ROLE OVERVIEW
The Information Security Consultant is one of the most pivotal roles at Insyghts Security. This is a broad, high-impact position designed for a rare professional who can operate credibly across the full breadth of our advisory and consulting service portfolio - from hands-on offensive security assessments and CSA certification readiness, to delivering virtual CISO leadership and outsourced Data Protection Officer services for clients.
This role demands an exceptional combination of deep technical knowledge, regulatory fluency across both Malaysia and Singapore, and the executive communication skills to engage confidently at every level - from technical teams through to board members and regulators. Our consultants are not report writers; they are trusted partners who sit alongside clients, challenge their assumptions, and help them build security programmes that are genuinely resilient.
The ideal candidate brings proven experience across GRC, compliance consulting, offensive security, and privacy law - and is intellectually excited by the opportunity to serve clients across all of these disciplines within a single, varied role. You will be one of the primary faces of Insyghts Security in the market, and your quality of work directly shapes our reputation.
SERVICE LINES & KEY RESPONSIBILITIES
This role spans five distinct consulting service lines. Candidates are expected to be competent across all five and capable of leading client engagements independently. The depth of expertise required in each area is described below.
A | GRC, Risk Advisory & Compliance
Core advisory services covering governance, risk management, compliance frameworks, ISO 27001 implementation, and business continuity planning.
. Lead information security risk assessments, gap analyses, and maturity evaluations aligned to ISO 27001, NIST CSF, CIS Controls v8, and sector-specific frameworks
. Develop and refine information security policies, procedures, governance frameworks, and ISMS documentation for clients
. Advise clients on regulatory compliance obligations including ISO 27001, PCI DSS v4.0, MAS TRM, BNM RMiT, HIPAA, and GDPR
. Lead end-to-end ISO 27001 implementation projects - from initial gap assessment and scope definition through to certification readiness and audit support
. Conduct Business Continuity (BCP) and Disaster Recovery (DRP) planning, business impact analysis, and tabletop exercise facilitation
. Perform third-party and supply chain risk assessments; assist clients in building and maintaining vendor risk management programmes
. Design and facilitate security awareness training and culture-building programmes tailored to client organisations
. Prepare and present executive-quality reports, board-level presentations, and regulatory submissions
B | CSA Cyber Essentials & Cyber Trust Mark
Specialist advisory services helping clients achieve CSA Cyber Essentials (CE) and Cyber Trust Mark (CTM) certification under Singapore's national cybersecurity scheme, including the expanded 2025 framework covering Cloud, OT, and AI security.
. Guide clients through the CSA Cyber Essentials (2025) certification process - from self-assessment and gap analysis through to certification body audit readiness
. Advise on all domains of the expanded Cyber Essentials framework including classical cybersecurity, cloud security, OT security, and AI security controls
. Lead clients through CSA Cyber Trust Mark engagements - conducting risk profiling, determining the appropriate Cybersecurity Preparedness Tier, and building the corresponding security programme
. Develop and document the cybersecurity controls, evidence artefacts, and risk treatment plans required to satisfy Cyber Essentials and Cyber Trust Mark certification requirements
. Deliver Cybersecurity Health Plan engagements as part of CSA's CISOaaS scheme, assisting eligible SMEs in strengthening their cyber resilience with funded consultancy support
. Advise clients on the strategic benefits of CSA certification for tender eligibility, regulatory compliance, cyber insurance, and stakeholder trust in both Singapore and regional markets
. Maintain current knowledge of CSA certification updates, funding schemes (e.g., Enterprise Development Grant, SME co-funding), and scheme evolutions to provide accurate, timely guidance
C | Offensive Security & Penetration Testing
Hands-on offensive security engagements including network, web application, social engineering, and red team assessments. Findings are communicated clearly and actioned through structured remediation support.
. Plan, scope, and execute network penetration tests across client environments including internal networks, external perimeter, cloud infrastructure, and wireless networks
. Conduct web application penetration tests following OWASP methodology, targeting common vulnerability classes including injection flaws, authentication weaknesses, access control issues, and API vulnerabilities
. Perform social engineering assessments including phishing simulations, vishing, and physical intrusion testing where scoped
. Conduct vulnerability assessments and produce prioritised, actionable remediation reports with clear technical and executive-level findings
. Support red team engagements - simulating realistic threat actor TTPs using the MITRE ATT&CK framework to test detection and response capabilities
. Communicate pentest findings clearly to both technical and non-technical audiences; conduct findings briefings and debrief sessions with client stakeholders
. Review and validate remediation efforts through retest engagements to confirm vulnerabilities have been effectively addressed
. Maintain up-to-date knowledge of current CVEs, exploitation techniques, and offensive tooling; contribute to internal knowledge sharing and methodology development
D | Virtual CISO (vCISO) Services
Outsourced executive security leadership delivered on a retainer or fractional basis. The consultant acts as an embedded CISO for clients who lack full-time security leadership, providing strategy, governance, board reporting, and programme ownership.
. Serve as the outsourced, executive-level CISO for client organisations - providing strategic cybersecurity leadership, programme oversight, and board-level reporting on a retainer or fractional basis
. Develop client-specific cybersecurity roadmaps aligned to their risk appetite, business objectives, regulatory environment, and maturity level
. Chair or participate in client security steering committees; produce and present regular security metrics, KPIs, and risk dashboards to C-suite and board audiences
. Oversee the development and maintenance of clients' information security policies, procedures, and governance frameworks
. Lead clients through compliance programmes (ISO 27001, CSA CE/CTM, PCI DSS, PDPA) as their designated security executive, ensuring accountability at the right level
. Provide guidance on security technology investments - evaluating vendor proposals, reviewing security architectures, and ensuring controls are commensurate with risk exposure
. Act as the primary escalation point and security spokesperson during incidents, regulatory enquiries, or client audits
. Manage and mentor client-side security staff where applicable, helping build internal security capability alongside the vCISO engagement
E | Data Protection Officer (DPO) Services
Outsourced DPO services fulfilling statutory obligations under Malaysia's PDPA 2010 (including June 2025 amendments mandating DPO appointment) and Singapore's PDPA. The consultant acts as the official, registered DPO for client organisations.
. Serve as the outsourced Data Protection Officer (DPO) for client organisations in Malaysia and Singapore, fulfilling statutory obligations under Malaysia's PDPA 2010 (as amended, effective June 2025) and Singapore's PDPA
. Advise client organisations on their data processing obligations, lawful bases for data collection, data subject rights, and cross-border data transfer requirements
. Develop, implement, and maintain clients' Data Protection Management Programmes (DPMP), including data inventories, privacy notices, consent frameworks, and retention policies
. Conduct and oversee Data Protection Impact Assessments (DPIAs) for new projects, systems, or processing activities that carry elevated privacy risk
. Monitor ongoing compliance with applicable PDPA requirements and internal data protection policies; maintain compliance registers and issue remediation guidance
. Manage personal data breach response - supporting clients in assessing breach severity, meeting mandatory notification timelines (72 hours under Malaysia's updated PDPA), and communicating with the Commissioner and affected data subjects
. Act as the official point of contact between client organisations and data protection regulators (PDPC Singapore, PDPD Malaysia) and data subjects for all PDPA-related matters
. Conduct regular staff training and awareness sessions on data protection obligations, privacy-by-design principles, and breach response procedures
. Provide guidance on privacy-by-design and privacy-by-default principles when clients are implementing new systems, processes, or products that involve personal data
F | Cross-Cutting Consulting Responsibilities
Responsibilities that apply across all service lines.
. Build and maintain long-term trusted advisory relationships with client stakeholders at all levels
. Identify expansion opportunities across service lines and collaborate with the Sales team to develop proposals and Statements of Work
. Maintain billable utilisation targets and manage engagement timelines, client expectations, and deliverable quality
. Contribute to Insyghts Security's intellectual capital - developing methodology templates, proposal content, and internal knowledge resources
. Represent Insyghts Security at industry events, seminars, and client briefings to build market presence and thought leadership
TECHNICAL SKILLS & KNOWLEDGE
Candidates are expected to hold strong working knowledge across all technical domains below. Deep expertise in at least three service line areas is required; broad competency across all five is strongly preferred.
. GRC Frameworks: ISO 27001/27002, NIST CSF, CIS Controls v8, COBIT 2019, PCI DSS v4.0, SS 712:2025 (Cyber Trust)
. CSA Schemes: Cyber Essentials (2025) - Classical, Cloud, OT & AI domains; Cyber Trust Mark - all five Preparedness Tiers; CISOaaS scheme requirements
. Offensive Security Tools: Burp Suite Pro, Metasploit, Nmap/Masscan, Nessus/OpenVAS, Kali Linux toolset, Cobalt Strike (advantageous), BloodHound/AD tools
. Penetration Testing Methodology: PTES, OWASP WSTG, OWASP MSTG, MITRE ATT&CK, CVSS scoring, responsible disclosure practices
. Privacy & Data Protection Law: Malaysia PDPA 2010 (incl. June 2025 amendments), Singapore PDPA 2012, GDPR, DPIA methodology, breach notification requirements
. vCISO Delivery: Security programme design, risk register management, board reporting, security metrics and KPIs, security budget planning
. Risk Management: FAIR methodology (advantageous), risk quantification, threat modelling (STRIDE, DREAD, PASTA), risk treatment planning
. Regulatory: MAS TRM, BNM RMiT, MOH HIMS requirements, HIPAA (advantageous)
. GRC Tools: ISMS.online, ServiceNow GRC, Archer, or equivalent platforms
. Cloud Governance: AWS, Azure, GCP shared responsibility models; CSA STAR; cloud-specific CIS Benchmarks
. Reporting: Advanced MS Office/365 - ability to produce board-quality reports, executive summaries, and regulatory submissions
COMPETENCIES & SOFT SKILLS
. Exceptional written and verbal communication - able to engage, advise, and influence credibly at board, C-suite, and regulatory levels
. Ability to translate complex technical and legal concepts into clear, business-relevant language without losing accuracy
. Commercially aware - understands how security risk and data privacy connect to business value, liability, and competitive positioning
. Structured, organised, and self-directed - capable of managing multiple concurrent client engagements across different service lines
. Trusted advisor mindset - you build long-term relationships, not transactional ones, and clients seek your opinion proactively
. Ethically grounded, particularly in offensive security work - meticulous about scope, rules of engagement, and responsible disclosure
. Facilitation and presentation skills for workshops, tabletop exercises, training sessions, and board briefings
. Resilient and adaptable - comfortable switching between a penetration testing mindset and an executive advisory role across the same week
EDUCATION & EXPERIENCE
Education
Bachelor's Degree in Information Security, Computer Science, Information Systems, Law, Business, or a related field. A Master's degree, LLM with privacy specialisation, or MBA with a Cybersecurity concentration is advantageous. Candidates without a degree but with exceptional, demonstrable experience across multiple service lines will be considered.
Experience
Minimum 5-7 years of experience in information security, with meaningful hands-on exposure across at least three of the five service lines: GRC/compliance consulting, CSA certification advisory, offensive security/penetration testing, vCISO delivery, or data protection/DPO services. Candidates with 3-4 years of strong multi-discipline experience and a clear progression trajectory will also be considered.
PREFERRED CERTIFICATIONS
Given the breadth of this role, certifications spanning GRC, offensive security, and privacy are all valued. The following certifications relevant to your service line focus areas would be a valuable addition.
WHAT WE OFFER AT INSYGHTS SECURITY
. A uniquely broad consulting role that keeps you intellectually engaged across multiple disciplines - no two weeks are the same
. Competitive salary package with performance-based incentives tied to client satisfaction and revenue contribution
. Fully sponsored certifications across GRC, offensive security, privacy, and CSA scheme-related credentials
. Exposure to diverse client environments across Singapore and Malaysia - government, financial services, healthcare, and enterprise
. A collaborative team that values expertise, shares knowledge openly, and supports your professional growth
. The opportunity to be a market-facing figure, build your personal professional brand, and contribute to a growing firm's reputation
. Flexible hybrid working arrangements and a leadership team that genuinely values work-life balance
Job ID: 147017503