The Security & Risk Manager is a strategic leadership role responsible for safeguarding McDonald's Singapore's digital, technology, and data ecosystem in an increasingly complex and rapidly evolving threat landscape. This role leads the end-to-end cybersecurity, technology risk, and resilience agenda across restaurant operations, digital platforms, enterprise environments, and third-party ecosystems. It ensures the confidentiality, integrity, availability, and privacy of critical assets while enabling secure innovation and seamless customer experiences. The role aligns local execution with global McDonald's standards and embeds modern, intelligence-driven, and risk-based security practices that support business growth, regulatory compliance, and operational excellence.
About the role:
1. Enterprise Security and Risk Leadership
- Own, define, and execute a forward-looking cybersecurity and technology risk strategy aligned with business objectives and digital transformation priorities
- Embed security-by-design and risk-based decision-making across all technology initiatives
- Champion modern security paradigms, including Zero Trust Architecture, Secure Access Service Edge, and cloud-native security
- Position security as a business enabler, balancing risk, customer experience, and operational efficiency
2. Security Governance, Frameworks and Control Assurance
- Establish and continuously enhance a robust governance model aligned with leading frameworks (NIST Cybersecurity Framework, ISO/IEC 27001 & 27701, CIS Critical Security Controls)
- Develop policies and standards that are practical, scalable, and enforceable within a fast-paced operational environment
- Implement measurable, auditable, and risk-aligned controls across technology and restaurant technology ecosystems
- Drive periodic reviews and updates based on evolving threats and regulatory requirements. Implement continuous control monitoring (CCM) and automate compliance where possible
3. Regulatory Compliance and Data Protection
- Ensure full compliance with applicable regulations and standards, including:
  - PDPA (Personal Data Protection Act)
  - PCI DSS (for payment security and cashless transactions)
  - Applicable global data regulations
- Serve as the primary liaison for audits, regulatory reviews, and compliance reporting
- Strengthen privacy-by-design practices in collaboration with the Data Protection Officer
- Advance data governance capabilities, including data classification, retention, and protection controls
4. Cybersecurity Operations and Threat Management
- Oversee and continuously enhance security operations capabilities, including:
  - Security monitoring (SIEM, SOC, XDR)
  - Threat intelligence and proactive threat hunting
  - Vulnerability and exposure management
  - Endpoint, network, and cloud security controls
- Ensure robust protection across hybrid environments (on-premises, cloud, SaaS, APIs, and mobile platforms)
- Proactively identify and prioritise risks arising from emerging threats such as ransomware, supply chain attacks, and identity-based exploits
- Drive timely and effective remediation within allocated budgets
- Leverage automation and AI-driven capabilities to strengthen detection and response
5. Technology Risk Management & Quantification
- Lead enterprise-wide risk identification, assessment, and prioritisation using leading methodologies
- Develop quantitative risk models to translate cyber risks into financial and operational impact
- Provide clear, data-driven insights to support executive decision-making and risk-informed investments
- Monitor and govern remediation initiatives to ensure effectiveness and accountability
6. Third-Party Risk Management
- Establish and mature a comprehensive third-party risk management programme for all third-party partners in the ecosystem
- Conduct rigorous due diligence, onboarding assessments, and continuous monitoring of third-party partners
- Ensure third-party partners meet McDonald's security, compliance, and regulatory standards
7. Incident Management, Business Resilience and Crisis Management
- Lead cyber incident response strategy, readiness, and execution, ensuring rapid containment and recovery and minimising disruption to restaurant and digital operations
- Establish and maintain business continuity (BCP) and disaster recovery (DR) frameworks aligned with critical restaurant and digital operations
- Establish, maintain, and enhance the Incident Response Plan by working closely with local stakeholders and the global cyber security team to ensure coordinated, timely, and effective response capabilities
- Conduct regular crisis simulations, red team/blue team exercises, and tabletop exercises across corporate and restaurant environments
8. Monitoring, Reporting & Continuous Improvement
- Define and track Key Risk Indicators (KRIs), Key Control Indicators (KCIs), and security KPIs
- Deliver clear, executive-level reporting on risk posture, control effectiveness, and incident trends
- Leverage insights and threat intelligence to drive continuous improvement and proactive risk reduction
- Benchmark security maturity against industry standards and peers
9. Digital Workplace & Secure Innovation
- Oversee security across modern workplace technologies, including:
  - End-user devices and endpoint security
  - Collaboration platforms and SaaS tools
  - Hybrid and remote work environments
- Enable secure innovation across digital ordering, mobile apps, kiosks, and emerging technologies
- Integrate DevSecOps practices into application and platform development lifecycles
10. Global and Cross-Functional Collaboration
- Partner with Global McDonald's Security & Risk teams to align with security standards and policies, best practices, enterprise architecture, tools, and services
- Act as a trusted advisor to business leaders and cross-functional and technology stakeholders
- Ensure global frameworks are effectively adapted to Singapore's regulatory and operational context
11. Security Awareness, Culture and Workforce Enablement
- Champion a security-first and risk-aware culture across corporate and restaurant environments
- Design and deliver targeted security awareness and behavioural change programmes
- Promote best practices in phishing awareness, data protection, and operational security
- Build organisational capability through training, coaching, and stakeholder engagement
Key Requirements:
Education and Certifications
- Bachelor's degree in Information Security, Computer Science, or a related discipline
- Relevant professional certifications such as CISSP, CISM, CRISC (preferred), ISO 27001 Lead Implementer/Auditor, Cloud security certifications (CCSP, AWS/Azure Security), PCI DSS or privacy certifications (e.g., CIPM, CIPP)
Experience
- 6–10 years of progressive experience in cybersecurity and technology risk management
- Demonstrated experience in developing and executing security strategies in complex, customer-facing environments and in managing regulatory compliance (PDPA, PCI DSS)
- Demonstrated experience in leading security and digital transformation initiatives
- Minimum 3 years in a security leadership role with enterprise-level accountability
- Proven ability to translate complex technical risks into clear business insights and decisions
- Highly proactive, resilient, and outcome-driven in a fast-paced environment
- Ability to manage multiple priorities across an operationally intensive landscape
- Excellent communication skills with the ability to influence senior leadership and cross-functional teams