Search by job, company or skills

dtcpay

Head of Security

8-10 Years
Save
  • Posted 20 hours ago
  • Be among the first 10 applicants
Early Applicant

Job Description

  • Security Testing & Programme Leadership
  • Design, plan, and execute full-scope security testing engagements (network, application, cloud, social engineering awareness, physical) against dtcpay's production and pre-production environments.
  • Develop and maintain simulation and testing plans aligned with recognised industry frameworks and regulatory threat intelligence guidance (e.g. MITRE ATT&CK-informed methodology, TIBER-EU, MAS TPRM).
  • Lead collaborative exercises with the Security Operations team and internal defence functions to validate detection and response controls.
  • Manage the end-to-end vulnerability disclosure programme, triaging findings and coordinating remediation timelines with engineering.
  • Maintain the security testing infrastructure and tooling to production-safe standards.
  • People & Team Management
  • Hire, mentor, and retain a high-performing team of Security Testing Specialists, Penetration Testers, and Threat Intelligence Analysts.
  • Define career paths, training budgets, and certification goals (e.g. OSCP, OSED, CRTO, PNPT, GXPN).
  • Foster a culture of continuous learning, responsible disclosure, and professional ethics.
  • Conduct regular skills assessments and rotate team members across specialisations (web, mobile, OT/IoT, cloud).
  • Technology Risk Management & Governance
  • Translate security testing findings into structured risk statements aligned with dtcpay's enterprise risk framework (ISO 31000, NIST RMF).
  • Interface with the GRC team to update the risk register, contribute to board-level risk dashboards, and provide evidence of remediation for auditors.
  • Define and track KPIs / KRIs for the security testing function: mean time to detect (MTTD), mean time to respond (MTTR), and risk-exposure-reduction metrics.
  • Participate in third-party and supply-chain risk assessments for critical technology vendors.
  • Represent the security testing function in change-advisory and architecture review processes.
  • Regulatory Compliance & Privacy Requirements
  • Ensure all security testing activities are conducted within legal and regulatory boundaries across all operating jurisdictions, including obtaining appropriate written authorisations.
  • Advise on security controls required to meet obligations under MAS TRM, PDPA, GDPR, UK GDPR, PDPD, and related frameworks.
  • Collaborate with Legal and the DPO to ensure any personal data encountered during testing is handled, minimised, and destroyed in compliance with applicable data-protection laws.
  • Contribute to regulatory engagement: respond to MAS, ICO, and supervisory authority queries; prepare evidence packs for technology-risk examinations.
  • Track regulatory developments and proactively update engagement rules of engagement and testing policies.
  • Reporting & Stakeholder Communication
  • Produce executive-level and technical reports with clear risk ratings (CVSS, DREAD), business-impact narratives, and prioritised remediation roadmaps.
  • Present findings to the CISO, CTO, and Risk Committee; tailor communication to both technical and non-technical audiences.
  • Maintain a historical findings database to trend residual risk over time and demonstrate programme maturity.

What We're Looking For

  • 8+ years of hands-on security testing experience, with at least 3 years in a team leadership or management capacity.
  • Demonstrated expertise in simulation-based security testing and penetration testing across web applications, cloud (AWS/Azure/GCP), mobile (iOS/Android), APIs, and internal networks.
  • Proven experience operating within a regulated financial-services or payment-industry environment.
  • Deep working knowledge of MAS TRM Guidelines, UK GDPR / FCA Operational Resilience, GDPR, and DORA.
  • Proficiency in industry-standard security testing tools and frameworks, including custom tooling development (Python, C#, PowerShell).
  • Familiarity with cloud-native security risks (IAM misconfiguration, SSRF, container escape, serverless exposure).
  • Exceptional written and verbal communication; ability to present technical risk findings to senior executives and board members.
  • Bachelor's degree or higher in Computer Science, Information Security, or equivalent.

Preferred Certifications

  • Technical Security Testing: OSCP / OSED / OSWE / OSMR, CRTO / CRTE, GXPN, PNPT, CCT INF / CRT
  • Governance & Risk: CISSP, CISM, CRISC, CDPSE, CIPP/A or CIPP/E
  • Cloud: AWS Security Specialty, Azure Security Engineer, Google PCSE

Preferred Experience

  • Experience with TIBER-EU or iCAST (MAS Intelligence-led Cyber Attack Simulation Testing) engagements.
  • Prior engagement with regulators (MAS, ICO, BNM, FCA) on technology-risk or security incidents.
  • Exposure to digital-asset custody, or infrastructure security testing.
  • Experience building or scaling a security testing programme from the ground up.

More Info

Job Type:
Industry:
Employment Type:

About Company

Job ID: 151254735

Similar Jobs

Singapore, Cecil Street

Skills:

GdprApisPowerShellIosAndroidGcpSecurity TestingPenetration TestingAzurePythonAWSsimulation-based security testingUK GDPRDORAMAS TRM GuidelinesFCA Operational Resilience

Singapore

Skills:

Incident ResponseGovernancePayment fraudAdversarial TestingTransaction IntegrityTransaction abuseBusiness logic vulnerabilitiesFraud Risk PartnershipPayment threat modelingPayment Security Architecture