defences against the latest threats.

Requirements
  • 10 years in Cybersecurity GRC, Information Security Risk Management, or Security Architecture.
  • Highly advantageous to possess professional certifications such as CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control), CISSP, OSCP or OSWE (Offensive Security Web Expert).
  • Expert in risk assessment methodologies (TVRA).
  • Experience in managing risks across IT and Cloud environments.
  • Able to translate technical vulnerabilities into business risk.
  • Extensively familiar with Singapore Government security policies (Instruction Manual on IT Management) and international standards (NIST, ISO 27001).
  • Sound technical understanding of various Zero Trust Architecture (ZTA) components and cloud security technologies (Firewalls, EDR, IAM, SIEM, CSPM, CWPP, CASB and secrets management).
  • Skilled in manual and automated testing tools.
  • Deep understanding of the MITRE ATT&CK framework and common TTPs, and able to map technical controls to the MITRE ATT&CK framework to ensure defensive coverage.
  • Able to "translate" deep technical issues (zero-day vulnerabilities, configuration drifts) into business risk for non-technical senior executives.
  • Exposure to OT (Operational Technology) systems highly advantageous.
  • Able to educate and persuade senior stakeholders (CIOs/Project Owners) on the importance of rigorous risk governance.
  • Able to look past surface-level audit compliance to find and fix underlying systemic issues.
  • Always stays updated on the latest security technologies and evolving cyber threat landscapes.


Ethos Search Associates Pte. Ltd.

EA License No: 13C6655

EA Reg No: R1988580 Jacky Chong
Location: Singapore