Lead Cybersecurity Specialist (Governance)
Job Details
Vacancies
1 position
Experience Required
No experience required
Job Description
Our Client is an established company in Singapore, who is seeking to recruit a Lead Cybersecurity Specialist (Governance).
Lead Cybersecurity Specialist (Governance)
You will be the primary architect of the security governance and risk management framework, with the mission to transform GRC from a compliance-heavy exercise into a strategic enabler. You will ensure that risk management is deeply integrated into the lifecycle of every digital system, from web applications to critical Operational Technology (OT) environments.
1. Enterprise Risk Governance & Management
· Dynamic Risk Registers: Establish and oversee the security risk register. You will ensure that registers are not static documents but "living" tools that accurately reflect the current threat landscape and project status across all agencies.
· Senior Management Facilitation: Lead and facilitate high-level risk conversations with Senior Management. You must be able to translate complex technical risks into clear business impacts to drive informed resource allocation and prioritisation.
· Risk Analysis Framework: Develop a robust framework to guide agencies in performing consistent, high-quality risk analysis. This framework should empower agencies to take calculated risks for innovation rather than defaulting to "no" due to risk aversion.
2. Threat Risk Assessment (TRA) & Standards
· Unified TRA Framework: Establish and maintain standards for conducting Threat Risk Assessments across diverse domains, including Cloud (GCC), Web Applications, and OT/ICS systems.
· Crown Jewel Identification: Develop SOPs to guide project teams in identifying "Crown Jewels" (Critical Information Assets) and mapping comprehensive threat vectors.
· Standardisation of Controls: Define common security configuration standards and ensure that controls are technically effective in mitigating identified risks, rather than just meeting baseline requirements.
3. Zero Trust & Architecture Governance
· Zero Trust Roadmap: Lead the establishment of a Zero Trust Framework, setting the standards for identity-based security, micro-segmentation, and "never trust, always verify" architectures.
· Architectural Advisory: Provide expert GRC input during the design phase of high-impact systems to ensure security-by-design and alignment with standards.
· Technology Application: Evaluate and recommend security technologies that effectively mitigate specific risks, ensuring that defensive layers remain relevant against modern threats.
4. Supply Chain & Ecosystem Risk Management
· Third-Party Risk Strategy: Establish the framework for managing risks across the software supply chain and IT vendors.
· Dependency & Vendor Risk: Develop standards for assessing the cyber-resilience of third-party partners and managing risks associated with software dependencies (e.g., Open Source libraries).
5. Audit Excellence & Systemic Improvement
· Proactive Readiness: Shift agencies from "reactive" audit preparation to a state of continuous compliance and readiness.
· Root Cause Rectification: Oversee the closure of audit findings, ensuring agencies implement substantive, effective technical fixes rather than surface-level measures.
6. Stakeholder Management & Threat Intelligence
· Education & Advocacy: Partner with key stakeholders to inculcate a proactive risk management mindset.
· Threat & Tech Foresight: Keep abreast of evolving threat actor TTPs (Tactics, Techniques, and Procedures) and technology changes. Periodically review the relevance of existing defences against the latest threats.
Requirements
Experience
· Years of Experience: 10 to 12 years in Cybersecurity GRC, Information Security Risk Management, or Security Architecture.
· Domain Breadth: Proven experience in managing risks across IT and Cloud environments; exposure to OT (Operational Technology) systems is a significant advantage.
· Regulatory Knowledge: Deep familiarity with security policies (e.g., Instruction Manual on IT Management) and international standards (e.g., NIST, ISO 27001).
Technical Skills
· Risk Methodologies: Mastery of risk assessment methodologies (e.g., TVRA) and the ability to translate technical vulnerabilities into business risk.
· Security Technologies: Strong technical understanding of Zero Trust Architecture (ZTA) components and cloud security technologies, such as firewalls, EDR, IAM, SIEM, CSPM, CWPP, CASB, and secrets management.
· Threat Awareness: Ability to map technical controls to the MITRE ATT&CK framework to ensure defensive coverage.
· Offensive Security: Proficiency in manual and automated testing tools; deep understanding of the MITRE ATT&CK framework and common TTPs.
· Certifications: Professional certifications such as CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control), CISSP, OSCP or OSWE (Offensive Security Web Expert) are highly preferred.
Soft Skills
· Strategic Influence: Ability to educate and persuade senior stakeholders (CIOs/Project Owners) on the importance of rigorous risk governance.
· Critical Thinking: Ability to look past surface-level audit compliance to find and fix underlying systemic issues.
· Lifelong Learner: A genuine passion for staying updated on the latest security technologies and evolving cyber threat landscapes.
· Risk Articulation: Exceptional ability to "translate" deep technical issues (e.g., zero-day vulnerabilities, configuration drifts) into business risk for non-technical senior executives.
JJ Consulting Services
EA Licence No.: 12C6207
Applicants are invited to send an MS Word resume to [email protected] stating the position applied for, present and expected salaries, and earliest available date.
We thank all applicants in advance and regret that only shortlisted candidates will be notified.