1. Security Testing & Programme Leadership
- Design, plan, and execute full-scope security testing engagements (network, application, cloud, social engineering awareness, physical) against dtcpay's production and pre-production environments.
- Develop and maintain simulation and testing plans aligned with recognised industry frameworks and regulatory threat intelligence guidance (e.g. MITRE ATT&CK-informed methodology, TIBER-EU, MAS TPRM).
- Lead collaborative exercises with the Security Operations team and internal defence functions to validate detection and response controls.
- Manage the end-to-end vulnerability disclosure programme, triaging findings and coordinating remediation timelines with engineering.
- Maintain the security testing infrastructure and tooling to production-safe standards.
2. People & Team Management
- Hire, mentor, and retain a high-performing team of Security Testing Specialists, Penetration Testers, and Threat Intelligence Analysts.
- Define career paths, training budgets, and certification goals (e.g. OSCP, OSED, CRTO, PNPT, GXPN).
- Foster a culture of continuous learning, responsible disclosure, and professional ethics.
- Conduct regular skills assessments and rotate team members across specialisations (web, mobile, OT/IoT, cloud).
3. Technology Risk Management & Governance
- Translate security testing findings into structured risk statements aligned with dtcpay's enterprise risk framework (ISO 31000, NIST RMF).
- Interface with the GRC team to update the risk register, contribute to board-level risk dashboards, and provide evidence of remediation for auditors.
- Define and track KPIs / KRIs for the security testing function: mean time to detect (MTTD), mean time to respond (MTTR), and risk-exposure-reduction metrics.
- Participate in third-party and supply-chain risk assessments for critical technology vendors.
- Represent the security testing function in change-advisory and architecture review processes.
4. Regulatory Compliance & Privacy Requirements
- Ensure all security testing activities are conducted within legal and regulatory boundaries across all operating jurisdictions, including obtaining appropriate written authorisations.
- Advise on security controls required to meet obligations under MAS TRM, PDPA, GDPR, UK GDPR, PDPD, and related frameworks.
- Collaborate with Legal and the DPO to ensure any personal data encountered during testing is handled, minimised, and destroyed in compliance with applicable data-protection laws.
- Contribute to regulatory engagement: respond to MAS, ICO, and supervisory authority queries prepare evidence packs for technology-risk examinations.
- Track regulatory developments and proactively update engagement rules of engagement and testing policies.
5. Reporting & Stakeholder Communication
- Produce executive-level and technical reports with clear risk ratings (CVSS, DREAD), business-impact narratives, and prioritised remediation roadmaps.
- Present findings to the CISO, CTO, and Risk Committee tailor communication to both technical and non-technical audiences.
- Maintain a historical findings database to trend residual risk over time and demonstrate programme maturity.
What We're Looking For
- 8+ years of hands-on security testing experience, with at least 3 years in a team leadership or management capacity.
- Demonstrated expertise in simulation-based security testing and penetration testing across web applications, cloud (AWS/Azure/GCP), mobile (iOS/Android), APIs, and internal networks.
- Proven experience operating within a regulated financial-services or payment-industry environment.
- Deep working knowledge of MAS TRM Guidelines, UK GDPR / FCA Operational Resilience, GDPR, and DORA.
- Proficiency in industry-standard security testing tools and frameworks, including custom tooling development (Python, C#, PowerShell).
- Familiarity with cloud-native security risks (IAM misconfiguration, SSRF, container escape, serverless exposure).
- Exceptional written and verbal communication ability to present technical risk findings to senior executives and board members.
- Bachelor's degree or higher in Computer Science, Information Security, or equivalent.
Preferred Certifications
- Technical Security Testing: OSCP / OSED / OSWE / OSMR, CRTO / CRTE, GXPN, PNPT, CCT INF / CRT
- Governance & Risk: CISSP, CISM, CRISC, CDPSE, CIPP/A or CIPP/E
- Cloud: AWS Security Specialty, Azure Security Engineer, Google PCSE
Preferred Experience
- Experience with TIBER-EU or iCAST (MAS Intelligence-led Cyber Attack Simulation Testing) engagements.
- Prior engagement with regulators (MAS, ICO, BNM, FCA) on technology-risk or security incidents.
- Exposure to digital-asset custody, or infrastructure security testing.
- Experience building or scaling a security testing programme from the ground up.