Own and manage the company's IT/security controls across infrastructure (network security, firewalls/WAF, cloud hosting, endpoint security, identity & access, internet and usage policies).
Define, implement, and maintain security baselines and hardening standards for cloud and on-prem environments.
Security operations & monitoring
Monitor, investigate, and analyze cybersecurity events; coordinate incident response, root cause analysis, and post-incident improvements.
Establish operational security processes (alert triage, escalation, reporting, and continuous tuning of detection rules).
Risk management, assessment & secure design
Conduct security assessments (technical and process-based), identify threats/vulnerabilities, assess likelihood/impact, and maintain a risk register with mitigation plans.
Review security architecture/design for systems and applications, including business continuity and disaster recovery requirements.
Vulnerability management & testing
Review existing security measures, coordinate penetration tests for internal applications, and ensure findings are tracked to closure.
Support engineering teams in remediation, patching, and implementing secure coding / secure configuration practices.
Drive vulnerability remediation timelines and verify fixes (re-test and closure evidence) with the development team.
Compliance & audit readiness
Support development and rollout of IT policies, standards, and procedures to meet regulatory/legal requirements (e.g., BOT Virtual Bank regulations, PDPA, ISO 27001).
Perform regular compliance reviews and internal audits to identify control gaps and ensure readiness for external and regulatory audits.
Prepare, maintain, and coordinate compliance documentation and audit evidence (policies, procedures, control test results, risk assessments, and audit responses).
Cross-team enablement
Implement security guidelines for collaboration tools and company-wide ways of working (access control, data handling, approved tools, third-party access).
Provide clear advisory support to stakeholders: explain security findings, technical risks, and remediation options in practical terms.
KNOWLEDGE, SKILLS AND ABILITIES:
Strong knowledge of IT/cybersecurity laws and regulations (e.g., PDPA, Computer Crime Act, cyber-related regulatory requirements, IT risk management practices).
(Nice to have) Experience with ISO 27001/ISMS implementation, security audits, cloud security (AWS/GCP/Azure), and common security tooling (SIEM, EDR, WAF, vulnerability scanners).
EDUCATION AND EXPERIENCE:
45+ years of experience in IT Security Management and project delivery in regulated/complex environments (banking, fintech, insurance, etc.).
Bachelor's degree in Computer Engineering, Computer Science, IT, or related field.