We are seeking an experienced senior manager to lead our information security team, combining strong hands-on technical expertise with people management experience in the information security domain. They will lead a team to design and/or review application security, including but not limited to penetration testing, source code review, cloud security and the various interconnected applications and infrastructures, especially in the areas of authentication, authorization, information protection, and cryptographic controls for both on-premises and cloud environments. The role also supervises the AIA-SG IAM and Threat Intelligence Manager and their team.
This role is responsible for providing leadership in application security review for strategic digital solutions across technology, ensuring secure solutions for business growth. The person should have solid written and verbal communication skills.
WHAT YOU’LL BE DOING:
VAPT
Manage the AIA-SG Vulnerability Assessment and Penetration Testing team responsible for delivering the following services to AIA-SG, including Security Architecture:
Application Security
- Design and/or review application security architecture proposals for various security-driven or business-driven initiatives in on-premises and cloud environments.
- Manage external third parties for application penetration testing engagements.
Infrastructure Security
- Manage end-to-end infrastructure security activities, such as vulnerability management, server security monitoring and hardening, infrastructure as code, etc.
- Design and/or review infrastructure security architecture proposals for various security-driven initiatives in on-premises and cloud environments.
Cloud Security
- Manage the compliance level of AIA SG cloud security assets based on ongoing regular scanning against the defined threshold.
- Evaluate the security aspects of new cloud-based solutions proposed by the application development team, infrastructure team, or business users.
- Manage various cloud security BAU activities, such as asset provisioning, deprovisioning, hardening, etc.
Penetration Testing
- Manage end-to-end application security activities, including application penetration testing, authentication/authorization design and review, and DevSecOps design and roll-out.
- Manage third-party relationships with industry vendors who undertake security assessment services.
- Oversee the annual penetration testing schedule.
Information Security Architecture
- Lead a team to design and/or review application security architecture proposals for various security-driven or business-driven initiatives in on-premises and cloud environments.
- Design and/or review the authentication and authorization flows of applications, checking that they align with security best practices and the organization's IT security technology policy and procedures in terms of the strength of access controls, session management, cache management, cookie management, token management, cryptographic algorithms, and information/data protection.
- Assess the security aspects of new application tools/platforms proposed by the application team, and their relevance to and consequences for the existing security architecture.
- Work closely with the application development and infrastructure teams to proactively stay on top of the latest secure application design practices and deliver thorough security recommendations aligned with the organization's IT security technology policy and procedures.
Identity and Access Management
- Supervise the AIA-SG IAM Manager and their team performing IAM Governance functions for the Business Unit.
Cyber Security & Security Incident Handling
- Work with the Security Operations Centre (SOC) team to ensure secure protection of the AIA SG environment.
- Deploy new cyber security initiatives and roll out the platform together with the SOC team.
- Act as the point of contact for security incident handling and investigation, from the moment an incident is identified until it is handled and resolved.
Security Advisory
- Provide feasible security recommendations or guidance in response to queries or changes initiated by the application development team, infrastructure team, or business users.
- Facilitate challenging security conversations and provide acceptable solutions where IT standards conflict with business demands, achieving workable business solutions without sacrificing security and compliance.
Managerial Responsibilities
- Lead the promotion of activities that increase information security awareness within your teams, to embed and continuously improve adherence to good practice.
- Drive a continuous learning and development program for staff training (with in-house and external training programs).
WHAT WE ARE LOOKING FOR:
- University degree in one of the following or related disciplines (Computer Science, Computer Engineering, Information Security, Information Systems).
- Minimum 15 years of experience in the information security domain, especially in application security, infrastructure security and cloud security.
- Preferably an application development or infrastructure operations background, with hands-on experience designing and/or reviewing application security or infrastructure security.
- Hands-on information security experience in multiple cloud environments (SaaS, PaaS and IaaS) and cyber incident management.
- Certifications related to security architecture or cloud security are preferable, such as CCSP, Azure DevOps certification, Azure Solutions Architect certification, etc.
- Preferably a holder of one or more of the following information security and audit qualifications: CISSP, CISA, CRISC, CCSP.
- Good knowledge of latest security technologies and cyber landscape in a highly regulated industry.
- Good interpersonal and communication skills.
- Strong leadership with high integrity, a proactive mindset, and strong ownership.
- Working experience in the insurance, banking or IT industry is preferred.
- Experience with leading DevSecOps tools such as Snyk, Veracode, SonarQube.
- Infrastructure Security: Windows, Linux, AS400.
- Application frameworks and security: NodeJS, ReactJS, .NET.
- Security Advisory and Assessment.
- Security Incident Management.
- CI/CD pipelines: Azure DevOps, Bamboo, Jenkins, GitHub, Bitbucket.